According to the Annual Cyber Threat Report 2023-2024, ransomware was involved in 71% of extortion-related cyber incidents handled by the Australian Signals Directorate (ASD). In response, the Cyber Security Act 2024 (Cth) introduces mandatory ransomware payment reporting obligations for businesses, taking effect on 30 May 2025.
The new rules apply to businesses operating in Australia with an annual turnover exceeding $3M, as well as critical infrastructure entities under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). Small businesses (below the $3M threshold), Commonwealth agencies, and state bodies are exempt. Multinational companies must report if their Australian entity made the payment or was impacted by the incident, even if payment was made by a foreign parent company.
Reporting is required when a ransomware or cyber extortion incident occurs, impacts the business, involves a demand (for money, data, or services), and results in a benefit being provided to the attacker. Businesses must submit a report within 72 hours of making (or becoming aware of) a ransomware payment through an ASD online portal, which is yet to be launched. Reports must include details such as the incident description, its impact, the extortion demand, payment information, and any communications with the attackers. Failure to comply may result in civil penalties of up to $19,800, increased regulatory scrutiny, and reputational damage.
The Draft Rules consultation period closed on 14 February 2025, with final rules expected before 30 May 2025. The government is also working to prevent overlap with existing reporting requirements under the SOCI Act. Businesses must prepare for these new obligations, as there is no grace period; compliance is mandatory from the commencement date. This legislation aims to improve Australia’s cyber threat intelligence and strengthen defences against ransomware attacks.