New laws mandating the reporting of cyber ransom payments came into effect on May 30, 2025.
The new regulations apply to businesses with a $3 million turnover.
Companies that have made payments to a third party as the result of extortion must report the payment, whether it be in cash or kind, to the Australian Signals Directorate portal within 72 hours.
While the authority that manages the Cyber Security Act 2024, the Department of Home Affairs, says it will take an education-first approach, companies that deliberately fail to report a payment face fines of up to 60 penalty units (nearly $20,000).
“The Department will prioritise an education-first approach period for the first six months after commencement, to socialise the reporting form with regulated entities, manage any challenges and identify key compliance barriers. During this phase, the Department would aim to pursue regulatory action only in cases of egregious non-compliance,” the Department of Home Affairs outlined on its mandatory cyber ransom payments fact sheet, which is available from its website.
Material that is provided under the reporting procedure cannot be used in a court of law against the company providing the information.