
Australia has implemented a first-of-its-kind requirement for eligible businesses to report ransomware payments. From 30 May 2025, eligible businesses that make a payment in response to a cyber security incident, or become aware of a payment being made on their behalf, must report this information to the Australian Signals Directorate (ASD).
This requirement under the Cyber Security Act 2024 aims to increase transparency in the management of a crime that is increasingly impacting Australian businesses and the general public. The high-profile nature of recent cyberattacks involving Australians’ data means that there is increasing scrutiny on the response of businesses to these attacks, including any decisions to pay ransoms.
A cyber security incident includes the unauthorised impairment of electronic communication to or from a computer, including the interception of this communication. If a payment is made in response to such an incident, including where the incident has already happened or is imminent, then eligible businesses are required to report this payment. Businesses will be required to make a report if they:
A business does not necessarily have to be Australian-based or Australian-owned to ‘carry on business’ in Australia. Rather, if it has any business operations that occur in Australia, and has an annual turnover of AUD 3 million or more, it may be required to report a ransomware payment.
Within 72 hours of either making a ransomware payment or becoming aware of the payment, the business must submit a report on the ASD Government website.
This report must include:
Importantly, ‘payment’ includes any non-monetary benefits given to the extorting entity. This may include the exchange of gifts, services, or other benefits.
While the law does not make ransomware payments themselves illegal, failure to report any such payment can lead to a penalty of up to 60 penalty units (currently AUD 19,800). The Department of Home Affairs (Department) has indicated that the first six months (30 May 2025 to 31 December 2025) will be characterised by an ‘education first’ approach. During this period, regulatory action will only be pursued in cases of egregious non-compliance.
From 1 January 2026 onwards, however, the Department will take a more active regulatory focus and will publish further guidance on the regime taking into account feedback from the initial six months of its operation.
Businesses need to take proactive steps to ensure that they are equipped to deal with any cyberattack in a manner consistent with the new regime.
This will include determining whether they meet the eligibility thresholds and updating their cyber incident response plans to include the new reporting requirements. Training employees to identify and escalate ransomware incidents quickly is also essential, as is having clear procedures in place that are understood and can be easily followed.
In any event, aligning your incident response with the new reporting requirements in Australia will likely leave your business in good stead should other jurisdictions decide to follow Australia’s lead and introduce similar requirements. As the technological capabilities of would-be cyber attackers continue to advance, it is clear that this is an area that will continue to be the subject of regulatory and public focus going forward. It is critical that businesses adequately prepare themselves to deal with this scrutiny.
Should you require any assistance, feel free to reach out to the authors or your usual Hogan Lovells contact.
Authored by Charmian Aw and Paris Buti.