On May 30, the ransomware payment reporting requirements of Australia's Cyber Security Act 2024 (CSA) took effect. The new requirement applies to a broad range of entities and cyber security incidents, requiring reporting after a "ransomware payment" is made. Australia is the first jurisdiction worldwide to require businesses to report ransomware payments, but pending activity in the United States and the United Kingdom indicates other countries may soon follow.
Scope of Covered Entities
The CSA's ransomware reporting obligation applies to entities that meet either of these two criteria:
- Any entity carrying on business in Australia with annual turnover exceeding AUD $3 million, as set by the Cyber Security (Ransomware Payment Reporting) Rules 2025 (CSA Rules)
- Responsible entities for critical infrastructure assets under Australia's Security of Critical Infrastructure Act 2018 (amended 2024) (SOCI) and associated regulations that are subject to SOCI's incident reporting requirements
Reporting Threshold
The reporting obligation is triggered when all the following five criteria, which will likely exist in most ransomware payment scenarios, are met:
- An incident has occurred, is occurring or will imminently occur.
- The incident is a "cyber security incident" under the CSA (discussed below).
- The incident has had, is having or could reasonably be expected to have a direct or indirect impact on a covered entity.
- An "extorting entity" makes a demand of any entity to benefit from the incident or the impact on the covered entity.
- The covered entity, or another entity on behalf of the covered entity, provides a payment or benefit to the extorting entity directly related to the demand.
Because the rule covers incidents and impacts in the past, present and future, it may require reporting for past incidents that lead to a ransom demand (such as a new threat to release data stolen in an old incident) and for imminent incidents that have not yet materialized (such as an extortion demand tied to a threatened denial-of-service attack). The rule covers either "direct or indirect" impacts, so entities must consider a broad range of operational, financial or reputational consequences when evaluating whether the rule applies. In practice, this requirement is likely redundant because an entity is unlikely to pay a demand unless an incident involves some direct or indirect impact on the entity.
Read together, the fourth and fifth criteria are met when a covered entity satisfies a demand made by an extorting entity. Notably, the extorting entity need not have caused the incident, addressing the complex ransomware ecosystem in which multiple bad actors often work together in different roles. And the rule covers any type of payment or benefit. Although nearly all ransom demands are for monetary payment, the rule also covers other intangible demands, such as those that might come from a politically or ideologically motivated group.
Scope of Covered Cyber Security Incidents
The reporting requirement is triggered only by payments made in connection with a qualifying "cyber security incident" or "presumed" incident. The CSA incorporates SOCI's broad definition of "cyber security incident," covering essentially any unauthorized cyber activity as a starting point, but limits the scope to incidents that also meet any of these five criteria:
- Involves a critical infrastructure asset
- Involves the activities of any corporation subject to the Parliament's corporations power under the Australian Constitution, including essentially any corporation doing business in Australia
- Is effected by means of a telegraphic, telephonic or similar service subject to Parliament's powers, including by means of the Internet
- Impedes or impairs the ability of a computer to connect to such a service, including the Internet
- Seriously prejudices Australia's social or economic stability, its defense of itself, or its national security
In addition, an incident is "presumed" to qualify as a cyber security incident if it "probably" meets any of the latter three criteria (broadly including any incident involving the use of the Internet). Although the CSA provides a no-penalty safe harbor for incidents ultimately proven not to meet these criteria, this presumption recognizes the uncertainty during an incident's early hours and encourages entities to err on the side of reporting.
Finally, although styled as a ransomware payment reporting rule, it is better to consider it a cyber extortion payment rule because an incident need not involve the deployment of ransomware (or any other malware) to trigger the rule's reporting requirement. An incident that involves the mere theft of data over the Internet and a threat to release that data if an entity fails to pay – which is the more common scenario we see today – may still trigger the reporting requirement if the entity pays the demand.
Form, Content and Timing of Reports
When the reporting requirement is triggered, the covered entity must make a ransomware payment report to the Australian Signals Directorate (ASD), Australia's signals intelligence agency, "within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made." The CSA Rules require each report to include:
- The contact and business details for the entity that pays the ransom (not necessarily the covered entity)
- Information about the cyber security incident and its impact
- The demand made by the extorting entity and the payment made to satisfy it
- Any communications with the extorting entity related to the incident, demand or payment
The report should also contain any other relevant information the covered entity knows or is able to find out by reasonable inquiry.
Penalties
If a covered entity fails to submit a required report within 72 hours, it is subject to 60 penalty units. Under Australian federal law, this translates to a fine of up to AUD $19,800 per unreported but covered ransomware payment.
Practical Considerations for Incident Response
For organizations navigating ransomware incidents under Australia's new CSA requirements, it is critical to align legal obligations with practical incident response strategies. The ransomware landscape continues to evolve rapidly, and the BakerHostetler 2025 Data Security Incident Response Report offers useful insight into how payment trends and incident response strategies are changing in ways that directly affect the scope and impact of Australia's new ransom payment reporting requirement.
In 2024, our firm saw average ransom payments drop by 33%, and only 36% of ransomware and extortion victims paid a ransom. These figures are more than statistical shifts. They reflect a convergence of maturing organizational response capabilities, improved tooling, more strategic decision-making and increased international law enforcement action against threat actor groups. Other cybersecurity firms have also reported a decline in the percentage of ransomware victims that ultimately pay ransom.
These developments mean more organizations are choosing not to pay ransoms, especially when (1) restoration from backup is feasible, (2) data exfiltration is limited or involves non-sensitive data, or (3) legal or regulatory considerations disfavor payment.
Organizations should ensure they incorporate Australia's reporting threshold into their ransomware decision-making workflow. Legal counsel and incident response teams should also coordinate closely, particularly if payment is being considered, to evaluate timing, documentation and downstream reporting. As more jurisdictions consider similar reporting obligations, a globally consistent incident response plan – reflecting jurisdiction-specific compliance triggers – can help multinational organizations reduce risk and streamline their crisis response.
Strategically, the CSA should not be viewed merely as a compliance burden. Instead, it offers an opportunity to formalize how legal, technical and executive teams collaborate during crises – and encourages proactive evaluation of whether ransom payment is the best path.
Other Ransomware Reporting Developments Worldwide
Australia is the first jurisdiction worldwide to impose ransomware reporting obligations on the private sector, but similar proposals in the U.S. and U.K. are pending.
In the U.S., the Cybersecurity and Infrastructure Security Agency has proposed a rule to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), requiring covered entities to report qualifying ransom payments. The CSA and CIRCIA bear many similarities, including a similar approach to defining the scope of covered entities, relying on both size-based and critical infrastructure-based criteria. CIRCIA's scope of covered ransom payments may be slightly narrower than the CSA's, applying only to the exchange of "money or other property or asset," rather than the CSA's coverage of any "benefit," including intangible interests and services.
And the U.K.'s Home Office in January introduced proposals targeted at ransomware attacks and payments. One of the proposals would outright ban ransomware payments, while the others would require reporting ransomware payments to the Home Office, either before or after payment. The notice-before-payment proposal would significantly depart from CSA and CIRCIA, requiring ongoing consultation with authorities before deciding to pay a ransom. In practice, businesses often choose to consult with law enforcement before making a ransom payment anyway, especially in the U.S., where such consultations may ease sanctions concerns.
Related Developments in Australia
In related news, Australia enacted privacy reforms on December 10, 2024, that will take effect on June 10. The reforms create a new tort of "serious invasion of privacy," expand regulatory enforcement powers for key Australian regulators, and require technical and organizational measures to ensure security, among other provisions.
Contributing Author: Associate King Xia
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.