Guide · Cybersecurity Governance

Ransomware payment reporting: the $3 million question every Australian board now faces

Australia’s Cyber Security Act 2024 makes ransomware payment reporting mandatory for businesses over $3 million turnover. The education-first grace period ended on 1 January 2026. Most mid-market companies are now caught, and most have not wired the obligation into their incident plan.

Published 2 July 2026

What changed, and why it catches you

Australia’s first standalone Cyber Security Act passed in November 2024, and its ransomware payment reporting rules commenced on 30 May 2025[1]. The obligation is broad by design. Any entity carrying on business in Australia with annual turnover of $3 million or more must report, as must every critical infrastructure entity regardless of size. That $3 million threshold is what pulls most of the mid-market in.

The trigger is making a ransomware payment, or becoming aware that one was made on your behalf, for instance by your insurer or a negotiator. The deadline is 72 hours, and the report goes to the Australian Signals Directorate through cyber.gov.au[1]. A payment includes money or any other benefit, so handing over data or services counts too.

The fine is not the point

Non-compliance carries a civil penalty of around $20,000, which for most affected businesses is not the exposure that should worry the board[2]. The real risk is operational. The 72-hour reporting step has to be built into the incident response plan now, because a ransomware event is the worst possible moment to discover the obligation exists. An education-first phase gave organisations until 31 December 2025 to get ready. Since 1 January 2026, the regulator is actively enforcing[2].

Five clocks, one incident

The reporting obligation does not replace anything. It stacks on top. A single serious incident at a regulated, listed company can start five separate clocks running at once: ransomware payment reporting to ASD, notifiable data breach assessment and notification to the OAIC, critical-infrastructure reporting under the SOCI Act, material-incident notification under APRA CPS 234, and continuous disclosure and directors’ duties obligations to the market. Each has its own deadline and its own recipient.

This is exactly the sort of tangle that comes apart under pressure. The value of mapping it in advance is that no one is trying to reverse-engineer five regulatory obligations while the systems are still down.

Paying can be a crime

Paying a ransom is not, in itself, illegal in Australia, but it becomes a criminal offence if the recipient is a sanctioned person or entity, carrying up to 10 years imprisonment[5]. This is not theoretical: Australia sanctioned the Medibank hacker Aleksandr Ermakov in January 2024, which made any dealing with him, including a ransom payment, an offence. The practical implication is that a board needs a payment stance and a sanctions-screening step decided in advance, not improvised at two in the morning during an active extortion.

What the board should have ready

The threat is getting worse, not better. ASD calls ransomware the most disruptive cybercrime threat and assesses that AI is helping attackers move faster and appear more convincing[3]. And the mid-market is quietly paying: a 2025 survey found 64% of attacked firms paid, at an average of about A$711,000, with the large majority of victims being small and medium-sized businesses[4].

  • A named decision-maker for whether to pay, with a nominated backup
  • A sanctions-screening step before any payment is even considered
  • The 72-hour ASD reporting step written into the incident response plan, alongside the OAIC, SOCI, APRA, and disclosure obligations that may run in parallel
  • A tested position on who speaks to the regulator, the insurer, and affected customers
  • A date on the calendar for when this was last rehearsed as a live scenario

The grace period is over. If your incident response plan does not name who makes the payment call, who screens for sanctions, and who files the 72-hour report, that work is now overdue, not optional.

Research sources


  1. Australian Government. (2025). Cyber Security (Ransomware Payment Reporting) Rules 2025.
     Commenced 30 May 2025. Entities carrying on business in Australia with annual turnover of $3 million or more, plus critical infrastructure entities, must report a ransomware payment within 72 hours of making it or becoming aware one was made on their behalf.
  2. Department of Home Affairs. (2025). Ransomware payment reporting factsheet.
     An education-first phase ran to 31 December 2025, with active compliance and enforcement from 1 January 2026. Reports are made to ASD via cyber.gov.au. Non-compliance carries a civil penalty.
  3. Australian Signals Directorate. (2025). Annual Cyber Threat Report 2024-25.
     ASD calls ransomware the most disruptive cybercrime threat and assesses that AI is enabling attackers to operate at greater scale and speed.
  4. McGrathNicol Advisory. (2025). Ransomware Survey 2025.
     Survey of 800+ decision-makers at businesses with 50 or more staff: 64% of those attacked paid, with an average payment of about A$711,000. 89% of organisations attacked in the past year were small or medium-sized.
  5. Department of Foreign Affairs and Trade. (2024). FAQs: Cyber sanctions and ransomware payments.
     Paying a ransom to a sanctioned person or entity is a criminal offence carrying up to 10 years imprisonment. Australia sanctioned the Medibank hacker Aleksandr Ermakov in January 2024.
