Cyber Security Act: key business considerations.

Author: Ray Hong

16/5/25 | Read time: 4 min

Part 2: mandatory ransomware reporting.

The Cyber Security Act became law on 29 November 2024.

In part 2 of our 4 part series, we discuss the key considerations for businesses on mandatory ransomware reporting obligations under the Cyber Security Act.[1]

1.     Key details.

  • Starts on 30 May 2025.
  • Applies to businesses:
    • with turnover greater than $3 million in the previous financial year; or
    • that are responsible for ‘critical infrastructure’ under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth).
  • Creates an obligation on such businesses to report the making of a ransomware payment.
  • Those businesses must report to the Australian Signals Directorate (ASD), within 72 hours of making the ransomware payment (or of becoming aware that it has been made), the information they know or can reasonably find out.
  • The Cyber Security (Ransomware Payment Reporting) Rules 2025 set out the information to be reported (section 7). Notably, the rules specify that a ‘payment’ of non-monetary benefits must also be reported.
  • Failure to report can result in civil penalties up to 60 penalty units (~$20,000 at the current rate).
  • ASD and other agencies may only use and disclose the reported information for certain permitted uses.

2.     What is the intention behind this measure?

The Government explained that mandatory reporting is to provide much needed intelligence to formulate appropriate policy responses to ransomware payments.[2]

However, the measure appears to have a secondary indirect effect of discouraging businesses from making ransomware payments.

The key nuance is that the measure catches ransomware payments, not demands.[3] Mandatory ransomware reporting is only triggered if a ransomware payment is made. If a business does not make the ransomware payment, it is not required to report the ransomware demand, though it may voluntarily do so to obtain assistance, or may be required to by the Cyber Incident Review Board (covered in part 3 of this blog series).

It is unclear if this was intended. The Government considered that ransomware payments fund criminal enterprises, so there is a strong policy argument against paying. However, the sensitivity of compromised data and the potential harm to victims make an outright ban on ransomware payments too broad-brush and problematic.[4] Requiring mandatory reporting may be a softer first step towards shaping business decisions on whether to pay.

3.     To pay or not

Given that mandatory reporting is triggered by ransomware payment, there is now a regulatory overlay to a decision whether to pay.

  • Making a ransomware payment is no longer purely a calculated business decision but one with regulatory reporting obligations and implications.
  • The decision to pay still rests with the business, and the business ‘owns’ the decision. But there is now increased scrutiny from mandatory reporting.
  • While there are restrictions on the use of reported information, they are not a ‘safe harbour’. Reported information can be used in criminal proceedings for providing false or misleading information or for obstructing Commonwealth public officials. Care must therefore still be taken to ensure that reported information is accurate.

Overall, this makes the decision whether to pay weightier and forces affected businesses to think twice before doing so (linking back to the point above about nudging behaviour in response to ransomware demands).

4.     Tricky situations: indirect ransomware payments

Mandatory reporting obligations apply to an entity where a ransomware payment is made indirectly, by the entity or on its behalf, in relation to a ransomware incident.

This is relevant to ransomware payments made within international corporate groups, and to payments made by affected businesses in relation to ransomware incidents on unrelated third parties. Consider the following:

(a)    Australian company is part of an international group.

The group suffers a ransomware attack, disabling its systems or locking up its data, including the Australian company’s. A non-Australian member of the group makes the ransomware payment. The Australian company may be required to report the ransomware payment.

(b)    Australian company buys IT solutions from a supplier.

The supplier may be overseas or may not meet the mandatory reporting turnover threshold. The supplier suffers a ransomware attack which disables the system purchased by the Australian company or locks up the Australian company’s data. The supplier receives a ransomware payment demand. The Australian company pays to ensure business continuity. The Australian company may be required to report the ransomware payment.

These scenarios are entirely possible given the international nature and connectivity of IT supply, systems and networks. Australian businesses should be aware of, and ready to meet, their reporting obligations in these situations of indirect ransomware payments.

5.     ‘Plan for the worst, and prepare to be surprised’[5]

It remains to be seen how this new measure will be applied and enforced. To be prepared in an uncertain environment, the above points show that businesses should focus on:

  • having clear decision-making processes on whether to pay ransomware demands;
  • maintaining communications across corporate groups on whether ransomware payments are made, so that Australian entities do not fall foul of their reporting obligations;
  • maintaining and practising ‘drawer’ plans to meet mandatory reporting obligations if ransomware payments are made.

 

For any assistance with your mandatory ransomware reporting obligations under the Cyber Security Act, contact us today.

 

[1] Read about part 1 of this 4 part series here.
[2] Revised Explanatory Memorandum, Cyber Security Bill 2024, 5.
[3] The option to require mandatory reporting of both ransomware payments and demands was considered but was not selected: ‘Cyber Security Legislation: Mandatory Ransomware Payment Reporting – Cyber Security Bill 2024’ (18 October 2024).
[4] Then Minister for Cyber Security Clare O’Neil discussed these policy considerations in Garman L (host), ‘Becoming the world’s most cyber secure nation, with Cyber Security Minister Clare O’Neil’, Cyber Uncut, Momentum Media, accessed 18 December 2024.
[5] Quote attributed to Denis Waitley.