Cyber Security Act 2024 — mandatory ransomware payment reporting
How Part 3 of the Cyber Security Act 2024 (Cth) requires reporting entities to notify ASD within 72 hours of making or being aware of a ransomware payment.
What the Act introduced
The Cyber Security Act 2024 (Cth) was enacted in November 2024. It forms a key component of Australia's 2023-2030 Cyber Security Strategy. The Act’s purpose includes strengthening Australia’s cyber security posture and enhancing national security.
Part 3 of the Act introduces a mandatory ransomware payment reporting regime. This requires certain entities to report payments made in relation to ransomware incidents. Reporting obligations became effective on 30 May 2025.
Further provisions within the Act establish a Cyber Incident Review Board (Part 5) and provide limited-use protections for incident information shared with the National Cyber Security Coordinator (Part 4).
Who must report
Reporting obligations under the Cyber Security Act 2024 for ransomware payments apply to ‘reporting business entities’. These entities are defined as businesses carried on in Australia with annual turnover at or above $3 million for the previous financial year.
Small businesses with annual turnover below the $3 million threshold are generally exempt from mandatory reporting. However, this exemption does not apply if the business is a responsible entity for a critical infrastructure asset, as defined under the Security of Critical Infrastructure Act (the SOCI Act).
Government entities are specifically excluded from the definition of a reporting business entity and are therefore not subject to the ransomware payment reporting requirements.
The 72-hour clock
The Cyber Security Act 2024 mandates a strict timeframe for reporting ransomware payments. Organisations must submit a report to the Australian Signals Directorate (ASD) within 72 hours of either making a ransomware payment themselves, or becoming aware that an associated entity has made such a payment.
Reports must be provided in the manner and form approved by the Minister. The report’s content must include details of the cyber security incident, the ransom demand received, details of the payment made, and the identity of the recipient of the payment, to the extent that this information is known.
Failure to comply with the reporting obligation constitutes a civil penalty contravention.
Limited-use and interaction with other regimes
Information provided to the National Cyber Security Coordinator under Part 4 of the Cyber Security Act 2024 is protected by limited-use provisions. These provisions restrict how the Coordinator may use the information received from reporters and to whom it may be passed on.
Reporting obligations under other regulatory regimes are not superseded by the Cyber Security Act 2024. This means that reporting obligations under the Privacy Act, the SOCI Act, and APRA’s CPS 234 notification requirements remain in place and must be fulfilled.
The Cyber Security Act 2024 operates alongside existing laws. Consequently, sanctions law continues to apply; making a payment to a sanctioned person remains a separate criminal offence.
Frequently asked
Does paying the ransom become legal because of the reporting regime?
No. Reporting is a transparency obligation. It does not legalise payments that breach sanctions law (such as the Autonomous Sanctions Act 2011) or Criminal Code offences.
Do I need to report a near miss where I declined to pay?
No. The Part 3 obligation is triggered only by a payment that is made. Notifiable data breach and SOCI reporting obligations may still apply to the underlying incident.