Ransomware and Cyber Extortion Payment Reporting is Now Mandatory in Australia – What This Means for Your Business
As of 30 May 2025, Australia became the first country in the world to introduce mandatory ransomware payment reporting obligations under the Cyber Security Act 2024 (Cth) (“Act”). Entities covered by the Act include businesses in Australia with an annual turnover for the previous financial year that equals or exceeds $3 million*. Such entities are now required to submit a ransomware and/or cyber extortion payment report within 72 hours of making the payment or becoming aware that such a payment has been made.
The move, led by the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD), aims to improve the government’s visibility and understanding of such cyber threats, and to help enhance overall cyber resilience and incident response within Australia.
*As prescribed by the Cyber Security (Ransomware Payment Reporting) Rules 2025.
Why now?
Cybercrime has become one of the greatest threats to Australian organisations — and ransomware is leading the charge. In its most recent Annual Cyber Threat Report, the ASD confirmed what many IT leaders already know: cybercriminals, including state-sponsored actors, are relentlessly targeting Australian businesses, critical infrastructure, and government services.
In 2024 alone:
- 69% of Australian businesses experienced a ransomware attack, up from 56% in 2023.[1]
- 84% of those affected opted to pay the ransom, often under duress, with the average payment reaching $1.35 million, up from $1.03 million in 2023.[2]
- Australia ranked seventh globally for ransomware attacks, accounting for 2% of global incidents.[3]
In response, Australia has mandated ransomware payment reporting with a view to creating a clearer national picture of how often these attacks are succeeding, what vulnerabilities are being exploited, and what response capabilities exist across industries.
What needs to be reported?
Reporting business entities must make a report via the online reporting form on ASD’s website within 72 hours of making a ransomware or cyber extortion payment, or of becoming aware that such a payment has been made.
Payments of any kind (monetary and non-monetary) must be reported.
The Act provides that reports must include the following basic information, where it is known or able to be known by reasonable search or enquiry*:
- Business and contact details of the entity that made the payment
- Details of the cybersecurity incident (such as when and how it was discovered), including its impact on the reporting business entity (and its customers)
- Any vulnerabilities exploited
- The type of ransomware or malware used
- The demand made by the extorting entity
- Details of the ransomware payment (including the ransom amount and how it was paid)
- Details of communications with the extorting entity relating to the incident, demand and payment
There’s no requirement to report if you receive a demand but don’t pay. But once a payment is made — whether by you or a third party — the clock starts.
*Note: the Cyber Security (Ransomware Payment Reporting) Rules 2025 prescribe the more specific information required in a ransomware payment report.
What’s the bigger message here?
Our view is that this isn’t just a compliance requirement – it’s a signal to leadership teams that cyber security is no longer a background concern or an isolated IT function. It’s a governance issue, a reputation risk, and a legal obligation.
Boards and executives need to ask themselves:
- Do we have a response plan that reflects today’s threat environment?
- Are we confident in our backup and recovery capabilities?
- Could we withstand public scrutiny if a ransom payment had to be reported?
Ransomware response is a trust issue
Public and stakeholder trust depends not just on preventing cyber incidents, but on how organisations respond when they happen. The introduction of mandatory reporting makes that response more visible — and potentially reputationally damaging.
But there may be opportunity in this too.
Organisations that proactively assess their cyber maturity, close known gaps, and build real-world incident response strategies can help to minimise downtime, protect sensitive data, stay compliant and reassure customers and investors.
Where to from here?
The ASD has made it clear: this initial phase is focused on education and awareness. Come 2026, more enforcement action can be expected.[4]
It’s time to shift from reactive to proactive.
Let’s talk cyber resilience
At FUJIFILM IT Services, we work with businesses across Australia to help assess cyber risk, build robust defence strategies, and prepare for compliance with regulatory obligations.
Book a Cyber Security Assessment
Our experts will review your current posture, test your readiness to respond, and help you align with best practices.
Contact us today to get started.
[1] ACN (2024) Australian Cyber Network State of The Industry 2024. Retrieved from: https://stateoftheindustry.auscybernetwork.au/
[2] ACN (2024) Australian Cyber Network State of The Industry 2024. Retrieved from: https://stateoftheindustry.auscybernetwork.au/
[3] Zscaler ThreatLabz (2024) 2024 Ransomware Report. Retrieved from: https://www.zscaler.com/campaign/threatlabz-ransomware-report
[4] Department of Home Affairs (2025) Mandatory ransomware and cyber extortion payment reporting is active from 30 May 2025. Retrieved from: https://www.homeaffairs.gov.au/cyber-security-subsite/files/factsheet-ransomware-payment-reporting.pdf