Australia first in global move to mandate ransomware payment reporting

June 5, 2025

Australia has become the first country in the world to require that ransoms paid to cybercriminals be reported to the government.

It's not illegal for Aussie firms to pay ransoms, but the Australian Signals Directorate (ASD), like many government cyber entities, doesn't recommend it. Its most recent annual report records that the agency investigated 121 ransomware incidents, a figure that is likely well below the true scale of the threat and one of the reasons for the new legislation.

From 30 May, if you're a reporting entity as defined under Part 3 of the Cyber Security Act 2024, you now have an obligation to make a report on the ASD website within 72 hours of making a ransomware payment, or of becoming aware that a payment has been made on your behalf.

This mandatory notification applies to organisations with annual revenue of AUD$3 million (USD$1.95m) or more.

A grace period has been built into the rollout - from 30 May 2025 to 31 December 2025, the Australian Department of Home Affairs will monitor compliance with the obligation to report ransomware payments via an 'education first' approach, focused on helping rather than hindering organisations that are impacted by, and currently handling, serious incidents.

This includes publicising the new requirements and their purpose and intent, and hosting Town Hall meetings to communicate why, by whom and when the ransomware reporting must be actioned. Organisations can catch the latest recorded one-hour session on the Cyber and Critical Infrastructure Security Centre (CISC) website, where a demo of the ransomware reporting form was also given.

From 1 January 2026, this education campaign switches to a 'compliance and enforcement' approach with regulatory action. Fines of up to AUD$19,000 (USD$12,300) could apply for non-reporting. What needs to be reported is listed on the summary handout.

Using incident reporting to gain intelligence

Over the last 12-15 years, many organisations and cyber insurers have paid ransoms to enable a quick recovery of critical systems and data, potentially at lower cost or effort than a full recovery or restoration of IT assets, or because they faced no other option when backups had also been encrypted.

Paying up has also been seen as a way to prevent sensitive data being disclosed by attackers under the threat of extortion, though not always with the desired outcome.

In the 2024 lead up to the Act, the Australian government gave three primary reasons for this new reporting regime:

  1. To observe what threat actors are most active, what types of businesses they target, what types of malicious software are used, the method of attacker contact, and how much money or productivity is lost in the Australian economy
  2. To assist the Government in publishing tailored advice to businesses on how to uplift their cyber hygiene, protect and secure their data, and make them hard targets for cyber criminals based on the trends identified in mandatory reports
  3. To assist the Government with future programmes that directly target ransomware operators

Initial feedback from regulated entities included a serious concern that reported information could be used for civil, criminal or regulatory action against them via penalties, fines or lawsuits. Australia has witnessed a massive rise in cyber breaches in the last few years and there are multiple class action lawsuits underway as a result.

The 2024 Act made efforts to address these concerns. The Insurance Council of Australia, which provides cyber insurance cover, has also supported the mandated reporting as a way to enhance threat intelligence and landscape analysis.

Global reporting requirements

Mandatory cyber incident reporting is not new - many nations impose requirements under security or privacy laws or sector-specific regulatory regimes, with provisions and penalties covering the reporting of major incidents or breaches, and of events that impact system availability or cause business disruption.

Over the past decade, many countries, including the United States, Australia and India, have imposed mandatory cyber incident reporting requirements. The European Union recently expanded its mandatory reporting requirements through its Network and Information Security Directive 2.0 (NIS2).

The intent is common across countries - to increase central visibility over the scope, scale and intensity of malicious cyber activity. As a recent deep dive in the Harvard Business Review stated: "No government currently has the incident information it needs to protect its national security, economic prosperity, or public health and safety in cyberspace."

In 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires covered entities to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of making any ransom payment as a result of a ransomware attack.

The proposed rule was published on 4 April 2024 and was meant to be actioned within 18 months, making a target date of 4 October 2025 likely. CISA, though, has suffered significant cuts under the current U.S. government, and this timing is not certain.

The UK government launched a consultation at the start of 2025 on a set of legislative proposals to reduce the impact of ransomware and increase the amount of intelligence available on incidents and payments.

The three proposals were wide-ranging and included:

  1. A targeted ban on ransomware payments for the public sector and regulated critical national infrastructure (CNI) sectors
  2. A new ransomware payment prevention regime requiring victims to seek authorisation from the government before they can proceed with a ransom payment
  3. A mandatory ransomware incident reporting regime

The Royal United Services Institute for Defence and Security Studies (RUSI) declared the approach to be "the most consequential intervention by any national government on ransomware to date" and held a workshop event to evaluate the impact of the concepts. Feedback was detailed and highlighted both the risk that government regulation could lead organisations to try to evade such mandates, and doubt that the approach would deter ransomware attackers from striking the UK.

Overcyte will continue to monitor global regulatory and legislative changes as ransomware reporting regimes evolve.
