In May 2025, the Australian Government introduced new reporting obligations under the Cyber Security Act 2024. As the mandatory ransomware and cyber extortion payment reporting requirement has now been in effect for four months, the Department has updated its guidance materials to support companies in meeting these obligations.

These measures aim to strengthen national cyber resilience by improving visibility into ransomware and cyber extortion activity across the economy.

Who Must Report

Entities are considered reporting business entities if they meet any of the following criteria:

  • Operate a business in Australia with an annual turnover of AUD $3 million or more in the previous financial year (or meet the pro-rata threshold if operating for part of the year)
  • Are a responsible entity for a critical infrastructure asset under the Security of Critical Infrastructure Act 2018

Not-for-profit organisations are not explicitly exempt.

What Must Be Reported

A report must be submitted when:

  • A ransomware or cyber extortion payment is made, either directly by the business or on its behalf
  • The payment includes monetary or non-monetary benefits (e.g. services, gifts)

Reports are not required if no payment is made, or if the incident involves scams or physical extortion (these should be reported to Scamwatch).

When to Report

Reports must be submitted within 72 hours of:

  • Making the payment, or
  • Becoming aware that a payment was made on the entity’s behalf (e.g. if an overseas entity paid the ransom on behalf of the extorted Australian company)

How to Report

Reports must be submitted via the Australian Signals Directorate (ASD) portal and include:

  • Business and contact details (including ABN)
  • Description of the cyber incident and its impact
  • Details of the payment (amount, method, and communications with the extorting entity)
  • Information about any third party involved in making the payment

Penalties for Non-Compliance

Failure to report within the required timeframe may result in a civil penalty of up to 60 penalty units.

However, the reporting obligation is being introduced in two phases:

  • Phase 1: Education-First Approach (30 May - 31 December 2025)
    Focus on awareness, guidance, and support. Regulatory action will be limited to serious non-compliance.
  • Phase 2: Compliance and Enforcement (From 1 January 2026)
    Full enforcement of reporting obligations, supported by updated guidance and stakeholder engagement.

For further information, including different scenarios of how the reporting obligations apply to Australian companies, see the updated guidelines here.

Industry survey: Ransomware

The Department of Home Affairs has launched a Ransomware Survey, available here until midnight on 31 October 2025.

Your responses will help the Department improve the ransomware reporting form, guidance materials and overall user experience, and identify areas where businesses may need support.