New scheme mandates reporting of ransom payments linked to cyber attacks for some Australian businesses
Organisations with an annual turnover of $3 million or more will be required to report any ransom payments for cyber extortion, under a new mandatory reporting scheme introduced by the Federal Government.
Under the new rules, which start from May 30, 2025, these businesses must report when they make a ransomware or cyber extortion payment, or if a payment has been made on their behalf, to the Australian Signals Directorate (ASD) within 72 hours of the payment.
"From [May 30], all reporting business entities are required to commence ransomware and cyber extortion reporting using the form on ASD's webpage found on: cyber.gov.au," the Home Affairs Department's factsheet advises.
According to the factsheet, the ransomware report should include the contact and business details of the company that made the payment, including its Australian Business Number.
It should also include the details of the cybersecurity incident, including its impact on the business entity, the demand made by the extorting entity, as well as the amount of the ransomware payment.
"The Cyber Security Act 2024 provides that a civil penalty of 60 penalty units may apply where a reporting business entity fails to make a mandatory ransomware payment or cyber extortion report," the factsheet says.
However, the factsheet noted that the government is taking an education-first approach to the new scheme from May 30, 2025, to December 31, 2025, and that the Home Affairs Department will only pursue regulatory action "in cases of egregious non-compliance."
"The Department will engage with Australian entities, industry groups, peak bodies, and other relevant stakeholders through Town Hall meetings and by providing practical resources, including Frequently Asked Questions (FAQs), factsheets, and user guides for incident reporting," it added.
Regulatory focus will become more active from January 1, 2026, once regulated entities have become acquainted with the mandatory reporting obligation, according to the government.
The government said the new ransomware payment reporting scheme allows authorities to observe which threat actors are most active, as well as the types of entities and businesses they target.
It also lets them know which types of code and malicious software are used, and how much money or productivity is lost as a result of these incidents.
The scheme is part of Australia's first Cyber Security Act, which was passed last year.
Cybersecurity Minister Tony Burke said the legislation is a "key pillar" in protecting the public from cyber threats.
"This package forms a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber landscape," Burke said in a statement last year.
"Close co-operation between government and industry is one of our best defences against malicious cyber activity. In the wake of a cyber security incident, businesses need to know that they can call on government to quickly get the support they need."
The new legislation comes in the wake of massive cyber attacks against Australian firms, such as Optus in 2022.
Australia ranked 13th in SurfShark's list of the countries most affected by data breaches, recording a total of 398,495 compromised accounts in the first quarter of 2025.