Mandatory Ransomware-Payment Reporting: What Australian Businesses Need to Know
What the New Rules Require
- Businesses with Annual Turnover of ≥ A$3 Million
- Critical Infrastructure Entities
Organisations considered “responsible entities for a critical infrastructure asset” under Part 2B of the Security of Critical Infrastructure Act 2018 must report any ransom payment. This applies to sectors such as energy, water, telecommunications, transport, and other assets formally designated as critical.
When and what to report
- The reporting framework commenced on 30 May 2025. For the remainder of 2025, the Department is prioritising education and will only pursue regulatory action for serious non-compliance. From 1 January 2026 onwards, enforcement becomes more active.
- Reports must be lodged within 72 hours of payment. This deadline applies regardless of weekends or public holidays.
-
Reporting is submitted through the ASD/ACSC Single Reporting Portal. The portal now includes a dedicated ransomware-payment reporting component.
Businesses must provide detailed information, including:
- how the incident started
- the systems or data affected
- the negotiation timeline
- the amount demanded
- the amount paid
- the method of payment
- the reasoning behind the decision to pay
Practical Implications for Your Business
1. A defensible decision-making process
- criteria for considering payment
- consultation sequence (legal, insurance, executive)
- impact assessment methodology
- alternative response options
- approval authority and escalation path
2. Real-time documentation during an incident
- timestamps of attacker communications
- screenshots or copies of messages
- negotiation history
- observable attack indicators
- backup validation outcomes
- business impact summaries
3. A predefined payment protocol
- who holds or manages crypto wallets
- who validates wallet addresses
- who liaises with negotiators (if used)
- who authorises the transfer of funds
A Practical Next-Step Checklist
- Review or update their incident response plan
- Establish a ransomware decision-making framework
- Conduct a tabletop exercise in the near term
- Validate the recoverability of all critical backups
- Prepare a reporting template in advance
- Confirm insurance requirements and obligations
How Centrix Can Support You
- Incident response planning
- Ransomware decision frameworks
- Essential Eight uplift
- Backup and recovery validation
- Vulnerability scanning
Ready to future-proof your business?
We understand that figuring out mandatory ransonware reporting and what it means for your organisation and where to begin can be challenging.
That’s why our team at Centrix is staying close to these developments, helping small businesses and large organisations build awareness and prepare for what’s ahead.
Backed by our extensive knowledge and expertise, Centrix is here to support your organisation with comprehensive solutions, as well as IT Connectivity and Collaboration Service Packages, Cloud IT, Cybersecurity Protection, Managed IT Services , and other IT Solutions.
To learn more, book an IT Health Check or contact us today.