
Mandatory Reporting of Ransomware Payments


In response to the growing threat of ransomware attacks, the Australian Government has enacted new legislation that introduces a mandatory reporting obligation for ransomware payments. The Cyber Security Act 2024, which came into effect following Royal Assent on 29 November 2024, aims to improve national visibility of cybercrime and deter malicious actors by increasing transparency and regulatory oversight.


Key Requirements of the Cyber Security Act 2024


Under the new law, from 30 May 2025 certain businesses, defined as "reporting business entities", must notify the Australian Signals Directorate (ASD) within 72 hours of a ransomware payment being made. The same obligation applies when an entity becomes aware that such a payment has been made on its behalf.


The reporting requirement is triggered when:


  • A cyber incident has occurred or is imminent;

  • The incident results in a ransom or extortion demand;

  • A ransomware payment has been made in response to that demand.


The threshold for compliance applies to businesses operating in Australia with an annual turnover exceeding AU$3 million, in line with the Privacy Act 1988. It also applies to critical infrastructure entities, as defined under the Security of Critical Infrastructure Act 2018.


Implications for Businesses

This legislative shift places additional responsibility on medium to large businesses and critical infrastructure operators to act swiftly when a ransomware incident occurs. Failing to report a payment could expose an organisation to enforcement action, including financial penalties, as well as reputational damage.


Additionally, entities are encouraged to strengthen internal protocols for incident response, governance, and documentation. This includes reviewing cyber insurance coverage, updating ransomware playbooks, and ensuring executives are trained to meet the 72-hour window.


Organisations should view this legislation not as a burden, but as an opportunity to strengthen their resilience and contribute to a safer digital ecosystem for all Australians.


Need Help Understanding Your Obligations?

At Lynden Group, we help Australian and international organisations navigate cybersecurity and regulatory changes with confidence. If your organisation needs help understanding its new obligations under the Cyber Security Act 2024, or updating incident response and reporting frameworks, we invite you to reach out for a consultation.


Sources:


Australian Government – Cyber Security Act 2024

Australian Signals Directorate (ASD) – Cyber.gov.au
