Introduction of Mandatory Ransomware and Cyber Extortion Payment Reporting

  • Insight Article, 01 October 2025
  • Asia Pacific
  • Tech & AI evolution
  • Cyber Risk

October is Cyber Security Awareness Month, so this month we will be exploring some of the important legal changes in this area. First, Australia tightens cyber reporting rules amid rising ransomware threats.

Ransomware is a type of malicious software designed to encrypt or restrict access to an organisation’s systems or data. The objective of this encryption is to coerce the impacted organisation into paying a ransom, typically in cryptocurrency such as Bitcoin, in exchange for a decryption key or to prevent the public release of sensitive information on the dark web.

Ransomware is often accompanied by an additional layer of extortion: data is exfiltrated before encryption, and the attacker then threatens to publish the sensitive data unless paid. This is known as “double extortion”.

The Australian Signals Directorate (ASD), in its 2023-2024 Annual Cyber Threat Report, reported a 9% increase in extortion-related cyber security incidents compared to the previous financial year, with ransomware accounting for approximately 71% of these incidents. 

In response to the growing threat of ransomware, Part 3 of the newly enacted Cyber Security Act 2024 (Cyber Security Act) introduced an additional layer of compliance. Reporting business entities must now notify the ASD within 72 hours of making a ransomware payment or becoming aware that such a payment has been made on their behalf.

When do the obligations come into force?

The mandatory ransomware payment reporting obligation is now live, having commenced on 30 May 2025. However, recognising that regulated entities require some time to familiarise themselves with the new reporting requirements and adapt their internal processes to accommodate the additional reporting regime, the Department of Home Affairs has adopted a phased approach to its implementation strategy:

Phase 1: 30 May - 31 December 2025 (6-month period)

Education-first approach:

  • During this phase, enforcement will be minimal and reserved for egregious non-compliance.
  • The goal is to support regulated entities to become familiar with the reporting process, identify key compliance barriers and understand compliance expectations by actively engaging with businesses and industry groups and providing resources.

Phase 2: 1 January 2026 onwards

Compliance and enforcement approach:

  • The Department of Home Affairs will adopt a more active regulatory posture, with enforcement actions expected to become more routine.
  • More updated guidance materials based on feedback from Phase 1 are expected to be released to support consistent compliance.

As of the date of this article, Australia remains in Phase 1 of the ransomware payment reporting obligation rollout. However, beginning 1 January 2026, the Department of Home Affairs will transition to Phase 2, which marks a shift from education to active regulatory oversight. From this point onwards, businesses will be expected to have fully integrated the ransomware payment reporting obligation into their cyber incident response plans, with clear procedures in place to ensure timely reporting within the required 72-hour timeframe. Entities should also be prepared for increased scrutiny and potential enforcement action in cases of non-compliance.

Is my business in scope?

If either one of the following thresholds is met, your business will be considered a reporting business entity under the Cyber Security Act and is subject to the mandatory ransomware payment reporting obligation:

  • Annual turnover threshold: the business has an annual turnover of $3 million or more within the last financial year; or 
  • Critical infrastructure asset threshold: the business is a “responsible entity” owning critical infrastructure assets to which Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) applies, regardless of the business’ annual turnover.

Importantly, for start-ups or businesses that commenced operations partway through the financial year, the turnover threshold is pro-rated: the applicable threshold is reduced in proportion to the part of the year in which the business operated.

Who is exempt?

The following entities are not subject to the mandatory ransomware payment reporting obligation:

  • Small businesses with an annual turnover below $3 million; and
  • Commonwealth and State government bodies. 

What constitutes payment?

Payment under the legislation is not limited to traditional monetary transactions. The legislation defines payment broadly to include both monetary and non-monetary benefits provided to the party making the extortion demand (“the extorting entity”). This means that even if no money changes hands, your business may still be considered to have made a reportable payment where gifts, goods, services, or anything of value have been offered in exchange for the attacker ceasing their activity.

What do I have to report?

The report must include the following information, where this is known or discoverable through reasonable enquiry:

  • the contact and business details of the reporting entity, including an Australian Business Number (ABN);
  • details of the incident, including its impact on the business;
  • the contact and business details of any third-party entity that made the payment on the reporting entity’s behalf (where relevant);
  • the demand made by the extorting entity, including the value and method of payment; 
  • the ransomware payment including the actual value and method of payment provided;
  • communications with the extorting entity relating to the incident, demand, and payment, including any pre-payment negotiations; and
  • any other additional information relating to the incident that could assist. 

What are the consequences for non-compliance?

Under the Cyber Security Act, reporting business entities that fail to submit a ransomware payment report within the required 72-hour timeframe may face a civil penalty of up to 60 penalty units, which is currently equivalent to $19,800.

Does reporting mean I waive privilege?

A key concern for many businesses in the wake of high-profile breaches and emerging class actions is whether reporting a ransomware or cyber extortion payment to the government could inadvertently waive legal professional privilege (LPP). The Department of Home Affairs has made it clear that reporting to the ASD does not waive privilege. In other words, if the information is privileged, it remains protected, even after being disclosed in a ransomware payment report. 

The purpose of the reporting obligation is to support threat intelligence gathering and enable select government agencies to assist in incident response and coordination. It is not intended to be used against the reporting entity in legal or regulatory proceedings. 

That said, this is a new and untested regime, and businesses should remain cautious. While LPP is preserved in the initial report, entities should consider whether LPP remains protected when information is shared across multiple government agencies, and what additional internal controls may be required to manage any residual risk. 

Can the information I provide be used against me in court?

Reassuringly, information provided in a mandatory ransomware payment report cannot be used against the reporting entity in most legal contexts.

Specifically, s 32 of the Cyber Security Act sets out that information disclosed in a ransomware payment report is not admissible in:

  • Criminal proceedings;
  • Civil proceedings for contraventions of civil penalty provisions;
  • Breaches of any Commonwealth, State and Territory law; or
  • Proceedings before a tribunal of the Commonwealth, any State or Territory.

While these protections are broad, businesses should be aware of limited exceptions where the information may be used against the reporting entity:

  • Criminal proceedings involving false or misleading information or obstruction of Commonwealth officials;
  • Civil proceedings for a contravention of a civil penalty provision in the Cyber Security Act; and 
  • Royal Commissions or coronial inquiries.

Although the legislation provides strong safeguards, the mandatory ransomware payment reporting regime is still in its early stages. As more incidents are reported and tested through regulatory processes and the courts, the practical implications, particularly around LPP, admissibility and enforcement, will become clearer. Businesses should watch this space for further developments, guidance and case law as the framework matures.

Simone Herbert-Lowe acknowledges the significant assistance of Jessica Kim in the writing of this article.
