25 June 2025

Ransomware reporting obligation changes have started!

Clifford Gouldson Lawyers


Clifford Gouldson Lawyers is a leading regional provider of legal services to the business, government and not for profit sectors. Established in Toowoomba more than 15 years ago with a commitment to offering specialised expertise in a regional setting we now provide our services across multiple offices within Queensland and interstate.
Failure to report a ransomware payment could lead to your organisation being fined. Who must report? When? What must the report include?

As of today, 30 May 2025, a failure to report a ransomware payment could lead to your organisation being fined. That's when new reporting obligations surrounding ransomware payments came into effect across Australia.

Ransomware is a kind of malware that usually inhibits a business's systems or their access to files. Hackers who rely on ransomware often demand payment or some other kind of benefit in exchange for removing the malware from the business's system.

The Legislation

Part 3 of the Cyber Security Act 2024 (Cth) (the Act) requires 'reporting business entities' which are impacted by cyber security incidents to report any payment made to an entity trying to benefit from the impact of the incident.

The Act aims to improve cyber security, encourage transparency, improve responses to cyber security incidents and ultimately prevent or mitigate such incidents. While the Act came into effect generally in November last year, Part 3 only commences 30 May 2025 – today! At the same time, the Cyber Security (Ransomware Payment Reporting) Rules 2025 (the Rules) will commence, and these Rules may be relevant when interpreting Part 3 of the Act.

Who must report?

Not every business is a 'reporting business entity' according to the Act. In order to be required to report ransomware payments, an entity must be carrying on a business in Australia and have an annual turnover above $3 million for the previous financial year. However, if the business has only been carried on for part of the previous financial year, it is calculated using the following formula:

$3 million × (number of days in the part of the year the business was carried on) ÷ (number of days in the previous financial year)

Public bodies and entities responsible for critical infrastructure assets are generally not 'reporting business entities'. However, a responsible entity for critical infrastructure assets under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) will be a reporting business entity for the purposes of the Act.

When to report?

A report must be made when a ransomware payment is made to a person or another entity who wants to benefit from the impact of a cybersecurity incident and makes demands to that end. So, there are four key factors to look out for:

  1. A cyber security incident has occurred;
  2. This incident has had an impact on the reporting business entity;
  3. Another entity has demanded payment or some other kind of benefit;
  4. This benefit has been given to them.

A cyber security incident is an event or events involving unauthorised impairment of electronic communication to or from a computer. However, such an event is only a cyber security incident for the purposes of the Act if the incident:

  1. involves a critical infrastructure asset; or
  2. involves the activities of a corporation; or
  3. impeded the ability of a computer to connect to a telegraphic, telephonic or similar service; or
  4. has serious implications for Australia's social or economic stability, defence, or national security.

If the above factors have been satisfied, then the reporting entity has 72 hours to make a report (s 27(1)).

If an organisation fails to make the report, it can be fined.

What must a report include?

The report needs to be made to an authorised Department such as the Australian Signals Directorate or the Australian Cyber Security Centre.

Rule 7 sets out the information that is required to be included in any report of a cyber security incident. A report must include the contact and business details, the ABN (if applicable) and the address of both the reporting entity and the entity demanding payment. The report must also include information about the cyber security incident including:

  • when the incident occurred;
  • when the reporting business entity became aware of the incident;
  • any impact on infrastructure;
  • any impact on customers;
  • the kind of ransomware or other malware used;
  • the vulnerabilities (if any) in the system that were exploited;
  • any other information that could be helpful to the investigating body.

Going forward

If you are considered a reporting business entity under the Act, you are bound by the reporting obligations above. So it would be advisable for you to consider your systems' vulnerabilities and harden them against ransomware attacks. You should also review your cyber insurance notification regime and internal cyber security policies to ensure that reporting occurs within the required time. If you have questions about this alert, please contact a member of our Intellectual Property + Technology team.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
