As of today, 30 May 2025, a failure to report a ransomware payment could lead to your organisation being fined. That’s when new reporting obligations surrounding ransomware payments came into effect across Australia.
Ransomware is a kind of malware that usually inhibits a business’s systems or their access to files. Hackers who rely on ransomware often demand payment or some other kind of benefit in exchange for removing the malware from the business’s system.
The Legislation
Part 3 of the Cyber Security Act 2024 (Cth) (the Act) requires ‘reporting business entities’ which are impacted by cyber security incidents to report any payment made to an entity trying to benefit from the impact of the incident.
The Act aims to improve cyber security, encourage transparency, improve responses to cyber security incidents and ultimately prevent or mitigate such incidents. While the Act came into effect generally in November last year, Part 3 only commences on 30 May 2025 – today! At the same time, the Cyber Security (Ransomware Payment Reporting) Rules 2025 (the Rules) commence, and these Rules may be relevant when interpreting Part 3 of the Act.
Who must report?
Not every business is a ‘reporting business entity’ according to the Act. In order to be required to report ransomware payments, an entity must be carrying on a business in Australia and have an annual turnover above $3 million for the previous financial year. However, if the business has only been carried on for part of the previous financial year, the annual turnover is calculated using the following formula:
Public bodies and entities responsible for critical infrastructure assets are generally not ‘reporting business entities’. However, a responsible entity for critical infrastructure assets under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) will be a reporting business entity for the purposes of the Act.
When to report?
A report must be made when a ransomware payment is made to a person or another entity who wants to benefit from the impact of a cyber security incident and makes demands to that end. So, there are four key factors to look out for:
- A cyber security incident has occurred;
- This incident has had an impact on the reporting business entity;
- Another entity has demanded payment or some other kind of benefit;
- This benefit has been given to them.
A cyber security incident is an event or events involving unauthorised impairment of electronic communication to or from a computer. However, such an event is only a cyber security incident for the purposes of the Act if the incident:
- involves a critical infrastructure asset; or
- involves the activities of a corporation; or
- impedes the ability of a computer to connect to a telegraphic, telephonic or similar service; or
- has serious implications for Australia’s social or economic stability, defence, or national security.
If the above factors have been satisfied, then the reporting entity has 72 hours to make a report (s 27(1)).
If an organisation fails to make the report, it can be fined.
What must a report include?
The report needs to be made to an authorised Department such as the Australian Signals Directorate or the Australian Cyber Security Centre.
Rule 7 sets out the information that is required to be included in any report of a cyber security incident. A report must include the contact and business details, the ABN (if applicable) and the address of both the reporting entity and the entity demanding payment. The report must also include information about the cyber security incident including:
- when the incident occurred;
- when the reporting business entity became aware of the incident;
- any impact on infrastructure;
- any impact on customers;
- the kind of ransomware or other malware used;
- the vulnerabilities (if any) in the system that were exploited;
- any other information that could be helpful to the investigating body.
Going forward
If you are considered a reporting business entity under the Act, you are bound by the reporting obligations above. So it would be advisable for you to consider your systems’ vulnerabilities and fortify them against ransomware attacks. You should also review your cyber insurance notification regime and internal cyber security policies to ensure that reporting occurs within the required time. If you have questions about this alert, please contact a member of our Intellectual Property + Technology team.
For further information, contact Ben Gouldson.
The assistance of Eve Gellatly, Legal Assistant, in researching this article is gratefully acknowledged.