Australia Cyber Security Act 2024: Ransomware payment reporting in 72 hours

Complete operational guide to the Australia Cyber Security Act 2024 ransomware reporting obligation, covering who must report, what the report must contain, how the 72 hour reporting window works, penalties for non compliance, and how to prepare your incident response team before an event occurs.

Built for incident commanders, general counsel, CISOs, board members, insurers, and external advisers who need to understand Australia ransomware payment reporting from end to end.

Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026
Overview

Part 3 of the Australia Cyber Security Act 2024 creates a mandatory ransomware payment reporting obligation. Any reporting business entity that makes a ransomware payment, or becomes aware that another entity has made a ransomware payment on its behalf, must submit a ransomware payment report to the designated Commonwealth body within 72 hours. The 72 hour reporting window starts from the moment the payment is made or the moment the entity becomes aware the payment was made, whichever applies. The obligation is triggered by the fact of a ransomware payment, not by forensic certainty about the attacker or the full scope of the breach. That means organisations must build the decision path, data collection model, and owner map before the incident happens. This guide explains every element of Australia Cyber Security Act 2024 ransomware reporting so your team can comply with confidence.

Section 1

Who Must Submit a Ransomware Payment Report Under the Reporting Business Entity Test

The ransomware payment reporting obligation under the Australia Cyber Security Act 2024 applies only to a reporting business entity. Under section 26(2) of the Act, an entity qualifies as a reporting business entity if, at the time the ransomware payment is made, it meets one of two tests. The first test applies to any entity that is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold, and that is not a Commonwealth or State body, and is not a responsible entity for a critical infrastructure asset. The second test applies to any entity that is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 (SOCI Act) applies.

The Cyber Security (Ransomware Payment Reporting) Rules 2025 set the turnover threshold at $3 million for the previous financial year. If a business was carried on for only part of the previous financial year, the threshold is calculated on a pro rata basis using the formula: $3 million multiplied by the number of days in the part divided by the number of days in the previous financial year. This $3 million threshold was selected to align with the Privacy Act 1988 small business threshold and captures approximately 6.56 percent of registered Australian businesses.

Entities that are responsible entities for critical infrastructure assets under Part 2B of the SOCI Act are captured as reporting business entities regardless of their turnover. This means that a critical infrastructure responsible entity with turnover below $3 million must still comply with Australia Cyber Security Act 2024 ransomware reporting if it makes a ransomware payment.

  • Confirm whether your entity meets the reporting business entity definition before an incident occurs. Do not delay this assessment until a ransomware event is underway.
  • Check your annual turnover for the previous financial year against the $3 million threshold set in the Ransomware Payment Reporting Rules 2025.
  • If your business operated for only part of the previous financial year, apply the pro rata formula to determine your adjusted threshold.
  • If your entity is a responsible entity for a critical infrastructure asset under Part 2B of the SOCI Act, you are a reporting business entity regardless of turnover.
  • Commonwealth bodies, State bodies, and Territory bodies are excluded from the turnover based test but may still be captured through the SOCI Act route.
  • Document your reporting business entity status assessment, including the turnover figure and the financial year it applies to, and keep it accessible to the incident response team.
Section 2

What Constitutes a Ransomware Payment Under the Cyber Security Act 2024

Section 26(1) of the Australia Cyber Security Act 2024 defines a ransomware payment broadly. The obligation is triggered when five conditions line up. First, an incident has occurred, is occurring, or is imminent. Second, the incident is a cyber security incident. Third, the incident has had, is having, or could reasonably be expected to have a direct or indirect impact on a reporting business entity. Fourth, an extorting entity makes a demand of the reporting business entity or any other entity in order to benefit from the incident or the impact on the reporting business entity. Fifth, the reporting business entity provides, or is aware that another entity has provided on its behalf, a payment or benefit to the extorting entity that is directly related to the demand.

The definition covers payments or benefits. That means monetary transfers such as cryptocurrency, wire transfers, or cash are covered, but non monetary benefits are also covered. If an entity provides any benefit to an extorting entity that is directly related to the demand arising from a cyber security incident, the ransomware payment reporting obligation under the Australia Cyber Security Act 2024 is triggered.

