
Mandatory Ransomware Reporting Starts 30 May: What the Cyber Security Act 2024 Asks Of You

The Cyber Security Act 2024's ransomware and cyber extortion payment reporting obligation commences 30 May 2025. Businesses carrying on business in Australia with turnover above $3 million, plus critical-infrastructure entities, must report ransomware payments to Home Affairs within 72 hours. A practical guide to what the obligation captures, the Phase 1 education-first approach, and the systems work that makes reporting survivable.


This is an IT operator’s perspective on the Cyber Security Act 2024’s ransomware payment reporting obligation, commencing 30 May 2025. It isn’t legal advice or a government-compliance opinion. Whether a particular payment is reportable, who bears the reporting obligation in a given corporate group, and how to word a report to Home Affairs are your legal advisors’ calls. We respond to ransomware incidents and help businesses prepare for the reporting obligation. They sign off on the reporting text.

Twenty-eight days from today, Australian businesses above the AUD 3 million annual-turnover threshold will be legally required to report any ransomware or cyber-extortion payment they make within 72 hours. The same obligation falls on every entity responsible for a critical-infrastructure asset, regardless of turnover. The Cyber Security Act 2024 (the first standalone cyber security statute in Australian federal law) establishes the reporting regime; the commencement date is 30 May 2025. Home Affairs has confirmed that Phase 1, running through to 31 December 2025, will take an education-first posture, with active enforcement beginning 1 January 2026.

“Education-first” does not mean the obligation is optional. It means the regulator will prefer guidance over penalty in ambiguous cases during the first seven months, and reserve penalty action for clearly egregious non-compliance. The obligation itself is live from 30 May. An entity that makes a ransomware payment on 3 June 2025 owes a report to Home Affairs within 72 hours, whether or not it would be the first to test the enforcement posture.

For CCP-sized clients, this is genuinely a new regulatory surface. The AUD 3 million turnover threshold captures almost every firm in our 20-to-250-staff band (we have one or two sub-threshold clients, but not many). The controls that reduce the likelihood of needing to make a ransomware payment are the controls our CSBO baseline already requires. What the Cyber Security Act adds is a regulatory layer on top of the incident response: if a payment happens, there is now a 72-hour clock running alongside everything else.

What does the Cyber Security Act 2024 actually require?

The Act creates a ransomware payment reporting obligation on specified reporting entities. An entity that makes a ransomware payment (to restore access to data, prevent publication, or otherwise respond to a cyber-extortion demand) must report the payment to the Department of Home Affairs within 72 hours of making the payment, or 72 hours of becoming aware that a payment has been made on its behalf (for example, by an insurer or a third-party negotiator).

The report must include specified content: the nature of the cyber-extortion demand, the entity the demand came from (to the extent known), details of the payment, and any other information the rules require. The regime is administered by the Department of Home Affairs rather than ASD or the OAIC. Penalties for non-reporting during Phase 2 (from 1 January 2026) start at 60 penalty units per contravention (currently around AUD 19,800 for 60 units at the present penalty-unit value).

The reporting is not punitive. The Act’s explanatory materials are clear that the purpose is intelligence (understanding the ransomware threat landscape so Home Affairs and the broader cyber-security community can respond to it), not discipline of the reporting entity. In practice, a report lodged responsibly should not create any additional exposure beyond what the entity already has through the incident itself.

Which entities does the reporting obligation capture?

Two categories. Entities responsible for a critical-infrastructure asset under Part 2B of the Security of Critical Infrastructure Act 2018, regardless of size or turnover. And businesses carrying on a business in Australia with annual turnover exceeding AUD 3 million, as measured per the GST Act. The annual-turnover threshold catches the overwhelming majority of mid-market Australian businesses.

For a CCP-sized legal, accounting, construction, health, or mining-services firm, the threshold is almost certainly met. The rarer edge cases are not-for-profits operating below the turnover threshold (many still exceed it once grant income is included) and very small specialist consultancies. For any of our clients, we default to assuming the obligation applies and confirm otherwise only if the turnover picture genuinely doesn't reach it.

Are there any exemptions?

Small businesses under the AUD 3 million threshold are not caught on the turnover limb. Entities that are not themselves carrying on business in Australia are outside scope. Beyond those, the obligation is broad. There is no industry-specific exemption, no exemption for paying via an insurer (the policy-holder still has the reporting obligation), and no exemption for paying via a third-party negotiator. If a payment is made in connection with an Australian-resident entity’s assets or operations, it is almost certainly reportable.

Entities that make a payment on behalf of another entity (insurers, incident-response firms, ransomware negotiators) do not generally bear the primary reporting obligation. The primary reporting obligation sits with the entity the payment was made on behalf of. But a professional adviser should not count on the obligation landing somewhere other than with their client.

What does the 72-hour window actually mean in an incident?

It means that within 72 hours of the payment being made (or the reporting entity becoming aware that a payment has been made on its behalf), a compliant report must have been lodged with Home Affairs. The clock does not start at the beginning of the incident. It starts at the payment moment. For most incidents, that is several days after the incident first hit, depending on whether negotiation has occurred and how the payment mechanics played out.

In practice, the 72-hour window sits on top of other clocks that have already started. The Notifiable Data Breaches clock under the Privacy Act (if personal information has been compromised) runs for 30 days from awareness of the breach circumstances. The cyber-insurance notification clock typically runs 24 to 72 hours depending on policy. The board or executive-notification clock is usually same-day. A ransomware payment in the middle of an incident response is therefore a moment where multiple reporting obligations converge, and pre-preparing templates and response patterns makes the difference between a controlled report and a scramble.
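The converging clocks described above are easy to get wrong under pressure, particularly the rule that the Home Affairs clock starts at the payment (or at awareness of a payment made on the entity's behalf), not at the start of the incident. The following is an added example for a runbook or tabletop exercise, not code from this article or from CCP. It encodes the clock-start rules as the article states them; the insurer notification window is a policy-specific parameter (the article gives 24 to 72 hours depending on policy), the board deadline is assumed to be the end of the UTC day on which the breach became known, and all timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

UTC = timezone.utc


def home_affairs_clock_start(payment_made: Optional[datetime],
                             payment_on_behalf_awareness: Optional[datetime]) -> Optional[datetime]:
    """The 72-hour Home Affairs clock starts when the entity makes the payment
    itself, or, where an insurer or negotiator paid on its behalf, when the
    entity becomes aware of that payment. Before either event there is no clock."""
    if payment_made is not None:
        return payment_made
    return payment_on_behalf_awareness


def compute_deadlines(breach_awareness: datetime,
                      payment_made: Optional[datetime] = None,
                      payment_on_behalf_awareness: Optional[datetime] = None,
                      insurer_notice_hours: int = 48) -> Dict[str, datetime]:
    """Return the absolute deadline for each reporting clock that has started.

    breach_awareness      -- when the entity became aware of the breach circumstances
    payment_made          -- when the entity itself paid (None if it did not)
    payment_on_behalf_awareness -- when it learned a third party paid for it (None if n/a)
    insurer_notice_hours  -- policy-defined window (assumption: measured from awareness)
    """
    if breach_awareness.tzinfo is None:
        raise ValueError("use timezone-aware datetimes to avoid local-time ambiguity")

    deadlines: Dict[str, datetime] = {}
    # Board/executive notification: "usually same-day" (assumed end of that UTC day).
    deadlines["board"] = breach_awareness.replace(hour=23, minute=59, second=59, microsecond=0)
    # Cyber-insurance notification: window set by the policy.
    deadlines["insurer"] = breach_awareness + timedelta(hours=insurer_notice_hours)
    # Notifiable Data Breaches clock: 30 days from awareness, per the article.
    deadlines["ndb"] = breach_awareness + timedelta(days=30)
    # Home Affairs ransomware-payment report: 72 hours from the payment trigger only.
    start = home_affairs_clock_start(payment_made, payment_on_behalf_awareness)
    if start is not None:
        deadlines["home_affairs"] = start + timedelta(hours=72)
    return deadlines


def ordered_deadlines(deadlines: Dict[str, datetime],
                      now: datetime) -> List[Tuple[str, datetime, float]]:
    """[(clock, deadline, hours_remaining)] soonest first; negative means overdue."""
    rows = [(name, dl, round((dl - now).total_seconds() / 3600, 2))
            for name, dl in deadlines.items()]
    return sorted(rows, key=lambda r: r[1])


def demo() -> List[Tuple[str, datetime, float]]:
    """Constructed scenario: breach known 2 June, insurer pays, entity learns of it 5 June."""
    deadlines = compute_deadlines(
        breach_awareness=datetime(2025, 6, 2, 9, 0, tzinfo=UTC),
        payment_made=None,  # the entity did not pay directly
        payment_on_behalf_awareness=datetime(2025, 6, 5, 16, 30, tzinfo=UTC),
        insurer_notice_hours=48,
    )
    return ordered_deadlines(deadlines, now=datetime(2025, 6, 6, 12, 0, tzinfo=UTC))


if __name__ == "__main__":
    for clock, deadline, hours in demo():
        status = "OVERDUE" if hours < 0 else f"{hours:.1f} h remaining"
        print(f"{clock:<13} {deadline.isoformat()}  {status}")
```

In the constructed scenario the board and insurer clocks have already expired by 6 June, the Home Affairs report is due on 8 June at 16:30 UTC (72 hours after the entity learned the insurer had paid, not 72 hours after the breach), and the NDB assessment clock runs to 2 July. Running the same function with `payment_made` set and `payment_on_behalf_awareness` left as `None` shows the direct-payment case; with both `None`, no Home Affairs clock exists yet.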

What information does the report have to contain?

The exact field set is defined in the rules being made under the Act. The structural content is broadly: the identity and contact details of the reporting entity, the nature of the cyber-incident that gave rise to the demand, the details of the demand itself (the threat actor to the extent identifiable, the demand amount, the currency and payment channel), and the details of the payment (amount, date, payment mechanism). Home Affairs has published a draft survey-response form and explanatory document indicating the likely content.

For most reporting entities, the report itself is not technically difficult once the incident-response team has assembled the incident timeline and payment details. What is difficult is having the incident documented to the standard a 72-hour report requires under active incident pressure. Entities that go into an incident with mature documentation discipline produce a clean report. Entities that improvise both their incident response and their reporting struggle on both.

Does the Cyber Security Act change what businesses should do to prevent ransomware?

No. The Act does not create new preventive obligations. It creates a reporting obligation if a payment is made. The preventive posture that reduces the likelihood of needing to pay in the first place sits in the same place it has always sat: the Essential Eight controls, identity and access management, incident-response capability, and well-maintained backups with tested restoration.

The Act does, however, create a secondary governance incentive to harden the preventive posture. A well-prepared entity that can produce clean incident documentation is the entity that will navigate the 72-hour clock smoothly. An entity that is still reconstructing what happened while the clock ticks is the entity that will produce a report Home Affairs has to come back to.

The effect is that the Cyber Security Act, taken together with the strengthened Privacy Act and the continuing evolution of the cyber-insurance underwriting environment, closes a set of grace periods that previously applied. A mid-market business that has been deferring investment in detection, response, and documentation has fewer reasons to continue deferring it in 2025.

What should businesses do in the runway to 30 May 2025?

Four things. Confirm whether the obligation applies (turnover threshold, critical-infrastructure nexus). Identify the officer or executive who will bear operational accountability for reporting if an incident occurs. Update the incident-response plan to incorporate the 72-hour reporting window, including the decision tree for when a payment is made via insurer or negotiator. And run a tabletop exercise against a ransomware scenario that reaches the payment decision, ensuring the reporting step is included in the runbook rather than discovered during a live incident.

Most entities we work with have the preventive controls in reasonable shape. Where they are less prepared is the specific runbook step that says “if a payment is made or imminent, trigger the 72-hour Home Affairs reporting process, contact privacy counsel, and engage the insurer”. That step does not exist in pre-2024 runbooks and needs to be added explicitly.

Does cyber insurance cover the cost of compliance with the reporting obligation?

Most policies we have reviewed through 2024 do not specifically cover compliance costs for the new reporting obligation as a named line item. The advisory and legal costs associated with preparing a 72-hour report are usually covered under the broader incident-response cover within the policy, but the cover is usually capped and is usually consumed by the broader incident before specific reporting-compliance costs arise. Entities relying on their cyber-insurance policy to fund reporting compliance should confirm the position with their broker rather than assume.

What CCP does on Cyber Security Act readiness

We don’t draft Home Affairs reports or opine on whether a particular payment is reportable. We set up the IT environment, the detection and response capability, and the incident documentation discipline that make a 72-hour reporting window survivable, and we are present during active incidents to support the operational response.

For a mid-market client preparing for 30 May 2025, our involvement typically covers three areas. Preventive controls: the Essential Eight baseline, backup posture (including tested recovery from offline or immutable backup, which is the technical answer that most reduces the need to pay), and identity and endpoint hardening. Detection and response: the tooling and discipline that lets an incident be reconstructed accurately under time pressure, including logging retention, EDR coverage, and the process integration that pulls legal, executive, and insurer into the response inside hours rather than days. And the reporting runbook itself: updating the incident-response plan to incorporate the 72-hour Home Affairs window, running a tabletop that exercises it, and ensuring the reporting step is rehearsed before it needs to be executed.

The legal interpretation of whether a payment is reportable, the specific content of the report, and the decision about whether to make a payment at all remain with the client’s legal advisors, executives, and board. Our boundary is explicit. We run the machinery. They run the judgement.

The 30 May 2025 date does not care whether preparation has been completed. Incidents do not schedule themselves around planning calendars. Entities that have done the preparatory work in April and May 2025 are going to navigate the first months of the regime cleanly. Entities that wait until the first incident will navigate both at once.

Primary sources
