New Australian Law Requires Businesses to Report Ransom Payments

Australia Ransomware

Australia has introduced new rules that require large businesses to report when they pay ransoms to cybercriminals. Under the Cyber Security Bill 2024, companies generating more than AUD $3 million in annual revenue must notify the Australian Signals Directorate (ASD) within 72 hours of making a ransomware payment. This regulation officially came into effect on May 30, 2025.

While paying a ransom is not illegal in Australia, authorities strongly discourage it. The ASD noted just 121 ransomware-related investigations in its last annual report—suggesting a major underreporting problem. The new legislation aims to change that.

Details and Compliance Guidelines for Businesses

The reporting obligation includes several data points. Companies must provide their Australian Business Number (ABN), the attack date, the nature of the breach (data theft or encryption), vulnerabilities exploited, total financial impact, and the ransom amount paid—including currency.

The Department of Home Affairs offers a six-month grace period for compliance, during which enforcement focuses on serious violations only. However, from 2026, non-compliant firms will face penalties of up to 60 penalty units (currently AUD $19,800). This fine is expected to increase over time.

Broader Impact on National Cybersecurity Strategy

This reporting requirement affects fewer than 7% of Australian businesses—those considered the most at-risk due to their size and customer data volumes. Authorities believe data gathered through mandatory disclosure will help identify ransomware trends and guide future legislation.

Australia’s move mirrors international efforts. In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) is drafting similar rules, expected by October 2025. The UK is also reviewing proposals, including bans on public-sector ransom payments and a government approval system for private-sector ransom negotiations.

By improving visibility into ransomware incidents, Australia is setting a new precedent in proactive cyber defense policy.
