Mandatory ransomware payment reporting in Australia: what the Cyber Security Act 2024 now requires

Published By:

Gavin McInnes

Founder of GRM LAW

Key Takeaways:

  • If Your Turnover Is $3 Million or More, Reporting Is Mandatory Within 72 Hours: You must report any ransomware or extortion payment to the Department of Home Affairs and the ASD within 72 hours under the Cyber Security Act 2024 (Cth) — including payments made by a third party on your behalf, such as through an insurer or incident response firm.
  • Paying a Ransom Is Not Simply a Commercial Decision: You must complete a sanctions screen and obtain legal advice before any payment moves, because paying a sanctioned party can breach Australian sanctions law — and once the funds have moved, your options narrow significantly.
  • The Payment Report and the Data Breach Notification Are Separate Obligations: You must manage both on their own timelines, because the same incident can trigger a 72-hour payment report under the Cyber Security Act and a notifiable data breach notification to the OAIC under the Privacy Act — paying the ransom does not remove either obligation.
  • The Limited-Use Protection Rewards Engagement but Is Not a Blanket Immunity: You must understand what the protection does and does not cover before sharing information with government, because while the Cyber Security Act 2024 restricts how that information can be used against you, it is specific in scope and does not displace your other legal obligations.
June 11, 2026

Introduction

If your business pays a ransom or an extortion demand, the law now gives you 72 hours to report it to government. That obligation is new, it is in force, and the window is short. It also sits on top of a separate and harder question that should not be answered without legal advice: whether to pay at all.

Ransomware payment reporting in Australia became mandatory on 30 May 2025 under the Cyber Security Act 2024 (Cth), Australia’s first standalone cyber security law. Of the measures the Act introduces, this is the one most businesses will actually encounter. This article explains who must report, what counts as a reportable payment, how and when to report, the protection that attaches to information you give the government, the penalty for getting it wrong, and the legal considerations that should sit in front of any decision to pay.

What the Cyber Security Act 2024 does

The Act introduces several distinct measures. Mandatory ransomware and cyber-extortion payment reporting is the part most businesses will deal with. The Act also creates a limited-use protection for information voluntarily given to the National Cyber Security Coordinator and the Australian Signals Directorate, mandatory security standards for smart devices, and a Cyber Incident Review Board to conduct no-fault reviews of significant incidents.

For boards and owners, the practical point is simple. Ransomware is no longer only an operational and insurance question. It is now a reporting obligation with a statutory deadline and a civil penalty for failure.

Who must report

The reporting obligation applies to two categories.

The first is a reporting business entity: an entity carrying on business in Australia with an annual turnover of $3 million or more in the last financial year. This is the threshold most commercial clients will be measured against. If your business operates in Australia and turns over $3 million or more, assume you are caught.

The second is a responsible entity for a critical infrastructure asset under the critical infrastructure regime. If you operate an asset captured by the Security of Critical Infrastructure Act framework, the obligation applies regardless of the turnover test.

Smaller businesses below the turnover threshold are not subject to the payment reporting obligation. That does not mean they have nothing to do, because other obligations, including the Notifiable Data Breaches scheme under the Privacy Act, can still apply to the same incident.

What counts as a reportable payment

The obligation is triggered by a payment, not by the attack itself. It applies where a ransomware or cyber-extortion payment is made by the entity, or made by someone else on the entity’s behalf, in connection with a cyber security incident affecting the entity.

Cyber extortion reporting under the Act is not confined to classic ransomware. It reaches extortion demands that do not involve encryption, so the obligation can be triggered even where no system was locked, for example where an attacker exfiltrates data and threatens to publish it.

The “on its behalf” wording also matters. A payment arranged through an incident response firm, an insurer, a broker or another third party can still be the entity’s reportable payment. If a demand is met on your behalf, the obligation is yours. This is one reason to run an incident through a single point of legal control, so the reporting obligation is identified and managed, not lost between the parties handling the response.

Reporting a payment is a separate question from whether the underlying incident is a notifiable data breach. The same event can require both a ransomware payment report under the Cyber Security Act and a breach notification to the Office of the Australian Information Commissioner under the Privacy Act, on different tests and different timelines.

The 72-hour rule

A reportable payment must be reported within 72 hours of the payment being made. The report goes to the Australian Government, through the Department of Home Affairs and the Australian Signals Directorate.

