As of last Friday, 30 May, Australian businesses that meet certain criteria are now legally required to report any ransomware payments to the federal government. This requirement is part of the new Cyber Security Act, the country’s first dedicated cybersecurity law.

At Secure ISS, we believe this is a timely and necessary step. Ransomware is not just a tech problem. It is a business resilience issue. Here’s what you need to know.

Why These Laws Matter

Ransomware remains one of the most disruptive threats facing Australian organisations. In 2023–24, the Australian Signals Directorate responded to 121 ransomware incidents, and the real number is likely far higher because of underreporting. With most attacks demanding payment in cryptocurrency, or the handover of sensitive data, the new legislation aims to:

  • Expose the true scale of ransomware activity in Australia
  • Encourage stronger incident preparedness
  • Disrupt the financial incentives that fund cybercriminals

This shift puts the onus on businesses to be transparent and ready.

Who Has to Report?

Organisations must report if they:

  • Have annual turnover above $3 million
  • Operate or manage critical infrastructure assets
  • Are targeted with payment demands (in money, crypto, data, or services)

This captures large businesses while exempting over 90% of smaller entities for now.

What You Need to Report and When

If your business pays a ransom, you must report within 72 hours:

  • When the incident occurred
  • When it was discovered
  • How it impacted your systems or operations
  • Details of the demand, including currency or services
  • Any communication with the threat actor

You can submit reports via cyber.gov.au. For support, call the Australian Cybersecurity Hotline on 1300 CYBER1.

What Happens If You Don’t Report?

Failure to report can result in fines of up to $19,800. However, the government has committed to a six-month education-first period, running from 30 May 2025 to 31 December 2025, during which the focus will be on guidance and warnings rather than penalties. From 1 January 2026, a stricter compliance and enforcement approach will apply, and fines will be issued for non-compliance.

What About Your Privacy?

Reports are confidential. Information may be shared between government agencies for threat intelligence and response, but it is generally not made public or used in court proceedings, except in exceptional circumstances such as a Royal Commission.

What Your Business Should Do Now

  1. Update your incident response plan to include reporting procedures
  2. Nominate a responsible contact for rapid reporting if required
  3. Review your insurance and legal exposure
  4. Consider a readiness review with a trusted cybersecurity provider

If your organisation meets the reporting criteria, be proactive. Early preparation can make all the difference when you are under pressure.

More Than Compliance: Building Real Cyber Resilience

While reporting is now mandatory, we urge clients not to treat this as a tick-box exercise. What you do today, how you prepare for tomorrow, and the systems you build for the future all matter.

Reporting is just one part of a broader strategy for cyber resilience. Real protection comes from ongoing visibility, preparedness, and the ability to respond effectively when it counts.

At Secure ISS, we recommend:

  • 24/7/365 threat monitoring, detection and response through our 100% Australian-based Security Operations Centre
  • Regular incident response testing so teams know what to do under pressure
  • Board-level awareness to align cyber risk with enterprise risk
  • Proactive monthly governance reviews with IT teams to assess threat posture, response and management

With our Security Operations Centre based entirely in Australia, your data stays onshore. Your organisation is protected by security specialists who understand our laws, our ethics and our culture. That matters when decisions need to be made quickly and confidently.

We support schools, hospitals, infrastructure providers, growing businesses and service organisations across the country to build stronger, more resilient defences.

If your organisation is subject to these new ransomware reporting requirements, now is the time to act. We are here to help.