- Cyber Security (Ransomware Payment Reporting) Rules 2025: source for the $3 million turnover threshold, the part-year turnover formula, and the detailed report-content requirements.
Use this workflow after a ransomware or cyber extortion payment to decide whether Part 3 applies, start the 72-hour report clock, collect the required report fields, and preserve the evidence behind the submission.
The workflow is grounded in the Cyber Security Act 2024 and the Cyber Security (Ransomware Payment Reporting) Rules 2025. It is operational guidance that supports implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before it is put into use.
Australia's Cyber Security Act 2024 requires a reporting business entity to give a ransomware payment report within 72 hours after making the payment or becoming aware that the payment has been made, whichever applies. The operational task is to identify the trigger quickly, confirm whether the entity is in scope, gather the information the entity knows or can find by reasonable search or enquiry within the reporting window, and keep a clean record of what was submitted.
Open this workflow when the incident team confirms that the entity has provided, or is aware another entity has provided on its behalf, a payment or benefit to an extorting entity that is seeking to benefit from a cyber security incident or its impact. Treat ransom, cyber extortion, and non-monetary benefits as report-triage inputs, because the Act and Rules focus on the ransomware payment and the demand rather than only on a cash transfer.
Assign the first decision to the incident commander and legal or compliance lead: confirm whether the affected entity is a reporting business entity at the time the payment is made. The Rules describe the common in-scope categories as responsible entities for critical infrastructure assets to which Part 2B of the Security of Critical Infrastructure Act 2018 applies, or businesses carried on in Australia whose previous-financial-year annual turnover exceeds the prescribed threshold.
The workflow clock starts from the applicable statutory event: making the ransomware payment, or becoming aware that the ransomware payment has been made. The owner should log both timestamps when they are different, then calculate the 72-hour deadline from the event that applies to the reporting entity.
Do not wait for perfect attribution or full forensic certainty. The Rules state that information is only required to the extent the reporting business entity knows it or can find it by reasonable search or enquiry within the 72-hour period. The practical control is a timestamped evidence log showing what was known, who searched for missing information, and which fields remained unknown at submission time.
Use the Act's six field groups as the report structure, then add the more specific fields prescribed by the Rules. The report should be prepared as a factual incident record: who is reporting, who paid if different, what happened, what was demanded, what was provided, and what communications occurred with the extorting entity.
Where the approved form or prescribed manner for giving the report is not confirmed in the working record, keep a task open for the compliance owner to verify the current designated Commonwealth body form and submission channel before the deadline. This page cites the Act and Rules for the reporting duty and report contents; current submission-channel instructions should be checked against official operational guidance before filing.
Before submission, run a short approval checkpoint that checks scope, deadline, field completeness, source of each fact, and whether any unknown field has a reasonable-search note. The reviewer should confirm the report is factual, limited to the required incident and payment information, and consistent with any parallel incident reporting obligations.
After submission, retain the report package as an incident evidence record. Include the submitted report, timestamped approval, submission confirmation, source artifacts used for each field, unresolved information notes, and follow-up tasks. Also retain a privilege note where legal counsel has assessed privileged material, because the Act states that providing information in a ransomware payment report does not otherwise affect a claim of legal professional privilege.
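As an added example (not code from this page or from Sorena), the clock owner's checks described above in Python: the scope test using the $3 million previous-financial-year threshold, the 72-hour deadline from whichever statutory event applies, and a task list for any of the six field groups that carries neither a sourced value nor a reasonable-search note. The field-group keys, the function names and the sample incident values are this example's own assumptions; the Rules' part-year turnover formula is not reproduced.

```python
from datetime import datetime, timedelta, timezone

REPORT_WINDOW = timedelta(hours=72)
TURNOVER_THRESHOLD_AUD = 3_000_000  # previous-financial-year threshold stated in the Rules
# The Act's six field groups as paraphrased on this page; the key names are this example's own.
FIELD_GROUPS = ("reporting_entity", "paying_entity", "incident_and_impact",
                "extortion_demand", "payment_or_benefit", "communications")

def in_scope(prev_fy_turnover_aud, soci_part_2b_entity):
    """Scope test at the time of payment: a Part 2B SOCI responsible entity, or a business whose
    previous-financial-year turnover exceeds the threshold. The Rules' part-year turnover
    formula is not reproduced here (assumption: full-year figures only)."""
    return soci_part_2b_entity or prev_fy_turnover_aud > TURNOVER_THRESHOLD_AUD

def report_deadline(paid_at, aware_at, entity_made_payment):
    """Start the 72-hour clock from the applicable event: making the payment when the entity paid,
    or becoming aware when another entity paid on its behalf. Log both timestamps regardless."""
    trigger = paid_at if entity_made_payment else aware_at
    return trigger + REPORT_WINDOW

def open_tasks(fields, now, deadline):
    """Tasks for the clock owner: each field group needs a sourced value or a reasonable-search
    note (who searched, what is still unknown) before the approval checkpoint."""
    tasks = []
    for group in FIELD_GROUPS:
        entry = fields.get(group, {})
        sourced = bool(entry.get("value")) and bool(entry.get("source"))
        if not sourced and not entry.get("search_note"):
            tasks.append(f"{group}: add a sourced value or a reasonable-search note")
    hours_left = (deadline - now) / timedelta(hours=1)
    if hours_left < 0:
        tasks.insert(0, "deadline passed: escalate to incident commander and compliance owner")
    elif hours_left < 12:
        tasks.insert(0, f"approval checkpoint due: {hours_left:.1f} hours left")
    return tasks

def demo():
    """Constructed sample: a retained provider paid on the entity's behalf; the entity learned of
    the payment six hours later, so the clock runs from the awareness timestamp."""
    utc = timezone.utc
    paid_at, aware_at = datetime(2025, 3, 1, 9, tzinfo=utc), datetime(2025, 3, 1, 15, tzinfo=utc)
    deadline = report_deadline(paid_at, aware_at, entity_made_payment=False)
    fields = {  # constructed values; "communications" has neither a value nor a search note yet
        "reporting_entity": {"value": "Example Pty Ltd", "source": "company register extract"},
        "paying_entity": {"value": "retained IR provider", "source": "engagement letter"},
        "incident_and_impact": {"value": "file servers encrypted, 2-day outage", "source": "IR timeline"},
        "extortion_demand": {"search_note": "note recovered, amount illegible; legal reviewing"},
        "payment_or_benefit": {"value": "crypto transfer by provider", "source": "provider attestation"},
    }
    return {"deadline": deadline.isoformat(), "tasks": open_tasks(fields, datetime(2025, 3, 4, 8, tzinfo=utc), deadline)}
```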
"Information is only required to be given to the extent that the reporting business entity knows or is able"
"the nature and timing of any communications between the entity and the extorting entity"
"the amount of turnover threshold for a business for the previous financial year is $3 million"
"within 72 hours of making the ransomware payment or becoming aware"
"provides, or is aware that another entity has provided on their behalf, a payment or benefit"
"the cyber security incident, including its impact on the reporting business entity"
"only for the purposes of one or more of the following"
"does not otherwise affect a claim of legal professional privilege"