What the new ransomware payment reporting regime means for Aussie partners


This isn’t just a new rule — it’s a turning point in how Australian businesses manage risk and build resilience.


On 30 May 2025, a new government-mandated ransomware payment reporting regime came into effect, marking a major turning point for Australian businesses.

For the Australian channel community, it represents a critical juncture in managing their cybersecurity defences and response planning.

This comes as Australia remains a prime target for threat actors, with Arctic Wolf research finding 85 percent of respondents across Australia and New Zealand had experienced a ‘significant’ cyberattack in the last 12 months, compared to the 76 percent global average.

“It’s more than just a compliance obligation for the channel; it’s a strategic inflection point,” Peter Cardassis, technical services director with Logicalis Australia says.

The implications extend to how businesses manage their defences, including third-party relationships, incident management and executive oversight.

“Partners need to play an active role in helping customers understand what’s changed, embed these requirements into their incident response plans, and integrate reporting into business-as-usual practices in the event of a breach,” Cardassis says.

The new regime requires businesses with a turnover of $3 million a year, or those involved in critical infrastructure such as energy providers and telecoms, to report payments made in relation to ransomware and cyber extortion attacks to the Australian Signals Directorate (ASD) via cyber.gov.au.

For businesses captured by the regime, any ransomware payment, whether monetary or not, must be reported, regardless of whether data was exfiltrated or stolen beforehand.

Fred Thiele, CISO at Interactive, explains, “The obligation to disclose applies across the board, with the exception of Commonwealth and state government entities.”

Where the payment reporting obligations apply

Australian businesses have proven willing to meet the demands, with 74 percent of victim organisations in ANZ paying to prevent the release of stolen data, well above the global average of 50 percent, according to Arctic Wolf data.

If a payment is made after the initial attack, such as to unlock data or after data has been exfiltrated or stolen, businesses must still report the payment.

Vidit Sehgal, CEO of IT service provider V4 IT, explains that this is a very important part of the rule.

“Even if hackers steal data and the ransom is paid afterward, not during the attack, the business still has to report it,” he says.

It tightens the regime and requires businesses to treat all payment situations carefully.

Cardassis at Logicalis says this shifts the focus from how the attack occurred to how the business responds and puts added emphasis on incident response plans.

“This reinforces the need for strong post-incident protocols, such as having legal counsel on standby, data governance front and centre, and the ability to act with speed and clarity under pressure,” he tells CRN Australia.

It’s important to note that the reporting requirements are triggered if payments are made by the business and not simply where there’s a demand for ransom or other payment.

However, it can get complicated in that third-party businesses, including overseas entities, that provide essential services to Australian businesses can trigger the reporting requirement if they make a cyber extortion payment.

The reporting requirement also applies to non-monetary payments, which could include assistance or free services.

“If your business, or someone acting on your behalf, like an insurer or IT provider, pays a ransom — even in the form of a service or non-cash deal — it must be reported. It’s not just about money, even indirect help to attackers counts,” says Sehgal.

If the business has made, or is aware another entity has made a payment on their behalf, it needs to be reported within 72 hours. The reporting regime also includes penalties for failing to report payments.

“Failure to comply with the new ransomware reporting requirements may result in severe penalties—up to 60 penalty units,” says Dan Boufarhat, director at IT First Responder.

Boufarhat points out that this regime means ransomware payments and cyber extortion are no longer just a technical issue for businesses.

“Executive and board-level oversight is essential, and leaders must treat ransomware response as a governance priority. Businesses operating across borders should also be aware of jurisdictional differences in reporting obligations, which can complicate compliance,” he says.

While reporting data will not be made public at this stage, intel gathered by the reporting system will feed into national threat coordination networks and advisories, including the Cyber Incident Review Board, according to Mark Thomas, director of security services, ANZ at Arctic Wolf.

“That said, greater public-private collaboration with government, business and the security community will uplift Australia’s cyber resilience as a whole as threats continue to evolve,” Thomas tells CRN.

How should partner businesses address the new requirements?

