Mandatory ransomware reporting in Australia: what SMEs need to know

Australia's Cyber Security Act 2024 requires businesses with annual turnover of AU$3 million or more to report ransomware payments to the Australian Signals Directorate within 72 hours of paying or being aware that payment has been made. The reporting obligation came into force on 30 May 2025, with civil penalties of up to AU$19,800 for non-reporting. Reports go to ASD via the cyber.gov.au portal and include the entity, the cybercriminal demand, and the payment details. The intent is intelligence sharing, not prosecution of victims.

Key facts

  • The Cyber Security Act 2024 received Royal Assent in late November 2024 and the ransomware reporting provisions commenced 30 May 2025.
  • The reporting obligation applies to businesses carrying on a business in Australia with annual turnover of AU$3 million or more, plus all entities responsible for critical infrastructure assets.
  • Reports must be lodged within 72 hours of making a ransomware payment or becoming aware that one has been made.
  • Civil penalty for non-compliance: up to 60 penalty units (~AU$19,800).
  • Reports are made via the Australian Signals Directorate at cyber.gov.au, with limited use protections meaning the report can't be used to prosecute the entity.
  • Paying ransoms is not illegal in Australia, but it does create the reporting obligation.

What does the Cyber Security Act 2024 actually require?

The Cyber Security Act 2024 introduces Australia's first mandatory ransomware payment reporting regime. Where a covered entity makes a ransomware or cyber extortion payment (or where one is made on its behalf), the entity must report the payment to ASD within 72 hours. The report includes the entity's details, the nature of the demand, the type of cybercriminal involved, the amount paid, and how the payment was made.

The Act sits alongside several other obligations introduced by the same legislation: a national Cyber Incident Review Board, mandatory security standards for smart devices, and limited use protections that prevent ASD from sharing reported information with most regulators for enforcement. The intent is to encourage reporting rather than punish it.

Where the entity makes the payment but isn't itself the direct victim (for example, a cyber insurer or incident response firm pays on behalf of the insured), the obligation still falls on the entity that benefited from the payment, not the payer. This catches arrangements where the actual policyholder might otherwise hide behind a third party.

Who has to report and who's exempt?

The reporting obligation applies to two categories. First, businesses carrying on a business in Australia with annual turnover of AU$3 million or more in the previous financial year. Second, entities responsible for critical infrastructure assets under the Security of Critical Infrastructure Act, regardless of turnover.

Most Australian SMEs by count fall under the AU$3 million threshold and are exempt from the reporting obligation. But the exemption is narrower than it sounds. It applies only to ransomware reporting under the Cyber Security Act. Other obligations (Notifiable Data Breaches scheme, Privacy Act, ASIC reporting, banking and financial services rules) apply regardless of turnover and can each create their own reporting triggers.

If your turnover is over AU$3 million, treat the reporting obligation as in scope. If your turnover is close to the threshold, get specific advice rather than guessing, because the way "annual turnover" is defined in the Act includes some related-entity revenue that's easy to miss.

What happens if you don't report?

The civil penalty for failing to report a ransomware payment is up to 60 penalty units, currently AU$19,800. The penalty applies to the entity, not individuals, and is enforced by the Department of Home Affairs.

The penalty is deliberately set lower than the cost of paying a ransom in the first place. The Government's policy logic is that the marginal incentive to report should outweigh the perceived benefit of staying silent. Combined with the limited use protections (ASD cannot share the report with most regulators for enforcement), the legislative design is "report and we won't use this against you" rather than "report or we'll punish you harder."

That said, the reputational and contractual consequences of non-reporting can be material. Customers, insurers, and lenders increasingly require certification that the business is meeting its statutory obligations. Failure to report a ransomware payment can void cyber insurance cover and create disclosure obligations to customers.

What should an SME do before a ransomware incident?

Three things matter, all preventative.

Immutable backups, tested. The single most important defence against ransomware extortion is a backup that the attacker cannot encrypt or delete. We use Proxmox Backup Server with immutability enabled and backup retention policies that survive ransomware actor dwell time of weeks rather than days. The backup is only useful if it's been tested, ideally with a quarterly restore exercise.

Endpoint Detection and Response (EDR) on every endpoint. Modern ransomware operators are inside networks for an average of two to three weeks before they trigger encryption. EDR catches their behavioural signatures (lateral movement, credential dumping, mass file access) much earlier than traditional antivirus. For SMEs, Sophos Intercept X, Microsoft Defender for Endpoint, or SentinelOne are all reasonable choices.

Multi-factor authentication on everything that matters. Email, remote access, admin accounts, financial systems, document repositories. Roughly 80% of the SME ransomware incidents we see in Sydney start with credentialed access (phishing, password reuse, leaked credentials from other breaches). MFA closes most of those entry points.
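The retention-versus-dwell-time point made for immutable backups above, as an added example that is not the page's or Proxmox's own code: a simplified model of PBS-style prune selection (keep-daily/keep-weekly/keep-monthly, with the bucket-counting rule an assumption rather than PBS's implementation) applied to a constructed 60-day snapshot history, checking whether any retained restore point predates an assumed 21-day dwell window.

```python
from datetime import datetime, timedelta

# Constructed sample history: one snapshot per day at 02:00 for the last 60 days,
# measured from a fixed "now" so the result is deterministic.
NOW = datetime(2025, 6, 30, 9, 0)
SNAPSHOTS = [NOW.replace(hour=2, minute=0) - timedelta(days=d) for d in range(60)]

# Assumed dwell window (the page cites two to three weeks before encryption).
DWELL_DAYS = 21

def bucket_key(ts, period):
    """Calendar bucket a snapshot falls into for one keep-<period> option."""
    if period == "daily":
        return ts.date()
    if period == "weekly":
        return ts.isocalendar()[:2]          # (ISO year, ISO week), Monday-based
    if period == "monthly":
        return (ts.year, ts.month)
    raise ValueError(f"unsupported period: {period}")

def prune_keep(snapshots, policy):
    """Simplified model of PBS-style prune selection (an assumption, not PBS's own
    code): for each keep-<period>=N, retain the newest snapshot in each of the N
    most recent buckets that contain one. Returns the set of retained timestamps."""
    keep = set()
    for period, count in policy.items():
        seen = set()
        for ts in sorted(snapshots, reverse=True):
            key = bucket_key(ts, period)
            if key in seen:
                continue                    # bucket already has its newest snapshot
            if len(seen) >= count:
                break                       # this option's quota is used up
            seen.add(key)
            keep.add(ts)
    return keep

def pre_intrusion_restore_point(snapshots, policy, dwell_days=DWELL_DAYS, now=NOW):
    """Newest retained snapshot taken before the assumed dwell window began, i.e. a
    restore point that cannot already carry the intruder's changes; None if the
    retention policy has pruned every such snapshot."""
    cutoff = now - timedelta(days=dwell_days)
    candidates = [ts for ts in prune_keep(snapshots, policy) if ts < cutoff]
    return max(candidates) if candidates else None

if __name__ == "__main__":
    days_policy = {"daily": 7}                                # survives days only
    weeks_policy = {"daily": 7, "weekly": 4, "monthly": 3}    # survives weeks
    print("keep-daily=7 only:", pre_intrusion_restore_point(SNAPSHOTS, days_policy))
    print("daily/weekly/monthly:", pre_intrusion_restore_point(SNAPSHOTS, weeks_policy))
```

With only seven daily snapshots retained, every restore point falls inside the 21-day dwell window and the function returns None; adding weekly and monthly tiers leaves a 31 May snapshot that predates the intrusion.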

What should an SME do during a ransomware incident?

This is when the incident response plan matters. If you don't have one, the first 24 hours of any incident will be chaos and decisions will be made under pressure that you'll regret later.

The decisions that need to have been pre-made before an incident hits include: who has authority to take systems offline, who talks to insurance, who notifies customers, who notifies the OAIC, and (for in-scope entities under the Cyber Security Act) who lodges the ASD report. Pre-decided answers save days at exactly the point you don't have them.

During an actual incident, the basics are: contain the spread (isolate affected systems from the network), preserve evidence (don't reboot ransomware-infected machines until forensics are done), engage your incident response provider and cyber insurer, and start the regulatory clock. The 72-hour reporting clock under the Cyber Security Act starts at payment, but the OAIC notifiable data breach clock can start much earlier if personal information is involved.

Should you pay the ransom?

Government and law enforcement guidance is consistent: don't pay. Paying funds the criminal economy, doesn't guarantee data recovery (failed decryption rates are roughly 30% across reported incidents), and marks the organisation as a willing payer for future targeting.

The decision in practice is harder than the principle suggests. Where the alternative is permanent loss of business-critical data and there's no viable backup, organisations sometimes pay. Where the threat is data publication rather than encryption, organisations sometimes pay to protect customer data. These are genuinely difficult calls, and the right answer depends on the specific situation.

What is universally true: the time to make this decision is not during the incident. Have a pre-agreed position with your board or owner, your insurer, and your incident response provider, so that if a payment decision is required, it's made deliberately rather than under panic.

Frequently asked questions

Is paying ransoms illegal in Australia?

No, paying ransoms is not illegal in Australia. Some jurisdictions (Florida, North Carolina) have legislated against state government entities paying ransoms, but Australia has not gone down that path. What is required, under the Cyber Security Act 2024, is reporting the payment to ASD within 72 hours if the entity has annual turnover of AU$3 million or more, or operates a critical infrastructure asset.

Who do I report a ransomware payment to in Australia?

Reports go to the Australian Signals Directorate via the cyber.gov.au portal. The report covers the entity's details, the nature of the cybercriminal demand, the type of attacker, the amount paid, and how the payment was made. ASD has limited use protections meaning the information cannot be shared with most regulators for enforcement against the reporting entity.

What's the penalty for not reporting a ransomware payment?

The civil penalty for failing to report is up to 60 penalty units, currently around AU$19,800. The penalty is deliberately lower than typical ransom payments to incentivise reporting. Beyond the statutory penalty, non-reporting can void cyber insurance cover, breach customer contractual obligations, and create disclosure problems if the breach is later discovered.

Does my small business have to report ransomware payments?

It depends on your annual turnover and whether you operate critical infrastructure. The reporting obligation applies to businesses with annual turnover of AU$3 million or more, plus all critical infrastructure entities regardless of turnover. Most SMEs by count fall under the threshold, but related-entity revenue can push you over the line in ways that aren't always obvious.

What's the difference between the ransomware reporting obligation and the OAIC data breach scheme?

They're separate obligations with different triggers. The Cyber Security Act 2024 ransomware reporting applies to ransomware payments, with a 72-hour clock starting at payment. The Notifiable Data Breaches scheme under the Privacy Act applies to breaches involving personal information likely to result in serious harm, with a clock starting from awareness of the breach. A single ransomware incident involving personal information typically triggers both obligations.

If you'd like a hand putting an immutable backup architecture in place, building or testing your incident response plan, or working through your reporting obligations under the Cyber Security Act and Privacy Act, we can run a ransomware readiness review tailored to where your SME sits today.

Brett Muscio

About the author

Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity, backup and disaster recovery, immutable backup architecture, incident response planning, and IT advisory, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.
