Technology and Telecommunications

Australia's mandatory ransomware payment reporting rules: What your organisation needs to know

October 16, 2025

Australian businesses and organisations continue to suffer significant operational disruption or financial losses due to ransomware attacks and other cyber extortion.

69% of Australian businesses experienced a ransomware attack as of 2024, up from 56% as of 2023. 84% of victims made the ransom payment, paying an average of $1.35 million.

Australia's mandatory ransomware payment reporting regime started on 30 May 2025. It requires businesses with an annual turnover over $3 million, and some entities responsible for critical infrastructure assets, to report within 72 hours after a ransomware or cyber extortion payment. Non-compliance risks a civil penalty (fine) of up to 60 penalty units or $19,800.

In this article we unpack the reporting rules and assist Australian businesses and other organisations to understand their mandatory reporting obligations in the face of a ransomware or other cyber extortion payment.

What is ransomware?

Ransomware is a type of malicious software. Cyber criminals use it to digitally scramble or put beyond use a victim's data, and then demand a payment (the ransom) to decrypt or restore access. A victim risks operational disruption, financial loss, reputational damage, or potential legal or regulatory consequences if personal information or valuable data is compromised.

In a more sophisticated, "double extortion" attack, the extorting entity also makes a copy of the victim's data and threatens to publish or sell it unless the ransom demand is paid. A so-called triple extortion additionally targets the victim's customers, business partners or employees, by threatening to leak their data or to disrupt their respective services, creating broader reputational and legal risks.

What is the ransomware reporting obligation?

From 30 May 2025, certain Australian businesses or organisations that suffer a ransomware or other cyber extortion incident must report to the Australian Signals Directorate (ASD) within 72 hours if they pay a ransomware or other cyber extortion demand, or become aware that a person has made a payment on their behalf.

The ransomware payment reporting obligation is in Part 3 of the Cyber Security Act 2024 (Cth) (CS Act).

This obligation adds a further layer of compliance, and adds to the complexity of managing the incident response, for organisations that suffer a cyber security incident and (for any reason) decide to pay.

Will the reporting obligation apply to my business?

The obligation applies to reporting business entities:

  • with an annual turnover of $3 million or more for the last financial year; or
  • that are a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) applies, regardless of annual turnover.

The obligation does not apply to:

  • start-ups or small businesses with an annual turnover of less than $3 million in the last financial year; or
  • Commonwealth or State government bodies.

The annual turnover threshold is pro-rated. A new business whose turnover starts part-way through the financial year will need to assess itself against a correspondingly lower turnover threshold.

How does the reporting requirement apply to an Australian subsidiary of an international business?

In general, a multinational business carrying on business in Australia must report a ransomware payment in accordance with Part 3 if the subsidiary carrying on business in Australia:

  • has made the ransomware payment; or
  • is affected by the ransomware incident, even where the payor (such as a parent company) is based overseas.

What is a payment?

A 'payment' in this reporting context means a monetary or non-monetary benefit given to (or for the benefit of) the extorting entity.

So even if money itself isn't involved, a reporting business entity makes a 'payment' if it gives a product, service or another thing of value in exchange for a decryption key to unlock the business's data, or for the extorting entity stopping (or otherwise not making good on) the extortion.

How will the reporting obligation be enforced?

The Department of Home Affairs (DHA) administers the ransomware payment reporting obligation.

DHA's regulatory action plan recognises that reporting business entities may need time to become familiar with this reporting obligation and put in place internal processes to meet it. Accordingly, DHA is following a two-stage approach to enforcement:

Stage 1 - 30 May to 31 December 2025

DHA will engage with reporting business entities and provide resources to support and promote awareness of the reporting process, identify barriers to compliance, and communicate DHA's compliance expectations. Enforcement will be reserved for the most serious cases of non-compliance.

Stage 2 - from 1 January 2026

DHA will update its guidance materials to incorporate feedback received during stage 1, to assist reporting business entities in their preparation for and notification of a ransomware payment.

DHA expects that, by early 2026, reporting business entities will have revised their incident response plans and put in place procedures to report a ransomware payment within the required timeframe. Accordingly, DHA will transition to an enforcement-oriented posture, and non-compliance will risk regulatory enforcement action as a matter of routine.

What are the consequences of not reporting?

A reporting business entity that fails to submit a mandatory ransomware report within the required time risks a civil penalty (a fine) of up to 60 penalty units (currently $19,800).

What needs to be in a ransomware payment report?

A ransomware payment report must include the following:

  • contact and business details of the reporting entity, including its Australian Business Number;
  • details of the ransomware or cyber extortion incident, including its impact on the reporting business entity;
  • details of the extorting entity's demand, including the value and payment method requested;
  • details of the payment made or provided, including the value and method of payment or transfer;
  • if applicable, the contact and business details of any third-party entity (whether in Australia or overseas) who made the payment on behalf of the reporting business entity;
  • copies of communications with the extorting entity in relation to the cyber incident, ransomware demand and payment, including pre-payment negotiations; and
  • any additional information relating to the cyber incident that could assist the ASD.

Will submitting a report to ASD waive legal professional privilege?

No. The reporting obligation applies only to the prescribed information (outlined above) which, at the time of making the report, the reporting business entity knows or is able, by reasonable search or enquiry, to find out. Remain cautious and consider obtaining legal advice before sharing additional information.

Can the information provided to ASD be used against the reporting business entity?

Generally no, although (perhaps unsurprisingly) exceptions apply:

Information disclosed in a ransomware payment report is inadmissible against the reporting business entity in:

  • criminal proceedings;
  • civil proceedings for contraventions of civil penalty provisions;
  • prosecuting breaches of any Commonwealth, State and Territory law; or
  • proceedings in a Commonwealth, State or Territory tribunal.

However, the information may be used in:

  • criminal proceedings involving false or misleading information or obstruction of a Commonwealth official;
  • civil proceedings for contravening a civil penalty provision in the CS Act; or
  • royal commissions or coronial inquiries.

While these legal protections (provided for in the CS Act) are strongly worded, they are untested. As reported incidents move through regulatory action and the courts, the precise scope and limits of these protections will be clarified.

What should a reporting business entity do to prepare?

To reduce the risk (however low) of becoming a test case for regulatory action, reach out to our Cybersecurity and Privacy team for help in updating your cyber incident response plans and playbook.

This article was prepared by Partner Steven Hunwicks, a specialist cybersecurity and data privacy lawyer at Thomson Geer.
