Ransomware payment reporting scheme comes into effect today. Companies required to disclose payment of ransoms.
May 30, 2025
Today Part 3 of the Cyber Security Act 2024, which sets out the mandatory ransomware and cyber extortion reporting regime, commences. All reporting business entities are required to disclose ransomware and cyber extortion payments using the form on ASD’s webpage found on cyber.gov.au. It has been reported by the AFR, which describes how organisations, primarily companies, covered by the Privacy Act 1988 are required to disclose ransom payments resulting from a data breach. The payment itself is not an offence. It is also reviewed in Cyber Daily’s article Pay up: Understanding Australia’s new ransomware reporting requirements.
The Home Affairs Department has set up a comprehensive site explaining the operation of the Cyber Security Act. That includes the ransom payment reporting regime. Companies would do well to seek professional advice about how the regime operates.
The AFR has an interesting piece on it which provides:
Cybersecurity lawyers and incident responders say company boards will face fresh pressure from Friday, when new laws come into force that will compel the disclosure of ransom payments to cybercriminals.
The rules mean any organisation that has an annual turnover of $3 million or more, or is responsible for critical infrastructure, must report a ransom payment via an online portal to Home Affairs and the Australian Signals Directorate, within three days.
Home Affairs Minister Tony Burke has previously said the government would like to outlaw ransom payments, as they fund the organisations that carry out attacks, but that Australia and its allies do not currently know enough about the full extent of ransomware to introduce a ban, or combat it properly.
While ransom payments are officially frowned upon, anecdotal evidence suggests they are regularly paid when companies fear lengthy outages or the leak of customers’ data poses an existential threat.
“The new ransomware payment reporting scheme is a welcome step toward transparency, but it won’t prevent payments,” said Darren Hopkins, a partner at McGrathNicol, who regularly advises companies on preparation for cyber incidents, and helps them deal with the aftermath.
“In both real incidents and simulations, many boards choose to engage with threat actors to confirm what data has been taken, delay its release, or assess the credibility of a threat.
“The legislation will sharpen the decision-making process, but if paying is the only way to prevent serious harm or disruption to business, many organisations will still take that path.”
The government says the purpose of collecting ransom details is to help it build a more informed and up-to-date picture of the threat landscape, and provide tailored advice to help disrupt the ransomware business model.
If firms are caught failing to disclose a ransom, they can be fined up to $19,800. While the amount would be small for large companies, the brand damage could be significant.
“The cost of paying a ransom goes far beyond the financial. Companies must weigh an average ransom demand of around $2 million against the toll on staff, loss of customer trust, and long-term reputational damage,” said Honi Rosenwax, crisis communications specialist at Arize Communications.
“In my experience, the worst time to make high-stakes decisions is during a crisis. These scenarios need to be planned for and simulated at the board level well before a breach occurs.”
The new rules are part of changes that came in under the Cyber Act last year. They included so-called safe harbour protections that let businesses share private details with the government’s cybersecurity agencies to help fight back in the immediate aftermath of a hack, without the information being used against them in future investigations and damages claims.
High-profile data breaches at organisations including Optus, Medibank, HWL Ebsworth and Latitude Financial have increased scrutiny of cybersecurity within companies.
The corporate regulator has said it is investigating how directors have prepared for and responded to cyberattacks, with potential legal action mooted against those deemed to have neglected their responsibilities.
Partner in MinterEllison’s national cyber practice Shannon Sedgwick said his experience working with companies suggested the scale of ransom payments in Australia was underestimated.
“A ransom payment is often viewed by industry and the public as an abject failure in an organisation’s cybersecurity measures, so the obligation to report will encourage organisations to assess their cybersecurity posture,” Sedgwick said.
“These reporting obligations will also likely act as a deterrent to threat actors, as organisations often pay to avoid having to disclose they were breached.”
The Cyberdaily provides:
New ransomware reporting rules come into effect on 30 May as part of Australia’s Cyber Security Act, requiring organisations with an annual turnover of $3 million or entities responsible for critical infrastructure to report paying a ransom to the Australian Signals Directorate within 72 hours of making the payment.
The aim of this new reporting regime is to help the government build a picture of the ransomware landscape and understand how cyber crime is impacting Australian businesses.
But how exactly will this impact Australian organisations and IT leaders?
“Australia’s new ransomware reporting obligations represent a major step toward transparency and accountability in cyber crime response,” Aaron Bugal, field CISO APJ at Sophos, told Cyber Daily.
“Being required to disclose any ransomware payments will force a need for a review of and an update to policies, incident response plans and ensuring board-level awareness. While this adds a layer of compliance, it also encourages better cyber hygiene and may reduce the likelihood of a ransom payment as an easy way out after an attack.
“With this additional insight, government and industry get clearer telemetry into ransomware trends, enabling more informed policymaking and improved threat response.”
While the new requirements will certainly lead to a shift in how businesses respond to and plan for ransomware attacks, it may also have an impact on hackers behind the scenes.
“Will this force cyber criminals to shift to a different form of extortion? Maybe, but at least it’s going to be a watershed moment of change where it finally looks like the battle against ransomware is progressing toward an end game,” Bugal said.
Civil penalties will apply to entities that fail to report ransom payments within the required period, but according to Bugal, there is still more that the government can do.
“Without hesitation, Australia should be standing behind the UK’s model of completely banning ransomware payments. Paying ransoms only fuels cyber criminal networks, encourages more attacks, and increases the likelihood of repeat targeting through double or triple extortion,” Bugal said.
“There’s no guarantee that paying a ransom will recover data or prevent its release. In fact, it often leads to more harm. There are plenty of examples of ransomware groups double or even triple dipping into the pockets of businesses that they consider ‘easy targets’.
“We must move away from reactive payments and toward proactive resilience. Australia has the capability, through strong cyber security frameworks, expert practitioners, and regulatory support, to prepare and protect organisations without resorting to funding criminals.”
For Bugal, a complete ban is a comprehensive answer to the ransomware challenge.
“There is no honour among thieves, and a complete ban sends a clear message Australia will not negotiate with cyber criminals,” Bugal said.