The Act confirms that the required information is limited to what the entity knows or can find out "within the 72 hour time period for giving the report".
A reporting business entity must give a ransomware payment report within 72 hours of making the payment or becoming aware that the payment has been made.
This page explains the statutory trigger, the reporting-business-entity scope, the report contents, who receives the report, how to submit it, and the evidence teams should preserve, without treating it as implementation planning.
Australia's Cyber Security Act 2024 creates a 72-hour ransomware payment reporting duty for reporting business entities impacted by a cyber security incident. The report must be given to the designated Commonwealth body, in the form approved by the Secretary (if any) and in the manner prescribed by the rules. Use this page to confirm the trigger, start the clock, collect the report fields required by the 2025 Rules, and keep evidence of the reasonable search made before submission.
Part 3 applies only when the incident is a cyber security incident, the incident has had, is having, or could reasonably be expected to have a direct or indirect impact on a reporting business entity, an extorting entity makes a demand to benefit from the incident or its impact, and the reporting business entity provides or becomes aware that another entity has provided a payment or benefit on its behalf that is directly related to the demand.
The trigger analysis should therefore be documented before treating every ransom negotiation as reportable. Capture the incident facts, the demand, the payment or benefit, who paid, whether the payment was on behalf of the reporting business entity, and how the incident connects to the reporting business entity.
The duty applies to a reporting business entity at the time the ransomware payment is made. The Act covers a business carrying on business in Australia with annual turnover for the previous financial year above the threshold, provided it is not a Commonwealth body, State body, or responsible entity for a critical infrastructure asset. It also covers a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies.
The 2025 Rules set the ordinary turnover threshold at $3 million for the previous financial year and include a pro-rata formula where the business operated for only part of that year. Once the scoped entity makes the payment, or becomes aware that the payment has been made, the report is due within 72 hours of whichever clock-start applies.
Section 27 requires the report to contain information the reporting business entity knows, or is able by reasonable search or enquiry to find out at the time of reporting, about the relevant entity details, the cyber security incident, the demand, the ransomware payment, and communications with the extorting entity.
The Rules make those categories more concrete. The report should include ABN and address details where applicable, the incident timing and awareness timing, impacts on infrastructure and customers, ransomware or malware variants if known, vulnerabilities exploited if known, information that could assist response or mitigation, the amount or quantum and method demanded, the amount or quantum and method actually provided, and the nature, timing, description, and pre-payment negotiation details for communications with the extorting entity.
The report must be given to the designated Commonwealth body. The Rules also require it to be given in the form approved by the Secretary, if any, and in the manner prescribed by the rules.
Keep the submission record with the report itself so you can show who it was sent to, when it was sent, and which filing method was used.
The report-content duty is limited to information the reporting business entity knows or can find out by reasonable search or enquiry within the 72-hour reporting period. That makes the search log important: teams should show what was checked, who was asked, what was known at submission time, and which items remained genuinely unknown.
Keep the report itself, the deadline calculation, the scope assessment, the demand and payment evidence, communication records, malware or vulnerability findings, customer and infrastructure impact notes, approval records, and any follow-up corrections or incident-response actions. Separate the ransomware payment report from other SOCI, privacy, law-enforcement, insurer, or contractual notifications so each obligation has its own trigger and evidence trail.