The Cyber Security (Ransomware Payment Reporting) Rules 2025 were registered on 3 March 2025 to implement the requirements of the Cyber Security Act 2024, which imposes a mandatory reporting obligation for ransomware payments.
Background
The obligation applies to prescribed entities impacted by a cyber security incident that have provided, or are aware that another entity has provided on their behalf, a payment or benefit to an entity seeking to benefit from the impact of the incident.
The reporting obligations will commence on 30 May 2025.
Who must report?
The reporting business entities are either responsible entities for a critical infrastructure asset under the Security of Critical Infrastructure Act 2018 (SOCI Act), or another entity that meets the criteria of a reporting business entity in section 26(2) of the Cyber Security Act.
Section 26(2) provides that an entity will be subject to the reporting obligation if, at the time the ransomware payment is made, the entity:
- is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold for that year prescribed in the Rules, and is not a Commonwealth or State body or a responsible entity for a critical infrastructure asset; or
- is a responsible entity for a critical infrastructure asset to which Part 2B of the SOCI Act applies.
For this purpose, the Rules establish a turnover threshold of $3 million.
When must the report be made?
Entities subject to the mandatory reporting obligation must provide a ransomware payment report to the designated Commonwealth body within 72 hours of the making of a ransomware payment or becoming aware the payment has been made.
What must be in the report?
The ransomware payment report must contain information specified in section 27(2) of the Act, which includes contact and business details of the entity that made the report, details about the cyber security incident, the demand made and payment provided, and any communications with the extorting entity.
The Rules prescribe that the following information must be contained as part of a ransomware payment report for the purposes of section 27(2) of the Act:
- an Australian Business Number for the reporting business entity, or the entity that made the report on the reporting business entity’s behalf (paragraph 27(2)(b));
- information about the cyber security incident, which should include when the incident occurred, the impact of the incident, the variant of ransomware used, the vulnerabilities that were exploited and other information that could assist a Commonwealth body or State body to respond to the cyber security incident;
- information about the ransomware payment itself, which should include the quantum and method of the ransomware payment, or equivalent details if the payment was non-monetary; and
- information about the communications with the extorting entity, which should include the nature and timing of those communications and a description of them.
The Cyber Security (Cyber Incident Review Board) Rules 2025 and the Cyber Security (Security Standards for Smart Devices) Rules 2025 have also been registered.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.