A plain-English guide for Australian businesses to the mandatory ransomware payment reporting rules under the Cyber Security Act 2024, in force since 30 May 2025. Explains who must report (businesses carrying on business in Australia with annual turnover over $3 million, and critical infrastructure entities regardless of turnover), what triggers the duty (making a ransomware or cyber extortion payment, or one made on your behalf by an insurer or incident responder), the 72-hour reporting window to the Australian Signals Directorate, what the report must contain, the civil penalty of up to about $19,800 for failing to report, and the limited-use protections that make reporting safe. Notes that the law does not ban paying and that the ACSC advice, and StartCloud's, is still not to pay.
Ransomware payments must now be reported
Since May 2025, there is a law most Australian business owners have never heard of: if you pay a ransom, you have 72 hours to tell the government. Here is who it applies to, what you have to do, and why it changes how you plan for the worst.
The short version
The Cyber Security Act 2024 makes ransomware payment reporting mandatory. Since 30 May 2025, businesses turning over more than $3 million a year must report any ransomware or extortion payment to the Australian Signals Directorate within 72 hours.
It does not ban paying, and it does not make paying safe. If your insurer or IT firm pays on your behalf, the duty to report still sits with you. Miss the window and the penalty runs to about $19,800.
The practical takeaway: decide how you will handle a ransomware demand before one lands, so the 72-hour clock is not the first time anyone in your business has thought about it.
What the law actually says
Australia's Cyber Security Act 2024 was the country's first standalone cyber security legislation. Tucked inside it is a new obligation that took effect on 30 May 2025: if a covered business makes a ransomware or cyber extortion payment, it must report that payment to the Australian Signals Directorate within 72 hours.
The reasoning is straightforward. For years, the true scale of ransomware in Australia was a guess, because most victims paid quietly and said nothing. Mandatory reporting gives the government real numbers and real intelligence on the groups doing the extorting. It is aimed squarely at the criminals, not at the businesses caught in the middle, which is why the scheme comes with protections for those who report.
There was no soft grace period. The obligation has applied since the day it commenced. If you are covered and you pay, the 72-hour clock is already the law, not a future plan.
Who has to report
Turnover over $3 million
Any business carrying on business in Australia with an annual turnover above $3 million in the last financial year. That is a much wider net than most owners assume, and it catches plenty of firms that do not think of themselves as large.
Critical infrastructure entities
Responsible entities for a critical infrastructure asset are covered regardless of turnover, under the separate Security of Critical Infrastructure Act obligations.
Payments made on your behalf
If your insurer or an incident response firm pays on your behalf, the duty to report still sits with your business. The obligation follows the entity, not whoever actually sends the funds.
One detail worth sitting with: there is no minimum payment amount. A payment of any size, made by a covered business, triggers the obligation to report within 72 hours.
What to do if you pay
The report goes to the Australian Signals Directorate, through the reporting form on the ACSC's website at cyber.gov.au. You have 72 hours from making the payment, or from becoming aware a payment was made on your behalf. During what will already be one of the worst weeks your business has faced, that is not a lot of time, which is the whole argument for having a plan ready in advance.
What the report has to cover
- Your business details, as the entity that made the payment
- The cyber incident and how it affected your business
- The demand the attacker made
- The payment itself, including amount and method
- Any communications you had with the extorting party
Reporting is meant to be safe
A fair worry is that reporting a payment simply hands a regulator the rope to hang you with. The Act tries to head that off with limited-use protections: the information in your report generally cannot be turned around and used against you in civil or regulatory proceedings. It exists so the ACSC can help you and build a national picture, not so another arm of government can punish you for being a victim.
To be clear, none of this is a green light to pay. The strong advice remains: do not. Paying funds the next attack, offers no guarantee of getting your data back, and now carries a reporting duty as well. The reporting scheme is the floor, not the goal.
The best plan is not having to pay
This law is a good prompt to have the conversation now, calmly, rather than at 6am mid-incident. Two things make the biggest difference. The first is not ending up at the ransom demand in the first place, which comes down to the layered defences in our ransomware deep dive: MFA, patching, endpoint protection and email security.
The second is being able to say no when the demand does come, because you can restore instead of pay. That is what tested, isolated backups buy you, which we cover in our business continuity and disaster recovery deep dive. Get those two right and this reporting obligation becomes a box you are very unlikely to ever have to tick.
The takeaway
Mandatory reporting does not change the core advice about ransomware. It sharpens it. Paying was already a bad idea; now it comes with a legal deadline attached, and a threshold that quietly captures a lot of Perth businesses who assume the big-end-of-town rules are not theirs to worry about.
The businesses that never have to think about the 72-hour clock are the ones that put the basics in place and keep them monitored. That is exactly what our managed security service is for. If you are not sure whether your business is even covered, or whether you could recover without paying, that is the conversation to have now.
Common questions
Do I actually have to report if I pay a ransom?
If your business turns over more than $3 million a year, or you run critical infrastructure, then yes. Under the Cyber Security Act 2024 you must report a ransomware or cyber extortion payment to the Australian Signals Directorate within 72 hours of making it. This has been the law since 30 May 2025, and there is no minimum payment amount that lets you off.
Does this mean paying a ransom is now illegal?
No. The law does not ban paying, and it does not make paying legal or safe either. It simply adds a duty to report if you do pay. The advice from the ACSC, and from us, is still not to pay: it does not guarantee your data back, it funds crime, and now it also triggers a reporting obligation on top. This rule is about visibility, not permission.
What if my cyber insurer or IT provider pays on my behalf?
You still have to report. The obligation belongs to your business, not to whoever actually transfers the money. The 72-hour clock starts when you become aware a payment has been made on your behalf, so make sure your insurer and your incident responders know that reporting is your responsibility and coordinate it with you.
My business is under $3 million turnover. Am I exempt?
For now, yes, you sit below this particular threshold. But do not read that as 'this does not concern me'. The threshold captures a lot of businesses that feel small, thresholds like this tend to broaden over time, and every other reason not to pay a ransom still applies to you in full.
Will reporting get my business into trouble?
The scheme is built to make reporting safe. Limited-use protections mean the information in your report generally cannot be used against you in civil or regulatory action. The intent is to encourage victims to come forward and get help from the ACSC, not to punish them for being attacked.
What happens if we do not report in time?
Failing to report a payment within the 72-hour window can attract a civil penalty of up to around $19,800, on top of the reputational damage of a mishandled incident. It is a small number next to the cost of the attack itself, but it is an entirely avoidable one.
This article is general information, not legal advice. For how these obligations apply to your specific business, check the current guidance at cyber.gov.au or speak to a qualified adviser.