Newsletter Article

AUSTRALIA’S RANSOMWARE REPORTING REGIME: NOW IN ACTIVE COMPLIANCE

Snare Insider Newsletter Series Article

Make sure you Subscribe

Australia’s mandatory ransomware and cyber-extortion payment reporting requirements sit in Part 3 of the Cyber Security Act 2024 (Cth) and commenced on 30 May 2025. Since 1 January 2026, the regime has moved from its initial “education-first” stage into a more active compliance and enforcement posture under the Department of Home Affairs, and it is now well into that phase.

A “reporting business entity” is defined under section 26(2) of the Act as either an entity carrying on business in Australia with annual turnover exceeding AUD $3 million in the previous financial year (the threshold is set by section 6 of the Cyber Security (Ransomware Payment Reporting) Rules 2025), or a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies, regardless of turnover.

Where a covered entity makes, or becomes aware that another party has made, a ransomware or cyber-extortion payment on its behalf, it has 72 hours to submit a report to ASD via the ReportCyber portal. Failure to report within that window can attract a civil penalty of up to 60 penalty units (currently AUD $19,800).

The stakes are not theoretical. Industry surveys cited in recent legal analysis of the regime put the proportion of Australian businesses hit by a ransomware attack at 69% in 2024, up from 56% in 2023, with 84% of victims paying, an average payment of AUD $1.35 million.

Why logs become critical

The reporting process may require organisations to determine:

  • When the incident occurred
  • When the organisation became aware of it
  • Which systems and customers were affected
  • What ransomware or malware was involved
  • Which vulnerabilities may have been exploited
  • How the attacker entered and moved through the environment
  • What communications and actions took place during the incident

These questions cannot be answered reliably when logs are missing, inconsistent, overwritten, or spread across disconnected systems.

Ransomware evidence readiness checklist

☐  Retain authentication, endpoint, network and privileged-access logs

☐  Protect evidence from modification during an active incident

☐  Record the initial detection and subsequent response timeline

☐  Preserve indicators of compromise and attacker activity

☐  Maintain logs from relevant cloud and third-party services

☐  Confirm that historical evidence can be retrieved quickly

☐  Test the ability to produce an incident timeline within 72 hours

Incident reporting readiness begins long before an incident occurs.

Snare Solutions
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.