Ransomware payment reporting: Australia leads a new era of mandatory regimes

By Hans Allnutt & Heasha Wijesuriya

Published 03 July 2025

Overview

In recent years, governments worldwide have been developing national policies to protect against the scourge of cybercrime, particularly ransomware, through which cyber criminals hold business systems "hostage" and use extortion tactics such as demanding payment for their release. Policy options vary, spanning outright bans on payments, the exclusion of certain payments via sanctions, and simple centralised reporting.

On 30 May 2025, Australia made a significant statement to the international community on the issue of addressing cybercrime by becoming the first country to introduce a mandatory ransomware and cyber extortion payment reporting regime.

The reporting obligation is enforced through Australia's Cyber Security Act 2024, which is administered by the Department of Home Affairs. Reports are to be made either directly (i.e. by the affected entity) or indirectly (e.g. through a law firm) using the reporting form found on the Australian Signals Directorate's (ASD) website.

Reports must be made within 72 hours of making a ransom payment. A civil penalty of 60 penalty units (currently equivalent to AUD $19,800) may apply for non-compliance with the reporting timeframe. How strictly the reporting regime will be enforced, however, remains to be seen.

That said, the Australian Government has flagged that between 30 May 2025 and 31 December 2025 it will take an "education first approach", which will be treated as a type of grace period before a phase 2 enforcement approach takes effect from January 2026.

Who is captured by the regime?

The reporting regime applies to a 'business reporting entity'. This means an entity that is carrying on a business in Australia with an annual turnover for the previous year that meets or exceeds the AUD $3m threshold for that year (approximately GBP £1.4m). Exceptions include Commonwealth or State entities and entities responsible for a critical infrastructure asset.

Purpose of the Australian reporting regime

The information requested in the ransomware reporting form is not too dissimilar to what would be requested by regulators such as the Office of the Australian Information Commissioner (Australia's equivalent of the UK Information Commissioner's Office). However, as expected, the main focus is security rather than personal data. For example, the reporting form will request the following:

  • The impact of the incident on the reporting entity
  • What vulnerabilities in the reporting entity's systems were exploited, and
  • The impact of the incident on the reporting entity's customers

At first glance, businesses may view the new reporting regime as compliance "red tape" to navigate during the immensely stressful 72-hour period following discovery of a ransomware attack. When faced with significant business interruption and other regulatory concerns, it is understandable why businesses could feel that the reporting regime is not commercially minded.

However, legislators will want businesses to consider the bigger picture. As flagged in our article on the UK government's consultation on ransomware, cybercrime is a national-level threat of the highest order, with an impact on a country's critical infrastructure. These policies are intended as part of an assertive step to enhance national security.

For instance, a key outcome hoped for from Australia's reporting regime is a clearer picture of how ransomware attacks on businesses are occurring and of the challenges that certain industries face when falling victim to cyber criminals.

Those charged with countering the threat can only do so if they are aware of what is happening. This intelligence-gathering approach is hoped to place Australia in a stronger position to navigate future ransomware attacks, reduce the funding of cybercrime and improve national security, which should consequently make Australian businesses a harder target for cyber criminals.

The UK Government's ransomware policy

Similarly, the UK is progressing its own policy to reduce the ransomware threat.

The UK Home Office's recent consultation – "Ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting" – presented three proposals:

  1. A targeted ban on ransomware payments for public sector bodies and Critical National Infrastructure (CNI) owners and operators
  2. Implementation of a ransomware payment prevention regime
  3. Institution of a mandatory reporting regime for ransomware incidents

The Home Office is currently considering responses to the consultation, which was open to the public to submit their views. Many welcomed the Government's consultation and positive action against the ransomware threat. Some commentators felt that the proposals did not go far enough, or that the focus on CNI failed to appropriately address the impact on more typical organisations, such as SMEs.

The proposals on banning payments in CNI have also been criticised for crediting criminals with more deliberate victim selection than is realistic, rather than recognising factors such as espionage, political disruption and, perhaps the most significant of all, simple opportunism.

Australia may therefore have taken the most effective first step, mandatory reporting rather than a ban, an approach that is also broadly consistent with the UK Joint Committee on the National Security Strategy's report on ransomware. A key point of difference is that the UK Joint Committee suggested a much more manageable three-month reporting period rather than a tight 72-hour timeframe.

In any event, it now remains a waiting game to see how the UK Home Office responds to the feedback received on its ransomware consultation and what, if any, proposals will take legal effect.

The UK business impact of Australia's reporting regime

Although there have been no new UK legislative changes on ransomware, UK businesses may nonetheless have increased obligations to be mindful of.

Key considerations for UK businesses created by Australia's reporting regime are outlined below:

  • If an Australian subsidiary of a UK parent company were impacted, either directly or indirectly, by a cyber incident suffered by its UK parent company, and a ransom payment is made with the subsidiary's knowledge:
    • It would be prudent to proceed on the basis that the Australian subsidiary would be required to report any ransom payment, made either by itself or by another entity on the Australian subsidiary's behalf, within 72 hours of payment, and
    • If the UK parent company was itself directly "carrying on business in Australia", then it would be prudent to proceed on the basis that the UK parent company itself would be required to report any ransom payment within 72 hours of payment
  • The reporting obligation does not appear to be affected by whether a cyber incident originated outside Australia or whether it impacts non-Australian entities
  • It is important for organisations to keep detailed records of any communications with cyber criminals, including any pre-payment negotiations, as the ASD and the Australian Cyber Security Centre will likely request this information when investigating the reported ransom payment

Summary

Given that the Australian ransomware reporting regime has only just become active, there is limited guidance on the extent to which it may be applied extra-territorially.

In the interim, businesses and governments around the world will be keeping a watchful eye on how this development affects the Australian operations of cyber criminals and how Australia responds to their threats. For the UK, the Australian stance on cybercrime may be the push the UK needs to act on its own ransomware proposals.