Payments made by a third party on behalf of the reporting business entity are included. If an insurer, parent company, incident response firm, or negotiation service makes the payment on behalf of the reporting business entity, and the reporting business entity becomes aware of that payment, the 72 hour reporting clock starts from the moment of awareness.

  • A ransomware payment includes any payment or benefit, whether monetary or non monetary, provided to the extorting entity.
  • Cryptocurrency payments, wire transfers, cash payments, and any other method of provision are all covered.
  • Payments made by a third party on behalf of the reporting business entity trigger the same obligation.
  • The 72 hour reporting window begins when the entity makes the payment or when the entity becomes aware a third party made the payment on its behalf.
  • The incident does not need to be fully understood or attributed for the ransomware payment reporting obligation to apply.
  • Do not wait for forensic certainty. The trigger is the fact that a payment was made, not the completion of incident investigation.
Section 3

How the 72 Hour Ransomware Payment Reporting Window Works

Section 27(1) of the Australia Cyber Security Act 2024 requires the reporting business entity to give the designated Commonwealth body a ransomware payment report within 72 hours. The clock starts from the earlier of two events: the moment the reporting business entity makes the ransomware payment, or the moment the reporting business entity becomes aware that the ransomware payment has been made by another entity on its behalf.

The 72 hour reporting window is strict. There is no extension mechanism in the Act. However, the Act and the Ransomware Payment Reporting Rules 2025 recognise that not all information will be available within 72 hours. Section 27(2) specifies that the report must contain information that, at the time of making the report, the reporting business entity knows or is able, by reasonable search or enquiry, to find out. This means you should report what you know and what you can reasonably discover within 72 hours, rather than delaying the report to gather complete information.

The designated Commonwealth body that receives the ransomware payment report is defined in section 8 of the Act. If no rules specify otherwise, the designated Commonwealth body is the Department of Home Affairs and the Australian Signals Directorate (ASD). In practice, the report should be submitted through the channels specified by the Department.

  • The 72 hour reporting clock starts from the moment of payment or the moment of awareness that a third party payment was made.
  • There is no statutory extension to the 72 hour window. The report must be submitted within that period.
  • You are only required to include information that you know or can find out by reasonable search or enquiry within the 72 hours.
  • Do not delay the report to wait for complete forensic analysis, full attribution, or final incident scoping.
  • The report must be given to the designated Commonwealth body, which defaults to the Department of Home Affairs and ASD.
  • The report must be given in the form approved by the Secretary (if any) and in the manner prescribed by the rules.
  • Define in advance who in your organisation is responsible for starting the clock and who submits the report.
Section 4

Required Ransomware Payment Report Content Under the Reporting Rules 2025

Section 27(2) of the Australia Cyber Security Act 2024 and section 7 of the Cyber Security (Ransomware Payment Reporting) Rules 2025 together define the required content of a ransomware payment report. The report must cover six categories of information. Each category has specific data points mandated by the Rules. The ransomware payment report is a structured factual submission, not a legal memo or a narrative summary.

The first category is the contact and business details of the reporting business entity that made the ransomware payment. Under section 7(2) of the Rules, this must include the entity's Australian Business Number (ABN), if any, and its address. The second category applies when another entity made the ransomware payment on behalf of the reporting business entity. Under section 7(3) of the Rules, the other entity's contact details, ABN (if any), and address must be included.

The third category is information about the cyber security incident and its impact on the reporting business entity. Section 7(4) of the Rules requires seven specific data points: when the incident occurred or is estimated to have occurred, when the reporting business entity became aware of the incident, the impact on the entity's infrastructure, the impact on the entity's customers, the variants of ransomware or other malware used (if known), the vulnerabilities exploited in the entity's systems (if known), and any information that could assist a Commonwealth or State body in responding to or resolving the incident.

