---
title: "CSA 2024 Ransomware Payment Reporting Workflow"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-workflow"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-workflow"
author: "Sorena AI"
description: "Operational workflow for Australia Cyber Security Act 2024 ransomware payment reports: scope, 72-hour trigger, report fields, owners, evidence, and cited Act and Rules sources."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Australia Cyber Security Act 2024"
  - "ransomware payment report"
  - "ransomware payment reporting workflow"
  - "Cyber Security Ransomware Payment Reporting Rules 2025"
  - "Australia Cyber Security Act"
  - "Ransomware payment reporting"
  - "Cyber extortion reporting"
  - "Incident response"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# CSA 2024 Ransomware Payment Reporting Workflow

Operational workflow for Australia Cyber Security Act 2024 ransomware payment reports: scope, 72-hour trigger, report fields, owners, evidence, and cited Act and Rules sources.

*Workflow Guide* *Australia* *Ransomware Payment Reports*

## Cyber Security Act 2024 ransomware payment reporting workflow

Use this workflow after a ransomware or cyber extortion payment to decide whether Part 3 applies, start the 72-hour report clock, collect the required report fields, and preserve the evidence behind the submission.

The workflow is grounded in the Cyber Security Act 2024 and the Cyber Security (Ransomware Payment Reporting) Rules 2025. It is operational guidance to support implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before it is relied on.

Australia's Cyber Security Act 2024 requires a reporting business entity to give a ransomware payment report within 72 hours after making the payment or becoming aware that the payment has been made, whichever applies. The operational task is to identify the trigger quickly, confirm whether the entity is in scope, gather the information the entity knows or can find by reasonable search or enquiry within the reporting window, and keep a clean record of what was submitted.

## Start with the payment trigger and scope test

Open this workflow when the incident team confirms that the entity has provided, or is aware another entity has provided on its behalf, a payment or benefit to an extorting entity that is seeking to benefit from a cyber security incident or its impact. Treat ransom, cyber extortion, and non-monetary benefits as report-triage inputs, because the Act and Rules focus on the ransomware payment and the demand rather than only on a cash transfer.

Assign the first decision to the incident commander and legal or compliance lead: confirm whether the affected entity is a reporting business entity at the time the payment is made. The Act defines the in-scope categories as responsible entities for critical infrastructure assets to which Part 2B of the Security of Critical Infrastructure Act 2018 applies, and entities carrying on business in Australia whose annual turnover for the previous financial year exceeds the threshold prescribed by the Rules; the Rules set that threshold and the part-year turnover formula.

- Record the incident identifier, affected legal entity, payment-maker, payment date and time, and the time the reporting entity became aware that payment had been made.
- Record the scope basis: responsible entity for a Part 2B critical infrastructure asset, business carried on in Australia above the turnover threshold, or out of scope with the reason.
- For the turnover path, record previous-financial-year turnover and whether the part-year formula in the Rules is relevant.
- If another entity paid on behalf of the reporting entity, capture that entity's contact and business details because the Act and Rules require those details in the report.

Sources for this answer:

- [Cyber Security Act 2024, section 26](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports the trigger for Part 3: a cyber security incident, an extorting demand, and a payment or benefit provided by the reporting business entity or on its behalf.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025, sections 5 and 6](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Supports the reporting-business-entity scope test and the prescribed turnover threshold used in the workflow.

## Run the 72-hour report clock from payment or awareness

The workflow clock starts from the applicable statutory event: making the ransomware payment, or becoming aware that the ransomware payment has been made. The owner should log both timestamps when they differ (for example, when an insurer or negotiator paid on the entity's behalf and the entity learned of it later), record them with an explicit timezone offset, and calculate the deadline from the event that applies to the reporting entity. The window is 72 elapsed hours, not three business days, so a payment made late on a Friday is still reportable by the following Monday.

Do not wait for perfect attribution or full forensic certainty. The Rules state that information is only required to the extent the reporting business entity knows it or can find it by reasonable search or enquiry within the 72-hour period. The practical control is a timestamped evidence log showing what was known, who searched for missing information, and which fields remained unknown at submission time.

- Incident commander: confirms the payment or awareness trigger and keeps the incident timeline.
- Legal or compliance lead: confirms the reporting entity, deadline, report approval path, and any privilege handling.
- Finance or treasury owner: provides payment amount, payment method, wallet or payment-route details where known, and payment approval evidence.
- Security operations and forensics owner: provides incident timing, ransomware or malware variant, exploited vulnerabilities where known, infrastructure impact, and customer impact.
- Communications or negotiator owner: provides the nature, timing, and brief description of communications and any pre-payment negotiations with the extorting entity.

Sources for this answer:

- [Cyber Security Act 2024, section 27](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports the 72-hour reporting deadline and the rule that the clock runs from payment or awareness, whichever is applicable.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025, section 7](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Supports submitting known or reasonably discoverable information within the reporting period instead of delaying for unavailable details.

## Build the report from statutory and Rules fields

Use the Act's six field groups as the report structure, then add the more specific fields prescribed by the Rules. The report should be prepared as a factual incident record: who is reporting, who paid if different, what happened, what was demanded, what was provided, and what communications occurred with the extorting entity.

Where the approved form or prescribed manner for giving the report is not confirmed in the working record, keep a task open for the compliance owner to verify the current designated Commonwealth body form and submission channel before the deadline. This page cites the Act and Rules for the reporting duty and report contents; current submission-channel instructions should be checked against official operational guidance before filing.

- Reporting entity details: contact and business details, ABN if any, and address.
- Payment-maker details: if another entity paid, its contact and business details, ABN if any, and address.
- Incident details: when the incident occurred or is estimated to have occurred, when the reporting entity became aware, infrastructure impact, customer impact, ransomware or malware variant if any, exploited vulnerabilities if any, and information that could assist Commonwealth or State response, mitigation, or resolution.
- Demand details: amount or quantum demanded, or a description if the demanded ransomware payment was a non-monetary benefit, plus the method of provision demanded.
- Payment details: amount or quantum actually provided, or a description if the ransomware payment was a non-monetary benefit, plus the method of provision.
- Communications details: nature and timing of communications with the extorting entity, a brief description of those communications, and a brief description of any pre-payment negotiations.

Sources for this answer:

- [Cyber Security Act 2024, section 27](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports the six mandatory categories of ransomware payment report information in the workflow.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025, section 7](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Supports the specific report fields for ABN, address, incident timing, impacts, malware, vulnerabilities, demand, payment, and extorting-entity communications.

*Recommended next step*

## Turn the ransomware payment report workflow into assigned incident tasks

Use this Australia Cyber Security Act workflow to assign the 72-hour clock owner, report-field owners, evidence requests, approval checkpoints, and submission records inside Sorena.

- [Open Assessment Autopilot for Australia Cyber Security Act](/solutions/assessment.md): Convert the ransomware reporting trigger, scope test, report fields, and evidence index into assigned incident-response tasks.
- [Review Australia Cyber Security Act source evidence](/solutions/research-copilot.md): Use Research Copilot to check follow-up questions against the Act, Rules, and explanatory material.
- [Talk through implementation](/contact.md): Review ransomware payment reporting ownership, evidence handling, and report preparation with Sorena.

## Approve, submit, and preserve the evidence record

Before submission, run a short approval checkpoint that checks scope, deadline, field completeness, source of each fact, and whether any unknown field has a reasonable-search note. The reviewer should confirm the report is factual, limited to the required incident and payment information, and consistent with any parallel incident reporting obligations.

After submission, retain the report package as an incident evidence record. Include the submitted report, timestamped approval, submission confirmation, source artifacts used for each field, unresolved information notes, and follow-up tasks. Also retain a privilege note where legal counsel has assessed privileged material, because the Act states that providing information in a ransomware payment report does not otherwise affect a claim of legal professional privilege.

- Keep a field-by-field evidence index that links each report answer to the incident ticket, finance record, forensic note, communication log, or counsel-approved summary that supports it.
- Keep a clock record showing the payment or awareness event, the 72-hour deadline, approval timestamp, and submission timestamp.
- Keep a reasonable-search record for fields that were unknown, including who searched, what systems or people were checked, and when the search closed for reporting purposes.
- Keep a distribution and use-control note for the report package, because the Act limits use and disclosure of information provided in ransomware payment reports and includes admissibility protections for the reporting business entity.
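The 72-hour clock rule above and this pre-submission checkpoint can be enforced by the incident ticketing tooling rather than by hand. The following is an added example, not code from Sorena or from any official form: it computes the deadline from whichever statutory event applies, keeps a field-by-field evidence index using the six statutory field groups, and refuses to mark the report submittable while any required field lacks either a source reference or a reasonable-search note. The group and field names, the `IR-1042` ticket identifiers, and the sample timestamps are this example's own assumptions.

```python
"""Added example: 72-hour clock and pre-submission completeness check for a
Cyber Security Act 2024 ransomware payment report. Field names below are
illustrative labels, not the approved form."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

REPORT_WINDOW = timedelta(hours=72)  # s 27: 72 elapsed hours, not business days

# Six statutory field groups (s 27) expanded with representative Rules fields.
# Group and field names are this example's own, not the designated body's form.
REQUIRED_FIELDS = {
    "reporting_entity": ("contact_details", "business_details", "address"),
    "payment_maker": ("contact_details", "business_details", "address"),
    "incident": ("occurred_at", "aware_at", "infrastructure_impact",
                 "customer_impact", "malware_variant", "exploited_vulnerabilities"),
    "demand": ("quantum_or_description", "method_demanded"),
    "payment": ("quantum_or_description", "method_provided"),
    "communications": ("nature_and_timing", "description", "pre_payment_negotiations"),
}


@dataclass
class FieldEntry:
    """One report answer plus the evidence-index entry behind it."""
    value: Optional[str] = None        # the answer as it will appear in the report
    source: Optional[str] = None       # ticket, finance record or forensic note id
    search_note: Optional[str] = None  # who searched which systems, and when, if unknown

    def resolved(self) -> bool:
        # Submittable when answered with a source, or still unknown but
        # carrying a reasonable-search note (Rules s 7 "knows or is able to find").
        if self.value is not None:
            return self.source is not None
        return self.search_note is not None


@dataclass
class ReportRecord:
    paid_at: datetime                 # when the ransomware payment was made
    aware_at: datetime                # when the reporting entity learned it was made
    paid_by_reporting_entity: bool    # False when another entity paid on its behalf
    fields: dict = field(default_factory=dict)  # group -> field name -> FieldEntry

    def __post_init__(self) -> None:
        for name, ts in (("paid_at", self.paid_at), ("aware_at", self.aware_at)):
            if ts.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")
        if self.aware_at < self.paid_at:
            raise ValueError("awareness cannot precede the payment")

    def trigger_event(self) -> datetime:
        # Clock runs from making the payment, or from awareness when another
        # entity made the payment on the reporting entity's behalf.
        return self.paid_at if self.paid_by_reporting_entity else self.aware_at

    def deadline(self) -> datetime:
        return self.trigger_event() + REPORT_WINDOW

    def required_groups(self) -> list:
        groups = list(REQUIRED_FIELDS)
        if self.paid_by_reporting_entity:
            groups.remove("payment_maker")  # only required when another entity paid
        return groups

    def readiness_issues(self, now: datetime) -> list:
        """Pre-submission checkpoint: empty list means the report may be
        submitted; otherwise each blocking problem is returned as a string."""
        issues = []
        if now > self.deadline():
            issues.append(f"deadline {self.deadline().isoformat()} has passed")
        for group in self.required_groups():
            entries = self.fields.get(group, {})
            for name in REQUIRED_FIELDS[group]:
                entry = entries.get(name)
                if entry is None:
                    issues.append(f"{group}.{name}: no evidence index entry")
                elif not entry.resolved():
                    issues.append(f"{group}.{name}: needs a source or a reasonable-search note")
        return issues


def example_record() -> ReportRecord:
    """Constructed sample: a negotiator paid on the entity's behalf and the
    entity learned of the payment six hours later. Ticket ids are invented."""
    paid = datetime(2025, 9, 1, 2, 15, tzinfo=timezone.utc)
    rec = ReportRecord(paid_at=paid, aware_at=paid + timedelta(hours=6),
                       paid_by_reporting_entity=False)
    rec.fields = {g: {f: FieldEntry(value="recorded", source=f"IR-1042/{g}/{f}")
                      for f in REQUIRED_FIELDS[g]} for g in REQUIRED_FIELDS}
    # Two fields still unknown: one with a search note, one nobody has searched.
    rec.fields["incident"]["exploited_vulnerabilities"] = FieldEntry(
        search_note="forensics lead checked EDR and VPN logs 2025-09-02T10:00Z; no CVE confirmed")
    rec.fields["incident"]["malware_variant"] = FieldEntry()
    return rec


if __name__ == "__main__":
    rec = example_record()
    print("deadline:", rec.deadline().isoformat())
    for issue in rec.readiness_issues(datetime(2025, 9, 2, 12, 0, tzinfo=timezone.utc)):
        print("blocking:", issue)
```

The check deliberately treats "unknown, with a search note" as submittable and "unknown, nobody searched" as blocking: that distinction is what the reasonable-search record in the retained evidence package has to prove later. Naive (offset-less) timestamps are rejected outright, because a payment time logged in local time by the negotiator and an awareness time logged in UTC by the SOC is the most common way a 72-hour deadline gets miscalculated.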

Sources for this answer:

- [Cyber Security Act 2024, sections 28 to 32](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports retaining evidence around good-faith compliance, legal professional privilege, admissibility protections, and use or disclosure limits for ransomware payment report information.
- [Cyber Security Act 2024, section 29](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports treating report information as controlled incident information that may only be used or disclosed for permitted purposes.

## Primary sources

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Primary Act source for the Part 3 ransomware payment reporting trigger, 72-hour deadline, report categories, civil penalty, privilege, admissibility, and use or disclosure protections.
  - Quote: "within 72 hours of making the ransomware payment or becoming aware"
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Rules source for the $3 million turnover threshold, part-year turnover formula, and detailed report-content requirements.
  - Quote: "Information is only required to be given to the extent that the reporting business entity knows or is able"

## Related Topic Guides

- [Australia Cyber Security Act 2024 scope and definitions](/artifacts/apac/australia-cyber-security-act/scope-and-definitions.md): Grounded scope guide for Australia's Cyber Security Act 2024: relevant connectable products, consumer-grade smart devices, reporting business entities, ransomware payment reports, and SOCI overlap.
- [Australia Cyber Security Act and SOCI Act overlap](/artifacts/apac/australia-cyber-security-act/security-of-critical-infrastructure-act-overlap.md): How the Australia Cyber Security Act overlaps with the Security of Critical Infrastructure Act for responsible entities, ransomware payment reporting, smart devices, and evidence records.
- [Australia Cyber Security Act Applicability Test](/artifacts/apac/australia-cyber-security-act/applicability-test.md): Decide whether the Australia Cyber Security Act 2024 applies to a smart-device product, supplier, manufacturer, or ransomware payment reporting scenario.
- [Australia Cyber Security Act Compliance Checklist](/artifacts/apac/australia-cyber-security-act/checklist.md): Concrete checklist items for Australian Cyber Security Act smart-device and ransomware duties, with SOCI and APRA CPS 234 evidence checks.
- [Australia Cyber Security Act Compliance Guide](/artifacts/apac/australia-cyber-security-act/compliance.md): A source-linked compliance guide for Australia Cyber Security Act smart-device statements, ransomware payment reporting, incident coordination, and review-board readiness.
- [Australia Cyber Security Act Deadlines and Compliance Calendar](/artifacts/apac/australia-cyber-security-act/deadlines-and-compliance-calendar.md): Calendar of grounded Australia Cyber Security Act milestones for ransomware reporting, smart-device security standards, statements of compliance, and statutory review.
- [Australia Cyber Security Act FAQ](/artifacts/apac/australia-cyber-security-act/faq.md): Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review.
- [Australia Cyber Security Act penalties and fines](/artifacts/apac/australia-cyber-security-act/penalties-and-fines.md): Grounded guide to Australia Cyber Security Act civil penalties, smart-device enforcement notices, ransomware reporting exposure, Board notice failures, and evidence records.
- [Australia Cyber Security Act recordkeeping FAQ](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md): What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks.
- [Australia Cyber Security Act Requirements](/artifacts/apac/australia-cyber-security-act/requirements.md): Australia Cyber Security Act requirements for smart-device security standards, statements of compliance, ransomware payment reports, notices, and evidence records.
- [Australia Cyber Security Act Statement of Compliance Evidence](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence.md): Evidence guide for Australia Cyber Security Act smart-device statements of compliance: required fields, manufacturer and supplier records, five-year retention, and examination readiness.
- [Australia Cyber Security Act templates](/artifacts/apac/australia-cyber-security-act/templates.md): Grounded template fields for Australia Cyber Security Act smart-device scope, statements of compliance, ransomware reports, notices, SOCI overlap, and records.
- [Australia Cyber Security Act Timeline And Commencement Guide](/artifacts/apac/australia-cyber-security-act/timeline-and-commencement.md): Australia Cyber Security Act guidance for Timeline And Commencement, with practical decisions, evidence, edge cases, and external source citations.
- [Australia Cyber Security Act vs EU Cyber Resilience Act](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes.
- [Australia Cyber Security Act vs UK PSTI Act Guide](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime.
- [Australia ransomware payment reporting 72-hour duty](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-72-hours.md): Explain when Australia's Cyber Security Act 2024 requires a ransomware payment report, when the 72-hour clock starts, and what information the report must contain.
- [Australia Smart Device Security Standards under the Cyber Security Act](/artifacts/apac/australia-cyber-security-act/smart-device-security-standards.md): Plain-English guide to Australia's Cyber Security (Security Standards for Smart Devices) Rules 2025: scope, passwords, vulnerability reporting, support periods, statements of compliance, and evidence records.
- [Australia Smart Device Statement of Compliance Evidence Workflow](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence-workflow.md): Evidence workflow for preparing, supplying, and retaining statements of compliance under Australia's Cyber Security Act 2024 and Smart Devices Rules.
- [CSA 2024 Ransomware Threshold & Report FAQ](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md): FAQ answer on Australia's Cyber Security Act ransomware payment reporting scope, $3 million turnover threshold, 72-hour trigger, report fields, and evidence.
- [CSA 2024 Smart Device Applicability Test](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-and-product-scope.md): Check whether a smart device is a consumer-grade relevant connectable product under Australia's Cyber Security Act and Smart Devices Rules.
- [CSA 2024 Smart Device Statement of Compliance](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-and-recordkeeping.md): What a smart-device statement of compliance must contain under Australia's Cyber Security Act 2024 and Smart Device Rules, who prepares and supplies it, how long to retain it, and how to prepare for examination.
- [Cyber Security Act 2024 Smart Device Compliance Checklist](/artifacts/apac/australia-cyber-security-act/smart-device-compliance-checklist.md): Checklist for Australia Cyber Security Act 2024 smart-device scope, password controls, vulnerability reporting, security-update support periods, statements of compliance, retention, and evidence.
- [Cyber Security Act 2024 Statements of Compliance FAQ](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md): FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations.
- [Cyber Security Act vs EU CRA: scope and obligations comparison](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes.
- [Cyber Security Act vs UK PSTI Act: device security obligations compared](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime.
- [How do notices and recalls work under the Australia Cyber Security Act?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md): FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing.
- [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md): FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties.
- [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md): Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations.
- [Smart Device Applicability: CSA 2024](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-workflow.md): A source-linked workflow for deciding whether a connected product is covered by Australia's Cyber Security Act 2024 smart-device standard and what evidence to keep.
- [SOCI overlap triage workflow for Australia Cyber Security Act](/artifacts/apac/australia-cyber-security-act/soci-overlap-triage-workflow.md): Triage SOCI Act overlap with Australia Cyber Security Act ransomware reporting and smart-device standards using separate owners, evidence, and source-linked scope checks.
- [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md): FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-workflow
