Mandatory Reporting of Ransomware Payments
- Sue Cao
- May 20
- 3 min read
Updated: Jul 16

In response to the growing threat of ransomware attacks, the Australian Government has enacted new legislation that introduces a mandatory reporting obligation for ransomware payments. The Cyber Security Act 2024, which came into effect following Royal Assent on 29 November 2024, aims to improve national visibility of cybercrime and deter malicious actors by increasing transparency and regulatory oversight.
Key Requirements of the Cyber Security Act 2024:
Under the new law, starting 30 May 2025, certain businesses—defined as “reporting business entities”—must notify the Australian Signals Directorate (ASD) within 72 hours if a ransomware payment is made. This obligation also applies when an entity becomes aware of such a payment being made on its behalf.
The reporting requirement is triggered when:
- A cyber incident has occurred or is imminent;
- The incident results in a ransom or extortion demand;
- A ransomware payment has been made in response to that demand.
The threshold for compliance applies to businesses operating in Australia with an annual turnover exceeding AU$3 million, in line with the Privacy Act 1988. It also applies to critical infrastructure entities, as defined under the Security of Critical Infrastructure Act 2018.
Implications for Businesses
This legislative shift places additional responsibility on medium to large businesses and critical infrastructure operators to act swiftly in the face of ransomware incidents. Failing to report such payments could expose organisations to enforcement action, including financial penalties and reputational risk.
Additionally, entities are encouraged to strengthen internal protocols for incident response, governance, and documentation. This includes reviewing cyber insurance coverage, updating ransomware playbooks, and ensuring executives are trained to meet the 72-hour window.
Organisations should view this legislation not as a burden, but as an opportunity to strengthen their resilience and contribute to a safer digital ecosystem for all Australians.
Need Help Understanding Your Obligations?
At Lynden Group, we help Australian and international organisations navigate cybersecurity and regulatory changes with confidence. If your organisation needs help understanding its new obligations under the Cyber Security Act 2024, or updating incident response and reporting frameworks, we invite you to reach out for a consultation.
Frequently Asked Questions – Ransomware Payment Reporting in Australia
1. What is the new ransomware reporting requirement? From 30 May 2025, certain businesses must report ransomware payments to the Australian Signals Directorate (ASD) within 72 hours, under the Cyber Security Act 2024.
2. Who must comply with this law? Entities with over AUD 3 million in annual turnover, and those considered critical infrastructure under the Security of Critical Infrastructure Act 2018, are subject to mandatory reporting.
3. What counts as a reportable event? A report must be made when a ransomware or extortion demand leads to a payment, or when a business becomes aware of such a payment made on its behalf.
4. When does the 72-hour deadline begin? The countdown starts from the moment the business is aware of the ransom demand and a payment being made or planned.
5. What are the consequences of not reporting? Failure to report may result in regulatory action, fines, reputational damage, and increased compliance scrutiny.
6. How can businesses prepare for compliance? Organisations should update their incident response plans, clarify internal governance, train executives on reporting obligations, and review cyber insurance coverage.
7. Why did the government introduce this rule? It aims to improve national cyber intelligence, deter criminal activity, and increase transparency around ransomware attacks in Australia.
8. Can Lynden Group help with compliance? Yes. Lynden Group supports businesses with compliance planning, executive briefings, reporting procedures, and practical frameworks under the Cyber Security Act.
Sources:
- Australian Government – Cyber Security Act 2024
- Australian Signals Directorate (ASD) – Cyber.gov.au