According to the Annual Cyber Threat Report 2023-2024, around 71% of extortion-related cyber security incidents to which the Australian Signals Directorate responded in FY 2023-2024 involved ransomware. To combat this, Part 3 of the Cyber Security Act 2024 (Cth) (Cyber Security Act) introduces several significant changes to the Australian cyber security landscape. Key among these are the new reporting obligations imposed on certain entities relating to ransomware and cyber extortion payments.
1. When will the reporting obligations start?
While the Cyber Security Act was enacted on 29 November 2024, the ransomware reporting obligations take effect on a date to be fixed by Proclamation or by 30 May 2025, whichever is first. Indications from government are that the obligations will commence on 30 May 2025. There is no grace period for compliance.
2. Who will need to report?
Reporting obligations apply to 'reporting business entities', namely:
- entities carrying on business in Australia with an annual turnover that exceeds the prescribed turnover threshold. The Cyber Security (Ransomware Reporting) Rules 2024 (Draft Rules) presently set this at $3 million. The Draft Rules remain open for consultation, though it is anticipated the turnover threshold is unlikely to change given prior consultation.
- responsible entities for critical infrastructure assets to which Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) applies.
Entities that do not meet these criteria, such as small businesses below the turnover threshold, Commonwealth bodies or state bodies, are exempt from this obligation.
The view of the regulator is that multinational entities carrying on business in Australia would be required to report on ransomware payments if the entity carrying on business in Australia has:
- made the ransomware payment; or
- been impacted by the ransomware incident even if the payor (e.g. the parent company) is based outside of Australia.
3. What payments will need to be reported?
The Cyber Security Act triggers reporting obligations when all of the following occur:
- Incident: a cyber security incident has occurred, is occurring or is imminent (e.g. physical threats are not in scope);
- Impact: that cyber security incident had, is having or could reasonably be expected to have an impact (direct or indirect) on a reporting business entity (i.e. the incident impacts the entity with the obligation to report);
- Demand: an extorting entity has made a demand to benefit (i.e. to obtain some advantage e.g. money, services or information) from that cyber security incident or its impact on the reporting business entity; and
- Benefit: the reporting business entity provided (or is aware another entity provided on their behalf) a benefit (e.g. payment, services or data) to the extorting entity directly related to the demand.
A cyber security incident is broadly defined by reference to the SOCI Act and, in keeping with the nature of federal regulation, such incidents are reportable if they have a sufficient constitutional nexus, such as involving corporations, telephonic/internet services, critical infrastructure, serious prejudice to the security, defence or stability of the nation, or the like.
The Cyber Security Act is relevant to payments made in response to:
- Ransomware: malicious software designed to cripple digital infrastructure by encrypting devices, folders and files, rendering essential computer systems inaccessible unless a ransom is paid; and
- Cyber extortion: where cybercriminals exfiltrate commercially sensitive or personal data from victims, threatening its sale or release if extortion demands are not met.
4. When and what to report
Reporting business entities must make a report within 72 hours of making the ransomware payment (or becoming aware that the ransomware payment has been made). Reports will be made to the Australian Signals Directorate (ASD) through an online portal yet to be created.
The Cyber Security Act requires that reports include specific details about the cyber security incident, the impact on the reporting business entity, the extortion demand, the ransomware payment and any communications with the extorting entity. This helps the government build a more comprehensive understanding of the threat landscape and provide targeted support to affected entities. The Draft Rules elaborate on the required content of the reports including descriptions of negotiations with extorting entities.
A reporting business entity is only required to share information it 'knows or is able, by reasonable search or enquiry, to find out'.
The Department of Home Affairs, in the town hall session held on Friday, 24 January 2025, acknowledged the potential overlap between the cyber incident reporting obligations under the SOCI Act and the Cyber Security Act and noted that mechanisms would be developed to prevent duplicative reporting.
5. What happens if the ransomware reporting obligation is not met?
Under the Cyber Security Act, reporting business entities that fail to report ransomware payments within the stipulated time may face civil penalties up to 60 penalty units (presently, $19,800). Such failure may also result in increased regulatory scrutiny and reputational damage.
6. Input into the Draft Rules
The consultation period on the Draft Rules is open until 5pm AEDT, Friday 14 February 2025. Submissions may be made via the Cyber and Infrastructure Security Centre. After the consultation period ends, feedback will be reviewed and considered prior to the Draft Rules being finalised. The Rules will then be published and come into effect most likely on, and no later than, 30 May 2025.
Minter Ellison provides full-service cyber legal and consultancy services with extensive experience in Australian privacy and cyber security laws. Please contact us if you need guidance in preparing for these imminent changes, including submitting feedback to the ASD on the Draft Rules.