From 30 May 2025, eligible business entities must report any ransomware or cyber extortion payment to the Australian Signals Directorate (ASD) within 72 hours of making the payment or, where a third party such as an insurer or negotiator paid on the entity's behalf, of becoming aware that the payment was made.
The obligation applies to businesses with an annual turnover of $3 million or more that are affected by a cyber security incident involving a ransomware or cyber extortion payment.
Under s26(2) of the Cyber Security Act 2024 (Cth) (the Act), eligible businesses are those with an annual turnover of $3 million or more, together with entities that are responsible entities for critical infrastructure assets under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth), which are captured regardless of turnover.
Importantly, the obligation is triggered only by an actual payment (monetary or otherwise) to the extorting entity; it is not triggered by the discovery of an attempted attack or the receipt of an extortion demand. An entity that does not pay has nothing to report under this regime.
For the first six months of the regime, the Department of Home Affairs, which administers it, will take an educational approach, giving affected businesses a grace period to familiarise themselves with the reporting form and the educational resources the Department has published. During this period, regulatory action will be taken only in cases of egregious non-compliance.
From 1 January 2026, as the regime beds in, the Department will move to a primarily regulatory focus, supported by additional guidance developed from feedback received during the grace period.
Contents of the mandatory report
A reporting business entity is required to provide the information it 'knows or is able, by reasonable search or enquiry, to find out', so the report is expected to reflect a reasonable investigation of the incident rather than only what is immediately to hand.
The mandatory reports must contain:
- the contact and business details of the entity that made the payment and of the reporting business entity (these may differ where a third party paid on the entity's behalf), including the Australian Business Number (ABN) of each,
- details of the cyber security incident and its impact on the reporting business entity, such as the date and time, the ransomware or malware variant used, and which vulnerabilities in the entity's systems were exploited,
- the amount or value demanded by the extorting entity, whether monetary or otherwise,
- the amount or value provided to the extorting entity, whether monetary or otherwise, and the method by which it was provided,
- details of any communications with the extorting entity relating to the incident, the demand and the payment, and
- any other information relating to the incident, demand or payment that the ransomware payment report requires.
The ransomware and cyber extortion payment reporting form on the ASD website sets out the specific information that must be provided.1
Failure to make a mandatory report attracts a civil penalty of up to 60 penalty units (currently just under $20,000), but the reputational consequences of non-compliance may matter more to a business than the fine.
Why mandatory reporting?
Mandatory reporting is already used in other areas of law to surface problems that cannot be identified without the knowledge and input of those directly involved. In the cyber security context, the Act aims to lift cyber security across sectors in response to the rapid growth in the capability of extorting entities.
The purposes of collecting this information are to:
- allow the government to observe active threat actors, targeted entities and sectors, and the malicious software used,
- assist the government in advising affected entities, particularly smaller and more vulnerable businesses, on how to raise their cyber security posture and become 'hard targets' for cyber criminals, and
- support the development of future legislative and policy measures to combat ransomware and cyber extortion.
How will the reports be used?
The information provided by the reports may be used to:
- assist the affected entity/entities in mitigating and resolving the cyber security incident,
- exercise powers under Parts 3 or 6 of the Act, and support proceedings under the Criminal Code for matters such as providing false or misleading information or documents and obstructing Commonwealth public officials,
- inform and advise the Minister for Cyber Security, as well as other Commonwealth Ministers, about the cyber security incident, and
- assist in the performance of an intelligence agency's functions.
Subject to the exceptions noted above (such as giving false or misleading information in a report), information in a report cannot be used as evidence against the reporting entity in:
- criminal proceedings,
- civil proceedings for contravention of a civil penalty provision,
- proceedings for a breach of any Commonwealth, State or Territory law (including the common law), or
- proceedings before a tribunal of the Commonwealth or of any State or Territory (see section 32 of the Act).
The reporting obligations do not otherwise affect a claim of legal professional privilege.
The Cyber and Infrastructure Security Centre provides details on the Act, the use of information contained in mandatory reports, and additional educational resources via the websites listed at the end of this article.
What does this mean for your business?
According to ASD reports, ransomware and cyber crime are on the rise - an observation that aligns with our own experience of a significant increase in cyber incidents, particularly social engineering incidents, leading to claims under standalone cyber insurance policies and/or the cyber components of other insurance policies (particularly Professional Indemnity and Management Liability policies).
The accessibility of generative artificial intelligence (AI) tools has not only driven a rapid increase in these types of claims, but also in the sophistication of the scams, misdirection-of-funds attempts, hacks and attacks involved. AI has allowed bad actors to create and conduct attacks that continue to grow in scale and efficacy.
The mandatory reporting regime is aimed, at least in part, at ensuring that businesses remain focused on the cyber threat, while also encouraging review of cyber security policies to ensure compliance and safety.
Businesses should ensure their key management personnel and officers are aware of the new reporting requirements, so that a payment decision made under pressure is accompanied by a timely report, and the potentially significant financial and reputational damage of non-compliance is avoided.
Cyber Security Act 2024 - Federal Register of Legislation
Security of Critical Infrastructure Act 2018 - Federal Register of Legislation
Footnotes:
1 Ransomware payment and cyber extortion payment reporting | Cyber.gov.au
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.