What changed, and why it catches you
Australia’s first standalone Cyber Security Act passed in November 2024, and its ransomware payment reporting rules commenced on 30 May 2025[1]. The obligation is broad by design. Any entity carrying on business in Australia with annual turnover of $3 million or more must report, as must every critical infrastructure entity regardless of size. That $3 million threshold is what pulls most of the mid-market in.
The trigger is making a ransomware payment, or becoming aware that one was made on your behalf, for instance by your insurer or a negotiator. The deadline is 72 hours, and the report goes to the Australian Signals Directorate through cyber.gov.au[1]. A payment includes money or any other benefit, so handing over data or services counts too.
The fine is not the point
Non-compliance carries a civil penalty of around $20,000, which for most affected businesses is not the exposure that should worry the board[2]. The real risk is operational. The 72-hour reporting step has to be built into the incident response plan now, because a ransomware event is the worst possible moment to discover the obligation exists. An education-first phase gave organisations until 31 December 2025 to get ready. Since 1 January 2026, the regulator is actively enforcing[2].
Five clocks, one incident
The reporting obligation does not replace anything. It stacks on top. A single serious incident at a regulated, listed company can start five separate clocks running at once: ransomware payment reporting to ASD, notifiable data breach assessment and notification to the OAIC, critical-infrastructure reporting under the SOCI Act, material-incident notification under APRA CPS 234, and continuous disclosure and directors’ duties obligations to the market. Each has its own deadline and its own recipient.
This is exactly the sort of tangle that comes apart under pressure. The value of mapping it in advance is that no one is trying to reverse-engineer five regulatory obligations while the systems are still down.
Paying can be a crime
Paying a ransom is not, in itself, illegal in Australia, but it becomes a criminal offence if the recipient is a sanctioned person or entity, carrying up to 10 years' imprisonment[5]. This is not theoretical: Australia sanctioned the Medibank hacker Aleksandr Ermakov in January 2024, which made any dealing with him, including a ransom payment, an offence. The practical implication is that a board needs a payment stance and a sanctions-screening step decided in advance, not improvised at two in the morning during an active extortion.
What the board should have ready
The threat is getting worse, not better. ASD calls ransomware the most disruptive cybercrime threat and assesses that AI is helping attackers move faster and appear more convincing[3]. And the mid-market is quietly paying: a 2025 survey found 64% of attacked firms paid, at an average of about A$711,000, with the large majority of victims being small and medium-sized businesses[4]. Against that backdrop, the board should have the following in place before an incident, not during one:
- A named decision-maker for whether to pay, with a nominated backup
- A sanctions-screening step before any payment is even considered
- The 72-hour ASD reporting step written into the incident response plan, alongside the OAIC, SOCI, APRA, and disclosure obligations that may run in parallel
- A tested position on who speaks to the regulator, the insurer, and affected customers
- A date on the calendar for when this was last rehearsed as a live scenario