
According to the Australian Cyber Network's State of the Industry Report (April 2024), Australia is one of the top five most targeted nations in the world for cyber threats against critical infrastructure; on average, a cybercrime report is made every six minutes.

It should come as no surprise with these types of statistics that the Federal Government has taken steps to record incidents that seriously prejudice or are seriously prejudicing:

  • the social or economic stability of Australia or its people, or
  • the defence of Australia, or
  • national security.

Mandatory reporting obligations commenced 30th May 2025

One of the key objectives of the Cyber Security Act 2024 (the Act) is to ‘encourage the provision of information relating to the provision of payments or benefits (called ransomware payments) to entities seeking to benefit from cyber security incidents by imposing reporting obligations on entities in relation to the payment of such payments or benefits.’ (Section 3(b))

Mandatory reporting obligations are imposed by Part 3 of the Act. The reporting obligations are imposed on entities that have been impacted by a cyber security incident and made a ransomware payment to an entity seeking to benefit from the impact or the cyber security incident.

Incidents where the obligation to report is triggered

Part 3 applies when:

  • an incident has occurred, is occurring or is imminent, and
  • the incident is a cyber security incident, and
  • the incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on a reporting business entity, and
  • an entity (the extorting entity) makes a demand of the reporting business entity, or any other entity, in order to benefit from the incident or the impact on the reporting business entity, and
  • the reporting business entity provides or is aware that another entity has provided on their behalf, a payment or benefit (a ransomware payment) to the extorting entity that is directly related to the demand.

What is a cyber security incident

An incident is a cyber security incident for the purposes of the Act if:

  1. the incident involves a critical infrastructure asset, or
  2. the incident involves the activities of an entity that is a corporation to which paragraph 51(xx) of the Constitution applies, or
  3. the incident is or was effected by means of a telegraphic, telephonic, or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet), or
  4. the incident is impeding or impairing, or has impeded or impaired, the ability of a computer to connect to such a service, or
  5. the incident has seriously prejudiced or is seriously prejudicing:
     • the social or economic stability of Australia or its people, or
     • the defence of Australia, or
     • national security.

Who has to report a payment?

An entity must comply with reporting obligations if, at the time the ransomware payment is made, it is conducting a business in Australia with an annual turnover that exceeds the $3 million threshold for the previous financial year.

The term ‘entity’ can refer to an individual, body corporate, partnership, unincorporated association with a governing body, a trust, or a responsible entity for a critical infrastructure asset as defined under Part 2B of the Security of Critical Infrastructure Act 2018. Commonwealth or state bodies are excluded from these obligations.

What constitutes a payment

The legislation captures both monetary and non-monetary benefits that are given or exchanged with an extorting entity, constituting ransomware or cyber extortion payments. This may include gifts, services, or other benefits to an entity provided in response to the demand.

Information to be reported

The reporting must be in the format required by the Australian Signals Directorate, which is designated as the information collector by the Department of Home Affairs.

Section 7 of the Cyber Security (Ransomware Payment Reporting) Rules 2025 prescribes the information required for a ransomware payment or cyber extortion report. This information includes the following, where it is known or able to be known by reasonable search or enquiry:

  • The contact and business details of the entity that made the payment, including an Australian Business Number (ABN).
  • Details of the cyber security incident, including its impact on the reporting business entity.
  • When the incident occurred or is estimated to have occurred.
  • When the reporting business entity became aware of the incident.
  • The impact of the incident on the reporting business entity.
  • The impact of the incident on the reporting business entity’s customers.
  • What variant (if any) of ransomware or other malware was used; what vulnerabilities (if any) in the reporting business entity’s systems were exploited; and information that could assist a Commonwealth body or state body (for example, the Australian Signals Directorate or the Australian Cyber Security Centre) in the response to, mitigation or resolution of the cyber incident.
  • The other entity’s contact and business details, including the ABN and address (in cases where the ransom was paid by another entity).
  • The demand made by the extorting entity, including the amount or quantum of the ransomware or cyber extortion payment (including non-monetary benefits) demanded and the method of provision demanded for the ransomware payment.
  • The amount or quantum of the ransomware or cyber extortion payment (including non-monetary benefits) given and the method of provision.
  • Communications with the extorting entity relating to the incident, demand and the payment.
  • The nature and timing of any communications with the extorting entity.
  • A brief description of those communications (if any).
  • A brief description of any pre-payment negotiations undertaken in relation to the ransomware demand or payment.

Timeframe for reporting

Entities have 72 hours to make a ransomware or cyber extortion payment report from the time when the ransomware or cyber extortion payment is made, or from the time the entity is aware that a payment has been made on its behalf.

Lessons from maritime pirates

For centuries, ship owners and maritime insurers have been forced to develop policies on how to deal with extortion demands from pirates who take control of ships, cargo and crew. Ince & Co, once an international law firm that monitored piracy demands, estimated that ransoms of about US$75 to US$85 million were paid in 2010 to secure the release of 21 ships. By March 2011, it was estimated that the average ransom payments had reached about US$4 million, doubling the figure from January 2010. This was the period where the threats from Somali pirates were at their peak.

Shipowners established predefined response protocols and guidelines on how to collaborate with security partners and engage expert crisis management specialists to ensure they are equipped to navigate complex security incidents. Key to managing these risks is the collaboration among shipowners, insurers, security professionals, and even the navies of various countries to deter piracy and extortion demands. The kidnapping of crew and the very real threat to life have been motivating factors for this approach.

However, one key aspect of the risk management is that very little is known about ransom payments outside this closely-knit insurance sector. This confidentiality is intentional, to avoid encouraging further acts of piracy.

Where to from here

As with any new legislation imposing compliance obligations and penalties for non-compliance, the new mandatory reporting obligations require impacted entities to develop and implement policies and protocols in advance of a ransomware or cyber extortion event.

Each entity must determine its approach to extortion demands, which will vary according to the risks it faces. Factors to consider include the nature of the information at risk of exposure, the value of the information to the entity or its own clients, and the potential for such information to be sold on the dark web or made public.

It is important for entities to establish their position on payment of extortion demands in advance and develop processes for managing such situations. With the proliferation of cyber breaches and the extortion demands made on high profile Australian companies, including law firms and a Law Society, the likelihood of facing demands is rapidly rising. Being prepared in advance can save more than just reputations – it can save individuals.
