Introduction
Australia is set to implement mandatory ransomware payment reporting rules [2], marking a significant step in cybersecurity regulation. These rules [10], effective from May 30, 2025, require organizations with substantial annual turnovers to report ransomware payments, aiming to enhance transparency and improve the nation’s cybersecurity posture.
Description
Mandatory ransomware payment reporting rules will take effect in Australia on May 30, 2025, requiring organizations with an annual turnover exceeding AUD $3 million (approximately USD $1.93 million) to report any ransom payment made to cybercriminals within 72 hours of making it. This initiative [1] [3] [6] [10], established under the Cyber Security Act 2024 [1] [9], mandates that reports be submitted through the Australian Signals Directorate portal and include essential details such as the company's contact information, Australian Business Number [7], a description of the cybersecurity incident and its impact [10], the amount demanded and paid [2] [6], the payment method (including cryptocurrency details), and the nature and timing of communications with the attackers [2]. Organizations must also disclose the involvement of any third-party negotiators in the ransom payment process. Non-compliance may result in civil penalties of up to AUD $19,800, and the information reported is protected from being used in civil or regulatory actions against the reporting entity [3] [6].
From May 30 to December 31, 2025 [7], the government will prioritize educating and engaging businesses about these new obligations, with regulatory enforcement commencing on January 1, 2026 [7], focusing on severe non-compliance [7]. This initiative aims to enhance understanding of ransomware attacks by providing insights into targeted entities [1], attack methods [1], and the nature of demands and payments [1]. The reporting scheme seeks to address the previous lack of visibility surrounding ransomware payments [1], which often occurred in secrecy due to legal and reputational concerns [1]. Insights gained from these reports will assist authorities in tracking active threat actors, identifying the types of businesses targeted [7], understanding the malicious software used, and assessing the financial impact of cyber incidents [7]. Notably, only 20% of ransomware victims have previously disclosed incidents, underscoring the importance of these new reporting requirements.
Australia is the first nation to enforce mandatory ransomware payment reporting [2], a measure enacted in response to significant cyberattacks [7], including the 2022 incident involving Optus [7]. The decision to enforce this disclosure requirement is driven by the increasing frequency of ransomware incidents and the need for data transparency to improve security measures [5]. However, the current framework does not require public disclosure of the collected data [1], which may only be utilized by select government agencies for incident response and national coordination [1]. To maximize the effectiveness of the reporting regime [1], it is suggested that information be shared in an aggregated form [1], with identities anonymized [1], through public channels such as the ACSC’s annual cyber threat report or a dedicated ransomware trends webpage [1]. Public access to this data could improve awareness of the sectors most affected by cyberattacks and the methods employed by attackers [1], ultimately supporting better risk management and informed public discourse [1].
Additionally, the Cyber Security Act 2024 introduces new security standards for smart device manufacturers [2], set to take effect in 2026 [2], requiring secure default settings [3], unique passwords [3], regular updates [3], and data encryption [3]. The Act also establishes a Cyber Incident Review Board to evaluate significant cybersecurity incidents [2], which may scrutinize senior executives over their cyber strategy decisions [2] [9]. Tony Burke, the Minister for Home Affairs and Cyber Security, has emphasized the importance of collaboration between government and industry to strengthen defenses against cyber threats [7]. Experts suggest that a shift towards proactive resilience, rather than reactive payments [8], is essential to better prepare and protect organizations [8], as paying ransoms may inadvertently fund cybercriminal networks and invite further attacks [8].
The mandatory reporting is seen as a significant advancement in addressing the underreporting of ransomware incidents in Australia [10], providing authorities with better visibility into the threat landscape [10], which could enhance prosecution and prevention efforts [10]. Security leaders emphasize the need for businesses to reassess their security protocols in light of these new requirements [10], as the rules introduce additional complexities when dealing with ransom demands [10]. While the reporting obligations primarily apply to larger organizations [10], small to medium-sized businesses are encouraged to strengthen their cyber resilience in response to evolving threats [10], including reviewing their backup systems to ensure effective restoration in the event of a breach [4]. To prepare for compliance [5], companies should upgrade their cybersecurity infrastructure by investing in advanced security tools and conducting regular audits [5], as well as developing comprehensive incident response plans and enhancing reporting and documentation procedures [5]. This new mandate positions Australia as a leader in cybersecurity regulation [5], potentially influencing global standards and fostering international cooperation against cyber threats [5].
Conclusion
The introduction of mandatory ransomware payment reporting in Australia represents a pivotal development in the global fight against cybercrime. By mandating transparency and accountability [5] [8], the initiative aims to mitigate the impact of ransomware attacks and improve national cybersecurity resilience. Organizations are encouraged to adapt to these new requirements by enhancing their cybersecurity measures and fostering a proactive approach to threat management. As Australia leads the way, this regulatory framework may serve as a model for other nations, promoting international collaboration in combating cyber threats.
References
[1] https://www.aspistrategist.org.au/mandatory-ransomware-reporting-great-but-tell-us-whats-being-learned/
[2] https://www.infosecurity-magazine.com/news/ransomware-payment-disclosure/
[3] https://regleis.com.au/new-reporting-obligations-for-cyber-ransoms/
[4] https://dynamicbusiness.com/leadership-2/expert/ransomware-reporting-rules-begin-in-june-5-ceo-questions-answered.html
[5] https://que.com/australian-companies-now-required-to-disclose-ransomware-payments/
[6] https://www.insurancenews.com.au/daily/reporting-rule-takes-cyber-ransoms-out-of-the-darkness
[7] https://www.hcamag.com/au/specialisation/employment-law/new-reporting-rules-for-ransomware-payments/537425
[8] https://www.cyberdaily.au/security/12164-pay-up-understanding-australia-s-new-ransomware-reporting-requirements
[9] https://www.nccgroup.com/us/newsroom/ncc-group-commends-australias-latest-cyber-security-laws/
[10] https://www.arnnet.com.au/article/3998456/ransomware-reporting-rules-require-all-businesses-to-do-a-risk-assessment.html