The fourth category is information about the demand made by the extorting entity. Section 7(5) of the Rules requires the amount or quantum of the ransomware payment demanded (or a description if non monetary) and the method of provision demanded. The fifth category is information about the ransomware payment itself. Section 7(6) of the Rules requires the actual amount or quantum of the payment (or a description if non monetary) and the actual method of provision. The sixth category is information about communications with the extorting entity. Section 7(7) of the Rules requires the nature and timing of communications, a brief description of those communications, and a brief description of any pre payment negotiations.

  • Category 1: Reporting business entity contact details, ABN (if any), and address.
  • Category 2: If another entity made the payment, that entity's contact details, ABN (if any), and address.
  • Category 3: Incident timing (actual or estimated), time of awareness, impact on infrastructure, impact on customers, ransomware or malware variants (if known), exploited vulnerabilities (if known), and any information useful for government response.
  • Category 4: Demand amount or description, and demanded method of provision.
  • Category 5: Actual payment amount or description, and actual method of provision.
  • Category 6: Nature and timing of communications with the extorting entity, a brief description of those communications, and a brief description of pre payment negotiations.
  • Information is required only to the extent that the entity knows it or can find it by reasonable search or enquiry within 72 hours.
  • The entity may also include other information about the cyber security incident in addition to the required fields.
Section 5

Penalties for Failing to Submit a Ransomware Payment Report Within 72 Hours

Section 27(5) of the Australia Cyber Security Act 2024 creates a civil penalty for failure to submit a ransomware payment report within the 72 hour reporting window. The penalty is 60 penalty units. For a body corporate, the maximum civil penalty is five times that amount, which equates to 300 penalty units. The value of a Commonwealth penalty unit is set under the Crimes Act 1914 and is adjusted periodically.

The civil penalty applies to any reporting business entity that contravenes the obligation under section 27(1). This includes failure to submit the report at all, failure to submit it within 72 hours, and failure to include the required information in the report. The Regulatory Powers (Standard Provisions) Act 2014 applies for enforcement, though section 27(6) disapplies subsection 93(2) of that Act for this particular provision.

Non compliance with Australia Cyber Security Act 2024 ransomware reporting also carries reputational risk. If the Cyber Incident Review Board conducts a review of the incident under Part 5 of the Act, a failure to report may become part of the record. The government has stated an education first approach to compliance, but the civil penalty framework is in place from commencement.

  • Civil penalty for non compliance: 60 penalty units per contravention for individuals, up to 300 penalty units for bodies corporate.
  • The penalty applies to late reporting, non reporting, and materially incomplete reporting.
  • The Regulatory Powers (Standard Provisions) Act 2014 provides the enforcement mechanism.
  • The government has indicated an education first compliance posture, but the civil penalty is legally enforceable from the date the obligation commences.
  • Reputational consequences may also arise if the Cyber Incident Review Board reviews the incident.
  • Build compliance evidence to demonstrate good faith effort, even if some report fields are incomplete at the 72 hour mark.
Section 6

Protected Information, Privilege, and Admissibility Safeguards for Ransomware Payment Reports

The Australia Cyber Security Act 2024 includes strong protections designed to encourage ransomware payment reporting rather than penalise it. Section 28 provides that an entity is not liable to an action or proceeding for damages for any act done or omitted in good faith in compliance with the reporting obligation. This good faith shield extends to officers, employees, and agents of the reporting business entity.

Section 29 restricts how the designated Commonwealth body may use or disclose information from a ransomware payment report. The information may only be used for permitted purposes, such as assisting the entity to respond to the incident, performing regulatory functions under Part 3, supporting law enforcement for false information offences, performing functions of the National Cyber Security Coordinator, informing Ministers, and supporting intelligence agency functions. The designated Commonwealth body must not use ransomware payment report information to investigate or enforce any civil or regulatory contravention by the reporting business entity, except for contraventions of Part 3 itself or criminal offences.

