From 30 May 2025, Australian businesses meeting specific turnover thresholds must report ransomware or cyber extortion payments within 72 hours under the Cyber Security Act 2024. This new regime aims to enhance national cybersecurity by tracking cybercriminal activity and improving threat response strategies.
Who Must Report?
Businesses with an annual turnover of $3 million or more in the last financial year must comply. For businesses that operated for only part of that year, a pro-rated threshold applies. Entities responsible for critical infrastructure assets must also report, regardless of turnover.
What Must Be Reported?
Reports must include:
- Business and contact details (including ABN)
- Incident details (timing, impact, malware used)
- Ransom demand and payment details (monetary or non-monetary)
- Communications with the extorting party
Phased Enforcement Approach
- Phase 1 (30 May – 31 Dec 2025): The Department of Home Affairs will focus on education and guidance, with penalties only for severe non-compliance.
- Phase 2 (From 1 Jan 2026): Stricter enforcement begins, with a fine of 60 penalty units for late or missing reports.
Why Report?
The government will use data to:
- Identify cybercrime trends
- Provide targeted security advice to businesses
- Inform future cybersecurity policies
Protections for Businesses
- Information in a report cannot be used against the reporting business in criminal or civil proceedings (except in proceedings for knowingly false or misleading statements).
- The Australian Signals Directorate (ASD) will assist with incident response but will not regulate compliance with the reporting obligation.
Where to Report?
Submit reports via the ASD’s online form: https://www.cyber.gov.au/report-and-recover/report.