Understanding Your Legal Obligations After a Ransomware Incident 


Under the Cyber Security Act 2024, certain Australian businesses are now legally required to report ransomware and cyber extortion payments. If your organisation earns over $3 million in annual revenue or operates within critical infrastructure, these obligations apply to you. 

This legislation reflects a broader shift in expectations around cyber preparedness, accountability and governance, particularly for growing small and medium businesses. 

What is the Cyber Security Act?

If your business experiences a ransomware or cyber extortion attack and makes a payment, the Act requires you to report it to the Australian Signals Directorate (ASD) within 72 hours of making the payment or becoming aware that a payment was made on your behalf.

These mandatory reporting obligations commenced on 30 May 2025. 

Reporting is only mandatory when a payment is made. If a ransom demand is received but no payment is made, there is no mandatory reporting requirement. However, voluntary reporting is encouraged.

A payment does not only mean money; it can include: 

  • Cryptocurrency
  • Goods
  • Services
  • Any other non-monetary benefit or arrangement provided to the attacker

What Information Must Be Reported?

A ransomware payment report must include information that the business knows or is reasonably able to find out within 72 hours. 

This report includes key details such as:

What is the Purpose of the Act?

Ransomware and cyber extortion payment reporting serves three main purposes:

  • To better understand which threat actors are most active, which industries and business sizes they target, the techniques and malware used, and the economic impact of ransomware in Australia 
  • To enable the Government to provide targeted, practical cyber security guidance to industry, particularly small and medium businesses, based on real-world trends identified through reporting 
  • To assist with future legislative proposals and other programs aimed at reducing the impact of ransomware and cyber extortion across the Australian economy 

What This Means for Small and Medium Businesses

Meeting the reporting requirements under pressure can be particularly challenging for SMBs. During a ransomware incident, decisions are made quickly, visibility is limited, and key staff are often juggling multiple responsibilities.  

Without clear processes, documented response plans, and systems that preserve logs and evidence, many businesses would struggle to accurately confirm what happened within a 72-hour window. 

Ransomware is not just a large enterprise issue. SMBs are often targeted because they typically have fewer security controls, limited internal IT resources, and less formalised incident response processes. Cybercriminals actively exploit this lack of readiness. 

Preparing now helps protect your business today and ensures you are ready as your organisation grows. Even if your business does not yet meet the reporting threshold, this legislation is a clear signal of where cyber security expectations are heading.

If you are unsure how your business would respond to a ransomware incident, or whether you could meet a 72-hour reporting requirement, this is now the right time to review your readiness. 

Concord IT can help by:

  • Assessing your current cyber risk exposure
  • Reviewing and developing incident response and reporting plans
  • Identifying gaps in security controls, processes and governance

Concord IT works alongside legal, insurance and incident response professionals when supporting clients through ransomware events. 

Important Disclaimer

This article is provided for general information purposes only and does not constitute legal advice. Cybersecurity incidents, including ransomware events, can raise complex legal, regulatory, contractual and insurance considerations that depend on the specific facts and circumstances. 

Organisations experiencing a ransomware or cyber extortion incident should seek independent legal advice promptly to understand their obligations under applicable Australian law, including the Cyber Security Act 2024, privacy legislation, contractual obligations and any insurance requirements. 

To learn more about ransomware and cyber extortion payment reporting, refer to the official Ransomware Payment Reporting Guidance.  
