Pay and tell: mandatory ransomware payment reporting obligations in force

16.06.2025 Maria Rychkova, Natalie Adler, Paul Kallenbach

As of 30 May 2025, the mandatory ransomware payment reporting obligations introduced under the Cyber Security Act 2024 (Cth) are in effect.


Key takeouts


  • Entities falling within the Act must report a ransomware payment within 72 hours of making it (or of becoming aware that a payment has been made on their behalf).
  • There is no minimum payment threshold for the mandatory reporting obligation.
  • Entities that fail to comply with these obligations face civil penalties of up to $19,800 and heightened reputational risk.

A key pillar of the Australian Government's Cyber Security Strategy has now taken effect, with the ransomware reporting obligations under Part 3 of the Cyber Security Act 2024 (Cth) (Cyber Security Act) formally commencing. As of 30 May 2025, entities within scope must report ransomware and cyber extortion payments. As we have previously noted in our article New ransomware payment reporting obligations in Australia, there is no grace period for compliance.

As highlighted in our 2025 'Perspectives on Cyber Risk' report, understanding and mitigating cyber risks is crucial for all entities. We outline what you need to know below.

Who is caught by the mandatory ransomware reporting obligations?

The new reporting regime applies to reporting business entities, being entities that at the time of the incident are:

  1. entities responsible for critical infrastructure assets as defined under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act); or
  2. entities carrying on business in Australia with an annual turnover exceeding $3 million, as prescribed by the Cyber Security (Ransomware Payment Reporting) Rules 2025 (Ransomware Reporting Rules). This limb excludes Commonwealth or State bodies that are not caught by limb 1 above.

Entities that do not meet either limb, such as small businesses below the turnover threshold, or Commonwealth or State bodies that are not responsible for critical infrastructure assets, are not subject to these reporting obligations.

Under what circumstances must a ransomware payment report be made?

Reporting business entities are required to make a report if:

  1. a cyber security incident has occurred, is occurring or is imminent;
  2. the incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
  3. an extorting entity has made a demand (to the reporting business entity or any other entity) to benefit from the incident or its impact on the reporting business entity; and
  4. the reporting business entity provides, or is aware that another entity has provided on their behalf, a payment or benefit to the extorting entity directly related to the demand.

Reporting timeframes and requirements

Reporting business entities must make a ransomware payment report within 72 hours of making the payment (or becoming aware of a ransomware payment having been made). Reports are to be made to the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC), via an online portal. Critically, all benefits and payments made must be reported – there is no minimum threshold under which reporting is not required. A benefit can be monetary or non-monetary (such as services, gifts or data).

The Cyber Security Act prescribes that reports must contain information regarding:

  • the business entity that made the payment;
  • the cyber incident, including its impact on the reporting business entity;
  • the demand made by the extorting entity;
  • the ransomware payment; and
  • any communications with the extorting entity relating to the incident, the demand and the payment.

A reporting business entity is required to share information it 'knows or is able, by reasonable search or enquiry, to find out.'

Failure to make a report can result in civil penalties of up to 60 penalty units (currently $19,800) as well as reputational consequences.

Protection of reported information

Under Division 3 of Part 3, designated Commonwealth bodies are only permitted to use or disclose the information reported under these provisions for permitted purposes (as outlined in the Cyber Security Act). These purposes include assisting the reporting business entity with responding to, mitigating, or resolving the cyber security incident; performing functions or exercising powers under relevant parts of the Cyber Security Act, and performing intelligence agency functions.

The use and disclosure of reported information for civil or regulatory actions outside of the specified permitted purposes is prohibited, except in very limited circumstances.


MinterEllison provides full-service cyber legal and consultancy services with extensive experience in Australian privacy and cyber security law. If your organisation is unsure whether it is captured by the new regime, needs help establishing or updating internal protocols, or wants to review its broader cyber security strategy, our team is ready to assist.

https://www.minterellison.com/articles/mandatory-ransomware-payment-reporting-obligations-in-force