Australia’s New Mandatory Ransomware-Payment Reporting: What Every Business Needs to Know
- Quenten Grasso
- Jun 5
- 3 min read

Why this change matters
On 30 May 2025, Australia introduced a world-first requirement: certain organisations must notify the Australian Signals Directorate (ASD) whenever they transfer money or anything of value to ransomware or cyber-extortion criminals. The reform, set out in Part 3 of the Cyber Security Act 2024 and fleshed out by the Cyber Security (Ransomware Payment Reporting) Rules 2025, is aimed at dragging ransom activity out of the shadows so government and industry can finally see the whole picture.
Who must report?
Annual-turnover test – Any “reporting business entity” with ≥ AUD 3 million turnover in the previous financial year. A pro-rata formula applies if you only traded part-year.
Critical-infrastructure operators – Responsible entities under the Security of Critical Infrastructure Act 2018 are automatically in scope, regardless of turnover.
Pro tip for SMEs: The AU $3 m threshold captures roughly the top 6.5 % of Australian businesses, but even smaller firms in critical supply chains may be swept in via the infrastructure
What counts as a “payment”?
Cash, crypto, bank transfers
Non-monetary benefits such as gift cards, services, or other concessions offered
The 72-hour clock
If you pay (or learn that someone paid on your behalf) you must lodge a report via the ASD’s online form within 72 hours. Late or missing reports risk a civil penalty of 60 penalty units (~ AU $18,000 at today’s rates).
What goes into the report?
| Category | Examples of required details |
| --- | --- |
| Entity info | ABN, contact person, turnover bracket |
| Incident timeline | When the attack occurred & when it was discovered |
| Technical details | Malware/ransomware variant, exploited vulnerability |
| Impact | Effect on your business & customers |
| Extorter’s demand | Amount/asset type requested & paid |
| Negotiation history | Timing & nature of messages with the attacker |
Two-phase rollout
| Phase | Dates | Regulatory stance |
| --- | --- | --- |
| “Education-first” | 30 May – 31 Dec 2025 | Guidance & outreach; enforcement only for egregious non-compliance |
| Full enforcement | 1 Jan 2026 onward | Active monitoring & penalties for breaches |
Why does the government want the data?
Map active threat actors and their preferred tactics.
Provide tailored advice to industry sectors, particularly small to medium-sized enterprises (SMEs).
Shape future cyber-policy and defence.
Privacy & Legal protections
Information in a ransomware-payment report is shielded from use in most civil or criminal proceedings (except false-statement offences). Legal-professional privilege is preserved.
Action checklist for CISOs & MSPs
Update your incident-response playbook – Add a “Report to ASD within 72 h” step and name an internal owner.
Tag payments early – Finance teams should flag any unusual crypto or offshore transfers immediately to security.
Prepare evidence templates – Capture extortioner comms, ransom notes, and system logs in a standard packet.
Brief the board – Directors need to understand the penalties and reputation impacts of non-compliance.
Run a tabletop exercise – Simulate a ransomware scenario that includes drafting and lodging the ASD form.
Leverage the data – Monitor the anonymised threat-trend reports ASD plans to release, and feed them into your protective-controls roadmap.
Looking ahead
Australia is now the testbed for compulsory ransom reporting. Other jurisdictions (UK, EU, several US states) are watching closely. Expect global harmonisation talks once the Australian scheme’s first-year data emerges.
For local businesses, early compliance isn’t just about avoiding fines; it’s an opportunity to refine incident response, influence future policy, and demonstrate cyber-maturity to customers.
Need help aligning your runbooks or coaching clients through the new obligation? Our cyber-response team at Q10 Systems can run a compliance gap assessment in a single afternoon. Contact us today.
(This is general information, not legal advice. Consult counsel for formal opinions.)