Today (30 May 2025), the Australian Government’s new ransomware payment reporting rules have come into effect.
As outlined under the Cyber Security Act 2024, any organisation with an annual turnover of more than $3 million will be required to report any ransomware or cyber extortion payment they make.
This must be done within 72 hours of making the payment via the Australian Signals Directorate’s new reporting tool.
The new legislation also paves the way for:
- A new power to mandate security standards for smart devices, which is set to come into effect next year.
- A ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator can be used.
- A new Cyber Incident Review Board, akin to the (previous) U.S. equivalent, to conduct post-incident reviews into significant cyber security incidents, which could see senior executives more likely to face scrutiny over their cyber strategy decisions.
Tim Dillon, Director of Professional Services, APAC, comments:
"The introduction of Australia's latest cyber security laws is a significant step in bolstering national digital resilience against an ever-evolving threat landscape. Governments and regulators globally are grappling with limited visibility into cyber risks - particularly ransomware - which hinders their ability to effectively detect, disrupt, and deter cyber attacks. The concerning underreporting of ransomware incidents, with only one in five victims reporting attacks according to the Australian Institute of Criminology, highlights the urgent need for proportionate regulatory interventions."
"At NCC Group, we have witnessed firsthand the growing complexity of incident reporting requirements. Organisations are now navigating an intricate web of global cyber security regulations, making proactive response planning more critical than ever. We advocate for not only meeting mandatory reporting obligations but also engaging national security bodies and law enforcement, which play a vital role in improving industry-wide resilience."
"Furthermore, we welcome the Government's commitment to advancing security standards in smart devices - a move essential in protecting consumers from cyber threats. Our ongoing research has demonstrated the vulnerabilities inherent in connected devices, reinforcing the need for stringent security principles to become legally binding. As previously advised, investment in regulatory bodies such as the Australian Cyber Security Centre (ACSC) is paramount to ensuring enforcement capabilities align with legislative ambition. Without adequate resources, the effectiveness of these new safeguards could be compromised."