The Australian Government now requires all companies with a turnover greater than $3 million per annum to report any payments made relating to ransomware or cyber extortion. This requirement is contained within the Cyber Security Act 2024.
If you are the unfortunate victim of a cyber attack and choose to pay a ransom, then you have 72 hours to report this payment.
Whilst the reporting requirement has been in place since 30th May 2025, from 1st January 2026 the Government will switch from an education-based approach to a regulatory approach. This means that penalties may apply if you fail to report a payment.
NOTE: This requirement is in addition to mandatory breach reporting that was introduced in February 2018.
If you have taken sufficient measures to secure the key IT systems in your business, then the likelihood of needing to pay a ransom is significantly reduced.
The Australian Signals Directorate's Essential Eight guidelines are a great starting point to formalise IT security in your business.
You can read more information about your payment reporting obligations under the Act here - https://www.homeaffairs.gov.au/cyber-security-subsite/files/factsheet-ransomware-payment-reporting.pdf
If you need to make a payment report, you can do it here - https://www.homeaffairs.gov.au/cyber-security-subsite/files/how-to-make-a-report-ransomware-payment-reporting.pdf
If you need to make a notifiable data breach report, you can do it here - https://webform.oaic.gov.au/prod?entitytype=DBN&layoutcode=DataBreachWF
Please contact us if you have concerns about your cyber security position so we can work with you to improve security and address your concerns.