In response to this new regime, businesses should treat this as a catalyst to revisit their entire cybersecurity posture, starting with governance, says Cardassis.

“Building transparency and accountability from the boardroom down is critical to navigating this new era,” he says.

To begin with, businesses need to clearly understand their reporting obligations and document them within their crisis, business continuity and incident response frameworks, Thiele at Interactive says.

“These plans should be tested regularly to ensure reporting obligations are covered,” he says.

Boufarhat notes that when reviewing incident response plans, clear escalation pathways should be established so staff know when and how to act.

He says accurate documentation of incidents, including timelines, payment details, communications with attackers and evidence of data exfiltration, will be crucial to meet reporting obligations quickly and correctly.

“Using integrated platforms, which combine backup and cybersecurity visibility, can help streamline this documentation process and support timely, compliant reporting,” he says.

Executives and the board must be fully aware of these new obligations, with a clear process that outlines how ransomware payment decisions are approved.

“It’s essential to embed board-level accountability, ensuring executives are briefed on the 72-hour reporting window and their role in governance,” he adds.

There also needs to be transparency around payment decisions, which can be particularly sensitive when it comes to ransomware.

Thiele says, “A well-documented and clearly understood decision-making framework is critical so everyone knows who has the authority to make that final call – whether to pay.”

Thiele also stresses that it’s important to have open discussions about the ethical implications of making extortion payments.

“These payments ultimately fund criminal activity, and that needs to be part of the decision-making conversation,” he says.

Harden defences against ransomware and build cyber resilience

Businesses also need to assess and strengthen their cyber posture in response to the new payment reporting regime.

“It’s essential to align your internal processes and technologies with these new obligations,” Boufarhat says.

If they haven’t already, businesses should implement fundamental security measures such as those outlined in the Essential Eight, ISO27001 and NIST frameworks.

“This can guide improvements and ensure a structured, risk-based approach to security,” he says.

A multi-layered approach needs to include endpoint protection, regular patching, application controls and network segmentation to reduce exposure.

“Phishing-resistant multi-factor authentication (MFA) should be deployed widely, particularly for administrative and privileged accounts,” he says.

Cardassis also reminds business leaders not to wait for an incident to test the organisation’s readiness. The goal is to stress test response plans, clarify roles and ultimately build confidence in the organisation’s ability to respond to a real-world ransomware attack.

“Run simulated breach scenarios to expose any gaps and educate all team members on the basics as many ransomware attacks still come through a phishing email,” Cardassis says.

Human error remains one of the most common entry points for cyberattacks, so employee training is crucial, particularly phishing awareness so that staff don’t click risky links.

“Training employees is one of the most powerful things an organisation can do,” he says.

In addition, recovery can’t be overlooked.

“Businesses need reliable backups that are immutable, encrypted, stored offline and tested regularly, to ensure they can recover quickly and effectively if an attack occurs,” Thiele says.

Finally, businesses will most likely need to seek support from IT and security partners to help with incident response planning, cyber defences and in the case of a real-world attack.

The goal is to uplift security maturity so that businesses are better protected, able to respond to incidents appropriately and meet their governance requirements.

“It’s not just about selling tools, it’s about giving clients a clear strategy and the confidence to act decisively,” Cardassis adds.

Step-by-step: How to respond to the ransomware payment reporting regime

Sehgal suggests a multi-step approach to understanding and responding to these new requirements.

  • Check if the law applies to your business. Do you earn over $3 million a year, or work in critical sectors?
  • Update policies so it’s clear what to do if a ransomware attack happens.
  • Review the incident response plan. Make sure it includes ransomware payment reporting within the 72-hour window.
  • Assign a team or person to take care of the report if an incident happens.
  • Run practice drills to stress test responses and find gaps.
  • Get leadership involved because this is now a business risk.
  • Seek expert advice and support from IT, legal and cybersecurity professionals.

To find out more about the ransomware payment reporting regime, download this information sheet from Home Affairs. To report a payment made by you or on behalf of your business, go to the ACSC reporting page.
