Australia Cyber Security Act Ransomware payment threshold and report content

The trigger is not every ransomware incident. Part 3 applies where a cyber security incident has had, is having, or could reasonably be expected to have a direct or indirect impact on a reporting business entity; an extorting entity makes a demand to benefit from the incident or its impact; and the reporting business entity provides, or knows another entity has provided on its behalf, a payment or benefit directly related to that demand.

A reporting business entity is either a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies, or an entity carrying on business in Australia whose annual turnover for the previous financial year exceeds the turnover threshold and that is not a Commonwealth body, State body, or responsible entity for a critical infrastructure asset under the other limb.

The 2025 Rules prescribe the ordinary turnover threshold as $3 million for the previous financial year. If the business operated for only part of the previous financial year, the Rules use a pro-rated formula based on $3 million multiplied by the number of operating days divided by the number of days in that previous financial year.

The reporting business entity must give the designated Commonwealth body a ransomware payment report within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made, whichever applies.

The Act requires the report to include information the reporting business entity knows or can find out by reasonable search or enquiry at the time of reporting. The report must cover contact and business details for the reporting business entity if it made the payment, or the other entity if another entity paid; the cyber security incident and its impact; the extortion demand; the ransomware payment; and communications with the extorting entity about the incident, demand, and payment.

The Rules add detail: ABN if any and address for the reporting entity or other payer; when the incident occurred or is estimated to have occurred; when the reporting business entity became aware of it; impacts on infrastructure and customers; ransomware or malware variants; exploited vulnerabilities; response-useful information; the amount or quantum and method demanded; the amount or quantum and method provided, including non-monetary benefits; and the nature, timing, description, and any pre-payment negotiations in communications with the extorting entity.

The risky pattern is answering the FAQ with only an incident-response policy or a payment approval note. The grounded answer needs the reporting-business-entity scope analysis, the threshold calculation, the 72-hour clock, and a report-content inventory tied to the Act and Rules.

Do not rely on a generic ransomware playbook to decide whether the Part 3 report is triggered. Preserve the facts that distinguish a non-reportable incident from a reportable ransomware payment: entity status, Australian business activity, turnover, critical-infrastructure responsibility, the demand, the payment or benefit, and awareness that another entity paid on the reporting entity's behalf.