Australia’s Mandatory Ransomware Payment Reporting: What Businesses Need to Know

The Cyber Security Act 2024 (No. 98 of 2024) introduces a sweeping new framework aimed at strengthening Australia’s cybersecurity landscape. Covering everything from the security of connected devices to ransomware response and incident management, this legislation sets out obligations and protections for both businesses and government agencies.

Cyber Forte breaks down the Act’s core provisions and timelines below to help organisations understand what’s required and when.

Key Goals of the Cyber Security Act 2024

The Act is designed to:

  • Raise security standards for internet-connected devices (like IoT products).

  • Make ransomware payment reporting mandatory for certain businesses to tackle cyber extortion risks.

  • Centralise the coordination of significant cyber incidents under a national leadership framework.

  • Establish a dedicated Cyber Incident Review Board to assess incidents and recommend systemic improvements.

  • Promote voluntary information sharing between organisations and government while safeguarding sensitive data.

Staged Rollout

The legislation is being implemented in phases:

  • Parts 1, 4, 6–7 (General provisions, incident coordination, and regulatory powers): Effective 30 November 2024.

  • Part 2 (Smart Device Security Standards): By 30 November 2025.

  • Part 3 (Ransomware Payment Reporting): 30 May 2025.

  • Part 5 (Cyber Incident Review Board): 30 May 2025.

Key Provisions at a Glance

Part 2: Security Standards for Smart Devices

Manufacturers and suppliers of “connectable products” sold in Australia will be required to:

  • Adhere to prescribed security standards (such as secure default credentials and vulnerability disclosure mechanisms).

  • Provide a formal statement of compliance with their products.

Regulators will have the authority to issue compliance notices, halt sales of non-compliant products, or issue recalls. Non-compliance may result in financial penalties.

Part 3: Ransomware Payment Reporting

Starting 30 May 2025, any entity with an annual turnover of AUD $3 million or more must report ransomware payments — whether monetary or otherwise — within 72 hours of making the payment.

Key points:

Part 4: Coordinating Major Cyber Incidents

A National Cyber Security Coordinator will lead government-wide responses to significant incidents — such as attacks on critical infrastructure or other nationally significant cyber events.

Businesses will be encouraged to voluntarily share incident details with the Coordinator, with strict protections against the legal use or secondary disclosure of shared information.

Part 5: Cyber Incident Review Board

This independent board will review major cybersecurity incidents to identify systemic vulnerabilities and make recommendations to improve national cyber resilience.

The Board can compel organisations to provide relevant documentation but must redact sensitive details in publicly released reports. Members and contributors are legally protected from being called as witnesses regarding their review work.

Part 6: Regulatory Oversight

  • Civil penalties of up to 60 penalty units may be applied for non-compliance with mandatory requirements.

  • Authorities will have rights to inspect products, premises, and records to enforce the Act.

Safeguards and Protections

The legislation includes measures to:

  • Protect information shared under the Act from use in legal proceedings.

  • Maintain legal privilege for voluntarily shared, legally protected information.

  • Facilitate collaboration with state and territory governments, under strict usage agreements.

Review and Reporting Requirements

A parliamentary review of the Act is mandated within five years of its commencement, and the Cyber Incident Review Board must publish annual activity reports.

What Must Be Included in a Ransomware Report

Under Section 27(2) of the Act and Section 7 of the Cyber Security (Ransomware Payment Reporting) Rules 2025, the following details must be reported (if known, or obtainable through reasonable inquiry):

  • Contact and business details of the paying entity (including ABN).

  • Incident specifics, including timing, detection date, business and customer impacts.

  • Type and variant of ransomware or malware used.

  • Exploited vulnerabilities, if any.

  • Any information useful for government response and mitigation (e.g., details for ASD or the Australian Cyber Security Centre).

  • Details of any third-party payers, including their ABN and address.

  • The ransom demand, amount, method, and payment details.

  • Communication logs with the extortionist (including nature, timing, and negotiation history).

  • Additional incident-related information as relevant to the report.

Conclusion

The Cyber Security Act 2024 is Australia’s most comprehensive cybersecurity legislation yet. It sets out clear expectations for device security, ransomware management, incident response, and systemic risk reduction.

Businesses — particularly those with turnovers above AUD $3 million — should immediately begin preparing to meet these obligations, especially around ransomware payment reporting, while government bodies gain enhanced tools for cyber threat response and intelligence sharing.

The Act’s effectiveness will ultimately depend on how well it balances enforcement with the protection of sensitive, voluntarily shared information.