New ransomware payment reporting rules come into effect in Australia today, May 30th, 2025. The rules apply to all organizations with an annual turnover of at least AUS $3 million (approximately $1.93 million USD). The provisions, set out in Australia’s Cyber Security Act 2024, also extend to private companies that operate critical infrastructure assets in the country. Organizations in scope must report any ransomware payment they make through the Australian Signals Directorate’s (ASD) official reporting tool.
Reports must be submitted within 72 hours of making the payment to the attackers, or of becoming aware that a ransomware payment has been made on the organization’s behalf by another party. The report must include the ransomware payment amount initially demanded, the amount actually paid to the cybercriminals, the payment method demanded and used, and details of communications with the attackers.
The requirements do not apply to public sector bodies, which are exempt from the rule.
Australia is the first country to introduce mandatory ransomware payment reporting requirements for businesses. The aim of the rules is to improve visibility into ransomware attacks and thereby help government agencies and law enforcement combat threat actors. Experts widely believe that ransomware incidents are significantly underreported: the Australian Institute of Criminology has previously reported that only about one in five victims report cyber-attacks to authorities.
The Cyber Security Act 2024 also mandates new security standards for smart device manufacturers operating in Australia, due to come into effect in 2026. The law additionally creates a Cyber Incident Review Board, which will conduct post-incident reviews of significant cybersecurity incidents in Australia. That could see senior company executives face closer scrutiny over their organization’s cyber strategy decisions and overall preparedness. The UK government is currently consulting on a similar mandatory reporting regime for ransomware incidents.