
Introduction of mandatory ransomware payment reporting in Australia today is a welcome development. But it won’t reach its full potential as a cybersecurity mechanism unless the government openly shares what it learns from these reports.
The ransomware problem is too big for the government to solve alone. Public reporting of the information, with identities removed, would help the broader cybersecurity ecosystem to direct resources where they’re needed most.
From today, 30 May, Australian businesses with an annual turnover exceeding $3 million and ‘responsible entities’ of critical infrastructure assets, as defined by the Security of Critical Infrastructure Act 2018, must report any ransomware or cyber extortion payment to the Australian Signals Directorate (ASD) within 72 hours. The regime, set out in the Cyber Security Act 2024, covers payments and any non-monetary benefits, whether made directly or through a third party. This new requirement addresses an important visibility gap: previously, ransomware payments and incident responses often occurred in silence, kept quiet under legal advice and assessments of risks to reputations. This has resulted in a lack of public reporting and fragmented insight into the threat environment.
The case for mandatory reporting is clear. When done properly, it helps build a clearer picture of how attacks unfold: who is being targeted, what methods are being used, how attackers communicate with victims, the nature of the demands and payments, and what kinds of effects they have on businesses. This insight is essential for shaping smarter, more targeted and more timely policies and responses. It’s a dataset that, if used well, can significantly improve our understanding of Australia’s ransomware threat landscape.
But at present, the legislation does not require the government to release this data publicly. Information may be used by select government agencies to assist in responding to the incident or to coordinate a national response, and may not be used in legal or regulatory proceedings against the victim.
Ransomware is not just a government problem; it is also a commercial, legal, insurance, technological and social one. Cybersecurity firms, managed service providers, and researchers all play a role in deterring, defending against and responding to ransomware. If the reported information remains siloed within government agencies, we will miss an opportunity to harness it more broadly. That’s why the information from reporting should be shared—in an aggregated, not case-by-case, form and with identities removed—through public channels such as ASD’s annual cyber threat report or a dedicated ransomware trend webpage on its website. Public sharing of this data could also facilitate the measurement of the new policy’s impact on the ransomware problem over time.
At present, public understanding of the sectors most hit by cyberattacks is skewed. According to ASD’s annual threat reports, the largest volume of cyber incident reports comes from federal and state government agencies. That says more about their compliance posture than it does about who is being targeted. Many ransomware incidents, let alone payments, affecting businesses never make it into the public record. Mandatory reporting has the potential to rebalance that picture—if the data is shared openly. It would help the public to understand which sectors are most targeted, which attack methods are trending, what operational weaknesses are being exploited, and the societal cost of such attacks.
This data may also reveal why businesses continue to pay ransomware demands, despite ASD’s recommendations against doing so. This knowledge could support better risk management practices, more targeted advice from cybersecurity professionals, and more informed public debate.
The new regime may also help to shift a culture of blame to one of resilience. When reporting is mandatory, businesses will no longer have to justify their decision to report. They can spend those resources on preventing recurrence. A ransomware victim is, after all, a victim. Hopefully, over time it will help to normalise open discussion of cyber incidents and improve cyber resilience, breaking the silence that often benefits only the attackers.
In the initial phase, the Department of Home Affairs has committed to an education-first approach. From now until the end of 2025, the focus will be on raising awareness and encouraging compliance, rather than immediate enforcement. That’s a sensible way to build trust and maturity in the system. But as the scheme evolves, the focus should expand from compliance to effect. That means not only collecting data, but also using it to improve public visibility and strengthen collective defences.
The ransomware problem will not be solved behind closed doors. Transparency, even in anonymised form, is one of the strongest tools we have. Sharing data across sectors is what will allow Australia to target its response, inform its investments, and bring in the full breadth of capability needed to push back against this threat.
Mandatory reporting is the right move. But now we need to follow through. Let’s make the data count by making it public knowledge.