
What should be reported?
According to the factsheet, the ransomware report should include the contact and business details of the company that made the payment, including its Australian Business Number.
It should also describe the cybersecurity incident itself: its impact on the business entity, the demand made by the extorting entity, and the amount of the ransomware payment.
“The Cyber Security Act 2024 provides that a civil penalty of 60 penalty units may apply where a reporting business entity fails to make a mandatory ransomware payment or cyber extortion report,” the factsheet says.
Education-First Approach
However, it noted that the government is taking an education-first approach to the new scheme from May 30, 2025, to December 31, 2025, and that during this period the Home Affairs Department will pursue regulatory action only “in cases of egregious non-compliance.”
“The Department will engage with Australian entities, industry groups, peak bodies, and other relevant stakeholders through Town Hall meetings and by providing practical resources, including Frequently Asked Questions (FAQs), factsheets, and user guides for incident reporting,” it added.