Australia’s New Ransomware Payment Reporting Rules: What Your Business Needs to Know

To combat the growing threat of ransomware, the Australian Government has introduced the Cyber Security (Ransomware Payment Reporting) Rules 2025, which came into effect on 30 May 2025. These new rules mark a major shift in how Australian businesses are expected to respond to ransomware incidents, with transparency, accountability, and coordination now front and centre.

Who Needs to Report?

The rules apply to:

  • Australian businesses with annual turnover of more than $3 million

  • Entities operating critical infrastructure, as defined under the Security of Critical Infrastructure Act 2018

If your organisation falls into one of these categories and makes a ransomware payment, either directly or through a third party like an insurer or incident response firm, you’re now legally required to report it.

What Must Be Reported?

A report must be submitted using a form on the Australian Signals Directorate (ASD) website within 72 hours of making or becoming aware of the payment. It must include:

  • Business details (including ABN)

  • A summary of the cyber incident (such as when it happened, the malware involved, and the impact)

  • Details of the ransom (amount, payment method, and any communications)

  • Whether the payment was monetary or non-monetary

This requirement is designed to give the government better visibility of the ransomware landscape and help coordinate national response efforts.

What Happens If You Don’t Report?

Failure to report can result in a civil penalty of up to $19,800 (60 penalty units). However, the government has announced an “education-first” enforcement approach until the end of 2025. This gives organisations time to adapt while still holding them accountable for serious breaches.

What’s the Purpose?

Rather than banning ransomware payments outright, the focus is on improving awareness, data sharing, and response coordination. The introduction of the Cyber Incident Review Board will also allow for “no-fault” reviews of major incidents, helping other businesses learn from real-world attacks without victim-blaming.

What Should You Do Now?

  • Review and update your incident response plan to include the new reporting requirements, including the 72-hour reporting window

  • Ensure your legal, risk, and security teams understand their obligations

  • Engage a cybersecurity partner if you're unsure about your current readiness

Need Support?

At Nemean Cyber, we specialise in helping organisations navigate complex cyber threats and stay ahead of regulatory requirements. Whether you're reviewing your policies or preparing your team, we're here to support you.

Get in touch today to make sure your business is compliant and resilient under the new ransomware reporting rules.
