
What are my ransomware reporting obligations in Australia?

Technology Law

The Cyber Security Act 2024 (Cth) represents a major shift in how Australia handles ransomware and cyber extortion attacks. From 4 February 2025, most entities have a mandatory legal obligation to report ransomware payments to the Australian Signals Directorate (ASD).

1. When is a Report Required?

A report must be submitted if your business makes a ransomware or cyber extortion payment. This obligation is triggered by the payment itself, not merely the cyber security incident or the attack. The report must be made within 72 hours of the payment being made.

2. Who Must Report?

The obligation applies to “reporting entities” as defined in the scheme. This primarily includes:

  • Systems of National Significance (SoNS): Assets designated by the Minister under the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act).
  • Critical Infrastructure Assets: Entities responsible for critical infrastructure assets under the SOCI Act.
  • Commonwealth Entities: Non-corporate Commonwealth agencies.

3. Reporting via ReportCyber

Reporting is managed through the ReportCyber portal. The report must include the identity and contact details of the entity, the nature of the attack, and specific details about the ransomware payment.

4. Penalties for Failure to Report

Failing to report a ransomware payment within 72 hours is a civil penalty offence. The maximum penalty is 60 penalty units which, as of early 2025, equates to approximately $99,000 for a body corporate or $19,800 for an individual.

Are you facing a ransomware attack? Bell & Senior Lawyers provides legal advice on ransomware and mandatory reporting obligations. Call (07) 5532 8777.
