
Mandatory Ransomware Payment Reporting - What the industry needs to know

25 June 2025

Authors: Reece Corbett-Wilkins, Stefanie Luhrs, and John Moran

On 30 May 2025, mandatory ransomware payment reporting came into force in Australia, marking a significant shift in how organisations respond to ransomware incidents. Businesses that make ransom payments and have an annual turnover of more than $3 million are now required to report those payments to the Australian Signals Directorate, giving authorities greater visibility into ransomware trends and helping them respond more effectively. While the framework aims to improve Australia’s national cybersecurity response, its implementation presents both challenges and opportunities. We outline the new requirements and those challenges below.

Will The Changes Impact Me?

From 30 May 2025, these changes will affect you if you pay a ransom connected to a cyber security incident and you are either an organisation covered by the Security of Critical Infrastructure Act 2018 (Cth) (SOCI) or an organisation whose turnover in the last financial year exceeded $3 million AUD (assessed on a pro rata basis if you carried on business for only part of that year). Businesses that fall below this threshold, such as small businesses, are exempt from the obligation, as are Commonwealth and State bodies.

There is no mandatory reporting obligation where no ransomware or cyber extortion payment is made. For example, if a demand is received but the reporting business entity elects not to pay, there is nothing to report. From a data capture perspective, this is one of the key downsides of the Scheme: unpaid demands never reach the dataset.

What About Third Parties With Knowledge of a Payment?

There has already been considerable industry interest in whether third parties with knowledge of a ransom payment have their own reporting obligations. That group includes ransom negotiators, insurers, brokers, forensic and legal advisors, third parties that hold information jointly with the victim, downstream or upstream suppliers, MSPs, and global parent companies.

In the first few weeks of the Scheme’s operation, we have already seen third parties ask victim businesses whether a ransom has been or will be paid, on the assumption that they have independent reporting obligations. This raises the question: who actually needs to report?

When considering who needs to report, there are three relevant thresholds that must be reached:

  1. The cyber security incident must have a “direct or indirect impact” on a reporting business entity.
  2. A Threat Actor (the ‘extorting entity’) makes a demand of the reporting business entity, or of any other entity (secondary extortion), to benefit from the incident or from its impact on the reporting business entity.
  3. The reporting business entity pays a ransom, or another party pays “on behalf” of the reporting business entity.

There is no carve-out of the kind found in the Privacy Act 1988 (Cth), where a report made by one entity absolves the other entities involved from reporting. The result is a scenario in which multiple parties may each consider that they have an obligation to report the same payment.

Advisors supporting the impacted entity (including incident response advisors and ransom negotiators) do not have obligations to report ransomware payments, even if they facilitate the payment or have knowledge of it. The obligations rest with the reporting business entity directly or indirectly impacted by the cyber security incident. That said, in practice, we are seeing some parties request undertakings from reporting business entities that they have complied with their obligations.

International organisations with an Australian footprint will need to consider the application of this regime should their Australian operations be directly or indirectly impacted by a ransomware incident and if a payment is made by the global entity on behalf of the Australian entity. If your organisation has a parent company based outside of Australia that makes the ransom payment on your behalf, you will likely need to submit a report.

There also needs to be consideration of who needs to report where a multi-party data breach or supply chain attack occurs, particularly if the directly impacted entity falls outside the reporting thresholds (i.e. is a small business with revenues less than $3m). Much will turn on whether an extortion demand is made of the other entities and whether the payment itself is made “on behalf of” the other entities. The knowledge that each party has about the purpose of the payment being made and who it was intended to benefit will become relevant.

The most likely scenario is this: if a secondarily extorted entity (the indirectly impacted entity) pays, a reporting obligation is triggered provided it is a reporting business entity. A reporting obligation may also apply to the primary extorted party (the directly impacted entity) if it too is a reporting business entity. The explanatory memorandum specifically calls out global supply chain incidents, particularly where downstream entities are impacted operationally and where jointly held data is concerned. A waterfall of reporting requirements could apply.

Finally, the obligation will not fall on insurers unless they pay ransoms directly, and by and large most insurers do not; they indemnify Policyholders and reimburse after the fact. Care is needed where an insurer pre-funds a ransom payment under the Policy: the arrangement should make clear that the insurer is reimbursing the Policyholder under the insurance contract, not paying the ransom on behalf of the reporting business entity.

What do I need to do?

Following payment of a ransomware demand, whether by your business or by a third party on your behalf, you must report the payment to the Australian Signals Directorate (ASD) within 72 hours.

What do I have to report and how do I report it?

You must include in the report:

  • the contact and business details of the entity that made the payment (i.e. the reporting business entity or the entity that paid on their behalf);
  • details of the cyber security incident, including its impact on the reporting business entity;
  • details of the demand made by the extorting entity;
  • the ransomware payment;
  • communications with the extorting entity (Threat Actor) relating to the incident, the demand and the payment; and
  • any other information relating to the cyber security incident.