Section 31 preserves legal professional privilege. The fact that a reporting business entity included information in a ransomware payment report does not waive privilege over that information in other proceedings. Section 32 provides that information from a ransomware payment report is not admissible in evidence against the reporting business entity in criminal proceedings (other than false information offences), civil penalty proceedings (other than under Part 3), or proceedings before a tribunal. These protections mean that the ransomware payment reporting obligation under the Australia Cyber Security Act 2024 is designed as a safe harbour intelligence sharing mechanism, not a self incrimination tool.

  • Good faith immunity under section 28 protects the entity and its personnel from damages claims arising from compliance with the reporting duty.
  • Ransomware payment report information can only be used by the designated Commonwealth body for permitted purposes listed in section 29.
  • The designated Commonwealth body cannot use report information to pursue civil or regulatory enforcement against the reporting entity, except for Part 3 contraventions or criminal offences.
  • Legal professional privilege is preserved. Providing privileged information in a ransomware payment report does not waive privilege in other proceedings.
  • Report information is not admissible in evidence against the reporting business entity in criminal, civil penalty, or tribunal proceedings (with narrow exceptions for false information offences and Part 3 contraventions).
  • These protections apply to information obtained from ransomware payment reports and to secondary recipients under section 30.
  • The protection framework is intended to remove fear of self incrimination as a barrier to ransomware payment reporting under the Australia Cyber Security Act 2024.
Section 7

Parallel Reporting Obligations During a Ransomware Incident in Australia

Section 44 of the Australia Cyber Security Act 2024 makes clear that information provided under one reporting regime does not discharge obligations under another. A ransomware incident in Australia can trigger up to three separate mandatory reporting obligations that run concurrently, each with its own trigger, timeline, recipient, and content requirements.

Under Part 2B of the SOCI Act, responsible entities for critical infrastructure assets must report significant cyber security incidents within 12 hours of becoming aware that the incident is having a significant impact (section 30BC), and other cyber security incidents within 72 hours (section 30BD). These SOCI Act timelines are triggered by the impact of the incident on the critical infrastructure asset, regardless of whether a ransomware payment is made. The ransomware payment reporting obligation under Part 3 of the Cyber Security Act 2024 is triggered separately by the act of making or becoming aware of the ransomware payment.

Under Part IIIC of the Privacy Act 1988, the Notifiable Data Breaches (NDB) scheme requires entities that experience unauthorised access to, disclosure of, or loss of personal information likely to result in serious harm to assess the breach within 30 days (section 26WH) and then notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable. A ransomware incident involving exfiltration or encryption of personal data will typically trigger this NDB obligation in addition to the ransomware payment reporting requirement.

For a critical infrastructure entity hit by a ransomware attack that involves personal data and a ransom payment, all three reporting obligations may run simultaneously. The SOCI incident notification is due first (12 hours for critical incidents), followed by the ransomware payment report under the Cyber Security Act 2024 (72 hours from payment), and then the NDB notification (30 day assessment period followed by notification as soon as practicable). Your incident response playbook must coordinate all three paths with separate timelines, owners, content requirements, and submission channels.

  • SOCI Act Part 2B requires 12 hour notification for critical cyber security incidents and 72 hour notification for other incidents affecting critical infrastructure assets.
  • Cyber Security Act 2024 Part 3 requires a 72 hour ransomware payment report from the date of payment or the date the entity becomes aware a third party made the payment.
  • Privacy Act 1988 Part IIIC (NDB scheme) requires a 30 day assessment period followed by notification as soon as practicable where personal data breach is likely to cause serious harm.
  • Section 44 of the Cyber Security Act 2024 confirms that reporting under one regime does not satisfy obligations under another regime.
  • Section 29(4)(a)(i) carves out information already provided under SOCI Act Part 2B from the ransomware payment report use restrictions, so the two pathways operate independently.
  • Build your incident response playbook to address all three reporting pathways in a coordinated sequence with separate timelines, owners, content requirements, and submission channels.
Section 8

Building Your Ransomware Payment Reporting Playbook Before an Incident

The most common reason organisations fail to meet the 72 hour reporting window for ransomware payment reporting under the Australia Cyber Security Act 2024 is that they did not prepare the data collection model, decision authority, and submission path in advance. The report fields, the escalation chain, and the evidence preservation approach must be designed and tested before a ransomware event occurs.

