Eddie Mahdi

Mandatory Ransomware-Payment Reporting: What Australian Businesses Need to Know

From 2025 onwards, ransomware is no longer just an operational disruption – it has become a regulated reporting event. Australia’s move toward mandatory ransomware-payment reporting is designed to strengthen national cyber-resilience, but it also creates new responsibilities for businesses that many are not yet prepared for.
This guide outlines what is changing, what the legislation requires, and the practical steps organisations should have in place before an incident occurs.

 

What the New Rules Require

Under the Department of Home Affairs framework, certain businesses must notify the government if they make a ransomware or cyber-extortion payment. Reporting is mandatory for:
  • Businesses with Annual Turnover of ≥ A$3 Million
If your business earned at least $3 million in the previous financial year and you make a ransom payment, you must report it. Newly formed businesses may need to perform a pro-rata turnover calculation to determine whether they meet the threshold.
  • Critical Infrastructure Entities

Organisations considered “responsible entities for a critical infrastructure asset” under Part 2B of the Security of Critical Infrastructure Act 2018 must report any ransom payment. This applies to sectors such as energy, water, telecommunications, transport, and other assets formally designated as critical.

If a ransom is paid by a third party, such as an insurer or cyber-response provider, the obligation to report still applies, provided your organisation meets the criteria of a reporting entity.

 

When and what to report

The requirement only applies when a ransom is actually paid. A ransom demand alone does not trigger the obligation.
  • The reporting framework commenced on 30 May 2025. For the remainder of 2025, the Department is prioritising education and will only pursue regulatory action for serious non-compliance. From 1 January 2026 onwards, enforcement becomes more active.
  • Reports must be lodged within 72 hours of payment. This deadline applies regardless of weekends or public holidays.
The obligation applies to ransom or cyber-extortion payments. Incidents that are scams or involve physical extortion are not captured by this reporting requirement and should be reported through other channels (e.g., Scamwatch for consumer scams).

Businesses must provide detailed information, including:

  • how the incident started
  • the systems or data affected
  • the negotiation timeline
  • the amount demanded
  • the amount paid
  • the method of payment
  • the reasoning behind the decision to pay

 

Practical Implications for Your Business

The reporting requirement introduces three operational challenges that businesses should prepare for in advance:
1. A defensible decision-making process
Boards need a clear, structured framework outlining:
  • criteria for considering payment
  • consultation sequence (legal, insurance, executive)
  • impact assessment methodology
  • alternative response options
  • approval authority and escalation path
2. Real-time documentation during an incident
Reconstructing events after the fact is extremely difficult. A well-designed template should capture:
  • timestamps of attacker communications
  • screenshots or copies of messages
  • negotiation history
  • observable attack indicators
  • backup validation outcomes
  • business impact summaries
3. A predefined payment protocol
Even businesses that intend never to pay are still expected to plan for the possibility. This includes:
  • who holds or manages crypto wallets
  • who validates wallet addresses
  • who liaises with negotiators (if used)
  • who authorises the transfer of funds

 

A Practical Next-Step Checklist

In many cases, communication challenges create more disruption than the technical attack itself. Businesses should prepare scripted guidance for employees, executive leadership, customers or partners, insurers, legal counsel, media or public statements, regulators etc.
To prepare effectively, businesses should:
  • Review or update their incident response plan
  • Establish a ransomware decision-making framework
  • Conduct a tabletop exercise in the near term
  • Validate the recoverability of all critical backups
  • Prepare a reporting template in advance
  • Confirm insurance requirements and obligations

 

How Centrix Can Support You

If your business requires assistance in strengthening its preparedness, Centrix can help with:
  • Incident response planning
  • Ransomware decision frameworks
  • Essential Eight uplift
  • Backup and recovery validation
  • Vulnerability scanning
 

Ready to future-proof your business?

We understand that figuring out mandatory ransonware reporting and what it means for your organisation and where to begin can be challenging.

That’s why our team at Centrix is staying close to these developments, helping small businesses and large organisations build awareness and prepare for what’s ahead.

Backed by our extensive knowledge and expertise, Centrix is here to support your organisation with comprehensive solutions, as well as IT Connectivity and Collaboration Service Packages, Cloud IT, Cybersecurity Protection, Managed IT Services , and other IT Solutions.

To learn more, book an IT Health Check or contact us today.

REQUEST YOUR

FREE IT HEALTH & WELLNESS CHECK

Schedule a free consultation with a Centrix expert to ensure your data is safe and secure. No obligation – just peace of mind.

    Leave a Reply

    Your email address will not be published. Required fields are marked *