Ransomware Reporting in Australia: What Businesses Must Do Under the New Law (with Free Reporting Template)

April 2, 2025


Starting 30 May 2025, Australian businesses will be legally required to report any ransomware payments under new federal legislation. If your business makes a payment — either directly or through a third party such as an insurer or incident response provider — you must notify the Australian Signals Directorate (ASD) within 72 hours.

With strict timeframes and potential penalties for non-compliance, businesses face not only the threat of cyberattack but also the legal risk of unintentionally breaching federal law. To help you prepare, we’ve created a practical guide and a free reporting template aligned with the Cyber Security (Ransomware Payment Reporting) Rules 2025.

Why Do I Need to Report a Ransomware Payment?

Ransomware attacks are becoming more sophisticated, more frequent, and more targeted in Australia. For many businesses, the result is not just a temporary disruption, but a complete shutdown of operations, significant financial loss, loss of client trust, and permanent data loss.

Recognising the scale of the threat, the Australian Government has introduced the Cyber Security Act 2024, whose ransomware payment reporting rules come into effect on 30 May 2025. These rules make it mandatory for eligible businesses to report any ransomware payment made — whether directly or through a third party — to the Australian Signals Directorate (ASD) within 72 hours.

The aim of the legislation is fourfold:

  • Increase national visibility of ransomware activity to better understand the threat landscape
  • Support law enforcement with intelligence on criminal operations
  • Coordinate government response and assistance for impacted industries
  • Deter ransomware actors by creating legal and procedural barriers to anonymous ransom payments

For business owners, these new rules introduce an added layer of responsibility. While penalties for non-compliance do exist, the reporting requirement ultimately serves to benefit businesses by contributing to a more coordinated national response to ransomware threats.

However, meeting this obligation requires more than awareness — it demands a clear internal process. Whether a ransom payment is made directly or through a third party, your business remains accountable for ensuring that the incident is reported within the required 72-hour window.

To comply effectively, businesses must have response plans, roles, and procedures in place before an incident occurs. Early preparation will reduce risk, improve coordination, and help your business meet its legal responsibilities while contributing to broader cybersecurity efforts.

Who Has to Report a Ransomware Payment in Australia?

You don’t need to be a major enterprise or a critical infrastructure provider to fall under the new rules. The reporting obligation applies to any Australian business with an annual turnover of $3 million or more.

This includes a wide range of industries — from legal and healthcare providers to financial services firms, educational institutions, and recruitment agencies.

You must report a ransomware payment if:

  • Your annual turnover is $3 million or more
  • A payment is made in response to a ransomware or extortion demand
  • The payment is made directly by your business or on your behalf by a third party (e.g. an insurer, incident response provider, or broker)

Importantly, the responsibility to report remains with your business, even if the actual payment is executed by someone else. This is where many businesses are at risk of misunderstanding their obligations — and unintentionally breaching federal law.

Misunderstandings That Could Lead to Non-Compliance

“Do I Need to Report a Ransomware Attack if I’m Not in Critical Infrastructure?”

Yes. The rules apply to any business over the $3 million turnover threshold, regardless of industry. Whether you’re in professional services, education, retail, or any other sector — if you pay a ransom, you must report it. There’s no exemption based on business type.

“If My Cyber Insurer Pays the Ransom, Do I Still Need to Report It?”

Absolutely. Even if an insurer or third party pays the ransom on your behalf, your business is still legally responsible for reporting the payment to the ASD. Legal liability for reporting cannot be outsourced. Relying on your insurer to “handle it” could leave you non-compliant.

“We’ve Never Had a Ransomware Attack — So Why Prepare Now?”

Ransomware doesn’t just target big corporations. Small and mid-sized Australian businesses are increasingly in the crosshairs due to their valuable data and often weaker defences. Waiting until after an incident occurs to understand your obligations could result in missed deadlines and financial penalties. Preparation is key.

Preparing Your Business: The Ransomware Reporting Toolkit

To comply with the new rules, your business should proactively establish a ransomware reporting process. This should be part of your broader cyber incident response plan.

Key components include:

1. A Documented Incident Response Plan

Ensure your team knows who is responsible for each stage of incident response — from detection and escalation to reporting and recovery.

2. Real-Time Logging and Evidence Collection

Your systems should be capable of capturing attack data in real time, including user activity, affected assets, and security alerts.

3. Secure Communication Handling

Retain all interactions with the attacker, such as ransom notes or negotiation threads, in a secure and auditable format.

4. Pre-Built Reporting Templates

Having a ready-to-use ransomware payment reporting template will save critical time and ensure consistency across responses.

Free Download: Ransomware Payment Reporting Template

To help your business meet the new reporting requirements under the Cyber Security Act 2024, we’ve created a free, downloadable Ransomware Payment Reporting Template for Australian Businesses.

This practical resource is designed to help you collect and document all the key information required for reporting a ransomware payment to the Australian Signals Directorate (ASD). It ensures your submission is clear, complete, and compliant.

The template includes sections for:

  • Organisation and contact details
  • Incident timeline and impact summary
  • Vulnerabilities exploited during the attack
  • Ransom demand and payment specifics
  • Communications with attackers
  • Internal response actions and evidence tracking

Download your free ransomware reporting template to ensure your business is prepared ahead of the 30 May 2025 compliance deadline.

Protecting Your Business from Ransomware Threats

At Superior IT, we specialise in helping Australian businesses strengthen their cyber defences and meet their obligations under the Cyber Security Act 2024. With ransomware attacks on the rise, it's never been more important to have systems in place to detect threats early, respond effectively, and stay compliant with new federal reporting laws.

Whether you need help building an incident response plan, implementing proactive security measures, or understanding your reporting obligations, our team is here to support you.

Need Help Getting Compliant?

At Superior IT, we specialise in helping Australian businesses protect against ransomware and meet their compliance obligations under the Cyber Security Act 2024.

Call Us: 1300 93 77 49

Email: info@superiorit.com.au

Explore DefenderSuite: https://www.superiorit.com.au/defendersuite-au
