Businesses with annual turnover above $3 million must now report ransom payments within 72 hours or face civil penalties
https://www.legislation.gov.au/F2025L00278/asmade/text
Australia has officially launched its mandatory ransomware payment disclosure requirements, marking a significant milestone in the country’s cybersecurity regulatory landscape. The new rules, which took effect on May 30, 2025, under the Cyber Security Act 2024, represent one of the world’s most comprehensive approaches to tracking and deterring ransomware payments.
The legislation requires any business with an annual turnover exceeding AUS $3 million ($1.92 million) to report ransomware payments within 72 hours to the Australian Signals Directorate (ASD) and the Department of Home Affairs. The disclosure obligations also extend to entities responsible for critical infrastructure assets, regardless of their annual turnover. Organisations that fail to meet the 72-hour reporting deadline face potential civil penalties and reputational consequences.
Under the new framework, affected entities must disclose both actual ransomware payments and communications with cybercriminals, providing authorities with unprecedented visibility into the scope and scale of extortion activities targeting Australian businesses. The reporting requirements address a significant threat, as ransomware accounted for approximately 11 percent of cyber incidents reported to the ASD in 2023-2024.
The legislation aims to enhance national threat assessment capabilities while potentially discouraging organisations from capitulating to cybercriminal demands. By mandating transparency around ransom payments, Australian authorities seek to build comprehensive intelligence on ransomware operations and their financial impact on the economy.