Further specifics about the information required are contained in the Cyber Security (Ransomware Payment Reporting) Rules 2025. The report is made via the reporting portal on the ASD’s cyber.gov.au website (https://www.cyber.gov.au/report-and-recover/report/ransomware-payment-and-cyber-extortion-payment-reporting).

What happens if I don’t report within 72 hours?

Failure to report a payment could result in a civil penalty of $19,800 (60 penalty units). However, the Department of Home Affairs is applying a ‘grace period’ for the first 6 months, during which the focus will be on education and on obtaining feedback from reporting business entities.

What happens to the information I report?

The Government cannot use or disclose the information contained in ransomware payment or cyber extortion reports except for limited purposes (for example, carrying out its functions to assist in responding to a cyber incident), and cannot release the information to the media, regulators or plaintiff law firms.

It can, however, use information in the report to support the reporting business entity, or other entities acting on its behalf, to respond to, mitigate or resolve the cyber security incident. This does not mean the report can or should be provided to third parties involved indirectly in the incident. That said, if a ransom is paid and data publication is suppressed, the other entities involved are likely to ask the Government whether a ransom has been paid, so they can understand their exposure should the data be published.

This is where the information sharing protocols will become extremely important. The ‘limited use disclosure’ framework is a key guardrail intended both to encourage reporting and to minimise information sharing concerns and legal liability. It is not a ‘safe harbour’, however, and it does not protect against liability in relation to the incident itself. Nor does information provided in the report affect any claim for legal professional privilege that would otherwise apply.

It also does not remove the need for authorised decision makers to conduct sanctions due diligence before a payment is made. That due diligence remains a key requirement, both for organisations that pay and for insurers that reimburse.

Why does the Government need to collect this information?

Collecting this information will allow the Government to build statistics on threat actors, including their key targets, attack methodologies, and demand and payment amounts. It will also give the Government a clearer picture of the impact of ransomware incidents on organisations and on the Australian economy.

This will help the Government to better manage cyber risk in the future by informing policy and the efforts of law enforcement, and over time assist with national efforts to drive down cyber-crime.

Will there be any negative impact on my business?

As this is a new regulation, its full implications are yet to be tested. However, the reporting regime was the subject of extensive industry consultation to ensure that it meets community and business expectations.

The focus now is on operationalising the reporting mechanism to ensure that it meets its objectives and allows organisations and Government to work hand in hand during a ransomware incident. The Department of Home Affairs will continue to obtain feedback and enhance the mechanism over the next 12 months.

Will small businesses be targeted by ransomware groups?

There has been speculation about whether the revenue thresholds will impact the way cyber criminals choose their targets, with a focus on small businesses that fall beneath the reporting radar.

We have no credible evidence that this will occur. We do, however, warn that small businesses need to continue to focus on prevention and readiness. Small businesses should seriously consider obtaining cyber insurance to bolster their response capabilities should they experience a cyber security incident. This is a general concern that the cyber security and cyber insurance industry has been focussing on in recent times, and continued efforts are required to support these initiatives.

Threat Actor groups have generally moved towards mid-market and small businesses in recent times, so efforts to support the small business community ought to continue in any event, including encouraging the uptake of cyber insurance to enhance prevention and response capabilities.

What can I do to protect my organisation?

Being prepared is key.

Organisations should update their decision-making frameworks and ransomware response playbooks to reflect the new reporting obligation, and then exercise them through simulations at the executive and board level so that they are best prepared to respond.

How Atmos Can Assist

With ransomware payment reporting now in force, businesses must adapt quickly so that they can navigate these complexities should a ransomware incident occur. This includes workshopping how to leverage the support of the National Office of Cyber Security for large scale incidents.

Atmos is well positioned to assist, providing expert guidance and legal support tailored to cyber, privacy, and digital risk management across Australia and New Zealand, backed by the Atmos First Response and Remediation Panel, which includes a broader group of cyber incident response experts.

1. Atmos Readiness: Proactive Preparation

We offer practical solutions to help businesses respond effectively:

  • Executive Briefings – Strategic sessions to help organisations understand their new obligations.
  • Development of Ransomware Response Frameworks – Decision-making structures for managing ransomware incidents within legal and operational guidelines.

2. Incident Response Support

For organisations affected by ransomware incidents, Atmos delivers industry-leading response services, including:

  • Government Collaboration – Direct insights into regulatory requirements.
  • Strategic Communications – Expert advice to ensure stakeholder messaging aligns with legal protections.
  • Sanctions / Legality of Payment Advice – Guidance to navigate complex legal considerations surrounding ransom payments.

Conclusion

Australian businesses must adapt to new compliance requirements and operational realities. While this legislation improves visibility into ransomware incidents, further refinement may enhance the effectiveness of reporting.

Atmos remains committed to supporting organisations through these changes, providing expert legal and advisory services to navigate the evolving cyber risk landscape, and working with Government to provide insights for further development.

To hear more or to organise a chat, get in touch:

info@atmosgroup.com.au