Seventy-two hours is not long once an incident is under way, and the window often opens at the worst possible moment, while systems are down, the board is anxious and the focus is on recovery. Building the reporting step into your incident response plan in advance, with the responsible person and the process named, is the difference between a report filed calmly and a deadline missed.

How to report

In practice the report is lodged through the Australian Government’s designated cyber reporting channel, and we recommend it is prepared and lodged with legal input. The required content is the kind of information that lets government understand the incident and the payment: for example, details of the incident, the demand, the payment, and the threat actor’s communications where known.

This is a structured reporting obligation. Prepare the report with legal input so that what is reported is accurate, complete and appropriately framed, and so the report and the limited-use protection work together rather than at cross-purposes.

The limited-use protection

The Act introduces a limited-use protection for information given to the National Cyber Security Coordinator and the ASD in connection with a cyber security incident. The intent is to encourage businesses to engage with government during an incident by restricting how that information can be used downstream, for example its use against the reporting entity in certain proceedings.

The protection is real, and it is a deliberate policy choice to reward engagement. It is also specific in scope. It is not a blanket immunity, and it does not displace your other legal obligations. Understanding what the protection does and does not cover, before you share information, is part of getting incident response right.

The penalty for not reporting

Failure to report a reportable payment within the 72-hour window can attract a civil penalty. The maximum civil penalty for failing to report is 60 penalty units. The larger exposure, though, is rarely the penalty itself. Being found to have failed to report a ransom payment carries regulatory and reputational consequences that outweigh the fine, and a late or missing report sits poorly against your other obligations arising from the same incident. The cleaner course is to report properly and on time.

The harder question: should you pay at all

Paying a ransom is not, in itself, currently unlawful in Australia. But that is not the end of the analysis, and treating payment as a purely commercial decision is a mistake. Several legal risks sit in front of any decision to pay.

  • Sanctions exposure: Many ransomware groups are linked to sanctioned individuals, entities or jurisdictions. Making a payment to, or for the benefit of, a sanctioned party can itself breach Australian sanctions law. Before any payment, the recipient should be screened against sanctions and proceeds-of-crime considerations. This is not a step to skip under time pressure.
  • Proceeds of crime and facilitation risk: A payment to a criminal enterprise carries its own legal and reputational risks that need to be weighed deliberately.
  • No guarantee of return: Paying does not guarantee that data will be restored, that decryption will work, or that the stolen data will be deleted rather than leaked or sold. There is often a second demand.
  • It does not remove your other obligations: Paying does not cure a notifiable data breach, does not stop the NDB clock, and does not remove the 72-hour reporting obligation that the payment itself creates.

For these reasons, the decision to pay should be made with legal advice and a sanctions screen completed first, not after the funds have moved. Once a payment is made, options narrow.

How GRM LAW helps

GRM LAW’s Ransomware Decision-Making Advisory is one of our trigger products, available when an incident is live. We work alongside your incident response under legal direction to help you assess the legal exposure of paying or not paying, run sanctions and proceeds-of-crime screening before any payment, and manage the 72-hour reporting obligation and the limited-use protection so the report is made correctly and on time. Running the forensic and decision-making work under legal direction can also help privilege attach to the work-product when the engagement is properly scoped, which matters if findings are later sought by a regulator or in litigation.

For clients who want this in place before an incident, our Breach + Drill Subscription is a breach-coach retainer with two facilitated incident-response drills a year and a plain-English incident response plan kept current, with the first hours of any in-year incident included. The point of a drill is that the reporting deadline, the people and the decisions are rehearsed before they are real.

When a ransomware demand lands, the reporting deadline, the sanctions question and the privacy obligations all run at once, and they run fast. That is the moment you want your lawyer on the line, before any decision is made and before any payment moves.

To ensure your business is prepared for these new obligations, contact our cyber and privacy lawyers at GRM LAW to book a no-obligation 30-minute scoping call. Most engagements with us begin with that call, and it is far better to have the reporting plan, the sanctions question and the decision-makers settled in advance than to work them out while a demand is live. As a lower-friction first step, you can also request our free Cyber Readiness Checklist to see where your gaps are before an incident forces the question.

Disclaimer: This is general information only and is not legal advice. For advice on your circumstances, contact GRM LAW.