April 2, 2025
Why Do I Need to Report a Ransomware Payment?
Who Has to Report a Ransomware Payment in Australia?
Misunderstandings That Could Lead to Non-Compliance
Preparing Your Business: The Ransomware Reporting Toolkit
Free Download: Ransomware Payment Reporting Template
Starting 30 May 2025, Australian businesses will be legally required to report any ransomware payments under new federal legislation. If your business makes a payment — either directly or through a third party such as an insurer or incident response provider — you must notify the Australian Signals Directorate (ASD) within 72 hours.
With strict timeframes and potential penalties for non-compliance, businesses face not only the threat of cyberattack but also the legal risk of unintentionally breaching federal law. To help you prepare, we’ve created a practical guide and a free reporting template aligned with the Cyber Security (Ransomware Payment Reporting) Rules 2025.
Ransomware attacks are becoming more sophisticated, more frequent, and more targeted in Australia. For many businesses, the result is not just a temporary disruption, but a complete shutdown of operations, significant financial loss, loss of client trust, and permanent data loss.
Recognising the scale of the threat, the Australian Government has introduced the Cyber Security Act 2024, which comes into effect from 30 May 2025. These rules make it mandatory for eligible businesses to report any ransomware payment made — whether directly or through a third party — to the Australian Signals Directorate (ASD) within 72 hours.
The aim of the legislation is fourfold:
For business owners, these new rules introduce an added layer of responsibility. While penalties for non-compliance do exist, the reporting requirement ultimately serves to benefit businesses by contributing to a more coordinated national response to ransomware threats.
However, meeting this obligation requires more than awareness — it demands a clear internal process. Whether a ransom payment is made directly or through a third party, your business remains accountable for ensuring that the incident is reported within the required 72-hour window.
To comply effectively, businesses must have response plans, roles, and procedures in place before an incident occurs. Early preparation will reduce risk, improve coordination, and help your business meet its legal responsibilities while contributing to broader cybersecurity efforts.
You don’t need to be a major enterprise or a critical infrastructure provider to fall under the new rules. The reporting obligation applies to any Australian business with an annual turnover of $3 million or more.
This includes a wide range of industries — from legal and healthcare providers to financial services firms, educational institutions, and recruitment agencies.
You must report a ransomware payment if:
Importantly, the responsibility to report remains with your business, even if the actual payment is executed by someone else. This is where many businesses are at risk of misunderstanding their obligations — and unintentionally breaching federal law. We explore the business impact of Australia’s new ransomware reporting rules in more detail in our LinkedIn article.
The rules apply to any business over the $3 million turnover threshold, regardless of industry. Whether you’re in professional services, education, retail, or any other sector — if you pay a ransom, you must report it. There’s no exemption based on business type.
Even if an insurer or third party pays the ransom on your behalf, your business is still legally responsible for reporting the payment to the ASD. Legal liability for reporting cannot be outsourced. Relying on your insurer to “handle it” could leave you non-compliant.
Ransomware doesn’t just target big corporations. Small and mid-sized Australian businesses are increasingly in the crosshairs due to their valuable data and often weaker defences. Waiting until after an incident occurs to understand your obligations could result in missed deadlines and financial penalties. Preparation is key.
To comply with the new rules, your business should proactively establish a ransomware reporting process. This should be part of your broader cyber incident response plan.
Key components include:
Ensure your team knows who is responsible for each stage of incident response — from detection and escalation to reporting and recovery.
Your systems should be capable of capturing attack data in real time, including user activity, affected assets, and security alerts.
Retain all interactions with the attacker, such as ransom notes or negotiation threads, in a secure and auditable format.
Having a ready-to-use ransomware payment reporting template will save critical time and ensure consistency across responses.
To help your business meet the new reporting requirements, we’ve created a free, downloadable Ransomware Payment Reporting Template for Australian Businesses.
This practical resource is designed to help you collect and document all the key information required for reporting a ransomware payment to the Australian Signals Directorate (ASD). It ensures your submission is clear, complete, and compliant.
The template includes sections for:
At Superior IT, we specialise in helping Australian businesses strengthen their cyber defences and meet their obligations under the Cyber Security Act 2024. With ransomware attacks on the rise, it's never been more important to have systems in place to detect threats early, respond effectively, and stay compliant with new federal reporting laws.
Whether you need help building an incident response plan, implementing proactive security measures, or understanding your reporting obligations, our team is here to support you.
At Superior IT, we specialise in helping Australian businesses protect against ransomware and meet their compliance obligations under the Cyber Security Act 2024.
Call Us: 1300 93 77 49
Email: info@superiorit.com.au
Explore DefenderSuite: https://www.superiorit.com.au/defendersuite-au