Start by building a pre approved ransomware payment report collection sheet that mirrors the six categories required by section 27(2) of the Act and section 7 of the Ransomware Payment Reporting Rules 2025. Assign each data point to the team or individual most likely to hold that information during an active incident. Contact and business details should come from legal or corporate affairs. Incident timing and impact should come from the incident response team. Malware variant and vulnerability information should come from the technical forensics lead. Demand and payment details should come from the party authorising or executing the payment. Communication logs should come from whoever manages the negotiation channel, whether that is an internal team, external counsel, or a specialist negotiation firm.

Define the decision authority for two key moments. The first is the decision to make or authorise a ransomware payment. The second is the moment that awareness of a payment by a third party reaches the entity. Both of these moments start the 72 hour reporting clock. If the decision authority is unclear, or if there is a gap between payment authorisation and payment execution, your organisation risks starting the clock late and breaching the 72 hour window.

Prepare the submission channel in advance. Identify the approved form (if the Secretary has published one) and the prescribed manner for submission. Keep contact details for the designated Commonwealth body (the Department of Home Affairs and ASD) in the incident response documentation, not in someone's personal contact list.

  • Build a pre approved collection sheet that maps every required report field to a data owner.
  • Assign entity contact details and ABN to legal or corporate affairs.
  • Assign incident timing, infrastructure impact, customer impact, malware variants, and vulnerability information to the incident response and forensics team.
  • Assign demand details and payment details to the party responsible for authorising or executing the payment.
  • Assign communication and negotiation logs to whoever manages the extortion channel, whether internal, external counsel, or a specialist negotiation firm.
  • Define who holds the authority to decide that a ransomware payment has been made and who is responsible for starting the 72 hour reporting clock.
  • Identify the submission form and channel for the designated Commonwealth body in advance.
  • Keep all submission instructions in the incident response runbook, not in a single person's knowledge.
Section 9

Evidence Preservation During the 72 Hour Ransomware Payment Reporting Window

Evidence preservation is critical during a ransomware payment reporting event under the Australia Cyber Security Act 2024. The ransomware payment report must contain information about the incident, the demand, the payment, and communications with the extorting entity. If this evidence is lost, overwritten, or fragmented during the crisis response, the entity may be unable to comply with the reporting obligation or unable to defend the accuracy of its report.

Create a controlled evidence folder structure before an incident occurs. The folder should have separate sections for incident timeline logs, infrastructure and customer impact records, malware samples and forensic artifacts, demand communications (screenshots, email headers, decryptor portal links, chat logs), payment authorisation records, payment execution records (wallet addresses, transaction hashes, wire confirmations), negotiation records, and internal decision records showing who authorised the payment and when.

All evidence should be timestamped and stored in a manner that supports legal hold requirements. If the entity uses an external negotiation service, the contract with that service should include clauses requiring the negotiator to preserve and hand over communication logs and payment records within the 72 hour window.

  • Create a pre built evidence folder structure for ransomware payment reporting events with separate sections for each category of required report content.
  • Preserve incident timeline logs, including when the incident was detected, when the entity became aware, and when each escalation step occurred.
  • Capture and store all demand communications: screenshots of ransom notes, email headers, decryptor portal links, chat logs, and dark web page captures.
  • Record all payment details: wallet addresses, transaction hashes, wire transfer confirmations, and authorisation records.
  • Preserve negotiation records, including any pre payment negotiations, and note the nature and timing of each exchange.
  • Timestamp all evidence and apply legal hold to prevent accidental deletion.
  • If using an external negotiation firm or insurer, ensure contracts require evidence handover within the 72 hour reporting window.
  • After the report is submitted, continue preserving evidence in case the Cyber Incident Review Board conducts a post incident review under Part 5 of the Act.
Section 10

Common Mistakes That Cause Ransomware Payment Reporting Failures

Most failures in Australia Cyber Security Act 2024 ransomware reporting happen because of organisational confusion rather than technical difficulty. The report content is factual and structured. The 72 hour reporting window is generous compared to many real time obligations. The failures come from delayed awareness, unclear decision authority, evidence loss, and internal disputes about scope.

