ARTICLE
19 June 2025

Pay The Price, Now 'Fess Up': Reporting Obligations For Ransomware Payments Are Live

K&L Gates LLP


As of 29 May 2025, the requirement on businesses to report ransomware payments they make has come into effect.

What is the Requirement?

If a reporting business entity is impacted by a cyber security incident and makes a ransomware payment in response to that incident, the business must report the ransomware payment to the designated government agency within 72 hours of making the payment or becoming aware that the payment was made. Entities that do not produce a satisfactory report within the required time can be liable to a civil penalty of almost AU$20,000.

Who Does it Apply to?

'Reporting business entities' – generally those with over AU$3 million in annual turnover. Certain entities regulated under the Security of Critical Infrastructure Act 2018 are also within scope.

Who do you Produce the Report to?

The Australian Signals Directorate (ASD) is the designated Commonwealth body and has an online form for reporting the payments.

What Happens to the Report?

The ASD and other government agencies are also restricted from using the report for other purposes (such as investigating or enforcing a breach of the Privacy Act in connection with the relevant incident).

Final Thoughts

We note that the ASD urges businesses never to pay a ransom, as there is nothing compelling cyber criminals to honour their word. Despite this, businesses may find themselves in circumstances in which this sound advice is not practical, and the legislation reflects the reality that such payments are often made. According to a McGrathNicol survey, the average cyber ransom payment cost Australian businesses AU$1.35M in 2024, with only 1 in 10 businesses saying they would not pay under any circumstances.

Above all, this new reporting requirement reinforces the importance of conducting cyber health checks and maintaining an updated Data Breach Response Plan.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
