New Mandatory Reporting Rules for Ransomware and Cyber Extortion Payments
As of 30 May 2025, new cybersecurity reporting obligations under Part 3 of the Cyber Security Act 2024 have come into effect. These provisions introduce mandatory reporting for certain businesses that make ransomware or cyber extortion payments.
Cybersecurity Reporting Obligations: What Triggers the Requirement?
If a cyber incident has occurred—or is ongoing—and an extorting entity makes a demand to exploit the incident or impact a business, and a payment or other benefit is provided in response, the business is required to submit a report under the Act.
Who Is a Reporting Business Entity?
A reporting business entity is one that:
Was carrying on business in Australia at the time of the payment; and
Had an annual turnover in the previous financial year above the reporting threshold (this has been set at AU$3 million).
Entities responsible for critical infrastructure assets under Part 2B of the Security of Critical Infrastructure Act 2018 are also subject to these obligations.
What to Include in a Report?
The Department of Home Affairs (DHA) has provided a fact sheet outlining what businesses must include in their reports.
Importantly, businesses are only required to report information they know at the time of submission. As new facts emerge, updates can be provided to the Australian Signals Directorate (ASD).
Understanding the Scope: Demands, Payments, and Extorting Entities
The legislation adopts intentionally broad definitions:
A demand can include requests for payment or any kind of benefit.
A payment is not limited to traditional currency - digital assets such as Bitcoin are included.
A benefit might include providing access to sensitive information.
The extorting entity does not need to be the same party behind the original cyber incident, acknowledging the difficulty of attribution in cybercrime.
Where and When to Report?
The reporting portal went live on cyber.gov.au on 30 May 2025.
Reports must be submitted within 72 hours of making a ransomware payment or becoming aware that one has been made.
A Two-Phase Approach to Compliance
The DHA and ASD are implementing the new regime in two phases:
Phase 1 (30 May - 31 December 2025): An education-first approach to help businesses understand and meet their new reporting obligations.
Phase 2 (from 2026): A compliance-focused approach with increased regulatory enforcement.
Not sure what qualifies or how to prepare? Our Law Squared Commercial team is here to assist - reach out to start a conversation via [email protected]