The most frequent mistake is starting the 72 hour reporting clock too late because internal teams disagree about whether a payment counts as a ransomware payment under the Act. The definition is broad: any payment or benefit to an extorting entity that is directly related to a demand arising from a cyber security incident. If there is doubt, start the clock and prepare the report while the legal analysis continues.

The second most frequent mistake is failing to account for third party payments. If an insurer, parent company, or external negotiation firm makes the ransomware payment on behalf of the reporting business entity, the entity must still report. The 72 hour window starts from the moment the entity becomes aware the payment was made. Contracts with third parties must include notification obligations that allow the entity to start the reporting process immediately.

  • Starting the 72 hour clock too late because of internal debate about whether the payment qualifies as a ransomware payment.
  • Failing to capture or account for a ransomware payment made by a third party on behalf of the entity.
  • Delaying the report to wait for complete forensic analysis or full incident attribution when the Act only requires what can be found by reasonable search or enquiry within 72 hours.
  • Treating the ransomware payment report as a legal memo or narrative instead of a structured factual submission with specific required fields.
  • Losing evidence because communication logs, wallet details, negotiation records, or payment authorisations were not preserved in a controlled folder.
  • Failing to involve finance, external negotiators, or insurers early enough, leaving gaps in payment and demand information.
  • Not having a pre built report template that mirrors the six categories required by the Act and Rules.
  • Assigning the reporting task to a single individual without backup, creating a single point of failure during a high pressure incident.
Section 11

Tabletop Exercise Design for Ransomware Payment Reporting Readiness

The best way to test your ability to meet the 72 hour reporting obligation under the Australia Cyber Security Act 2024 is to run a tabletop exercise that includes the payment decision, the clock start, the data collection, and the report submission. Many organisations run cyber incident tabletop exercises that stop at containment and recovery. To test ransomware payment reporting readiness, the exercise must continue through the payment decision, the evidence capture, and the report handoff.

Design the exercise scenario so that the payment decision is contested. Include a scenario where an external negotiation firm makes the payment before the board has formally approved it, which forces the team to address the awareness trigger and the third party payment path. Include a scenario where the incident response team cannot determine the malware variant within 72 hours, which forces the team to submit the report with incomplete technical information and understand that this is acceptable under the reasonable search or enquiry standard.

After the exercise, assess three things. First, how long it took from the payment decision to the submission of a complete report template. Second, whether all six categories of report content were populated with available information. Third, whether the evidence folder was maintained in a condition that would support a post incident review by the Cyber Incident Review Board.

  • Run a tabletop exercise at least once per year that extends through the ransomware payment decision and the 72 hour reporting process.
  • Include a scenario where a third party makes the payment without the entity's prior knowledge, triggering the awareness based clock start.
  • Include a scenario where technical details like malware variant or exploited vulnerability are unknown within 72 hours.
  • Measure time from payment decision to completed report template to identify bottlenecks.
  • Verify that all six categories of required report content can be populated from available sources during the exercise.
  • Test the evidence folder process to confirm that communication logs, payment records, and negotiation records are preserved and retrievable.
  • Include legal counsel, insurers, and external negotiation firms in the exercise where those parties are part of the real world response chain.
  • Document exercise findings and update the incident response playbook to close any gaps identified.
Primary sources

References and citations

legislation.gov.au
Referenced sections
  • Part 3 (sections 25 to 32) establishes the ransomware payment reporting obligation, the 72 hour deadline, report content requirements under section 27, liability protection for good faith compliance under section 28, protected information restrictions under sections 29 to 30, admissibility safeguards under section 32, and preservation of legal professional privilege under section 31.
legislation.gov.au
Referenced sections
  • Part 2B contains the separate cyber incident notification requirements for critical infrastructure entities that run in parallel with the Australia Cyber Security Act 2024 ransomware payment reporting obligation.