Cybercrime is an escalating threat to Australian businesses, driving the government to implement stricter measures. The Cyber Security Act 2024, the country’s first standalone cyber security legislation, introduces mandatory ransomware reporting to address the increasing risk. By shifting from voluntary to compulsory reporting, this law aims to provide authorities with accurate data to mitigate cyber threats more effectively and disrupt ransomware operations.
Understanding the implications of this change is crucial for businesses. From reporting obligations to privacy safeguards, this article breaks down what you need to know about mandatory ransomware reporting and how it will impact your organisation.
Understanding the Cyber Security Act 2024
The Cyber Security Act 2024 represents Australia’s first standalone legislation dedicated to cyber security. It provides a clear legislative framework for addressing systemic cyber threats and protecting critical infrastructure. The Act received Royal Assent in November 2024, and various provisions, including mandatory ransomware reporting, are set to take effect by May 2025.
This Act is part of the broader 2023-2030 Australian Cyber Security Strategy, which aims to position Australia as a global leader in cyber security. It introduces several key measures, such as:
- Mandating minimum cyber security standards for smart devices.
- Establishing a Cyber Incident Review Board.
- Enhancing protections under the Security of Critical Infrastructure Act 2018.
However, the mandatory ransomware reporting requirement stands out as the most immediate concern for many Australian businesses.
The Impact of Mandatory Ransomware Reporting on Businesses
The mandatory reporting framework addresses a critical gap in Australia’s cyber security landscape—the underreporting of ransomware incidents. Historically, voluntary reporting mechanisms have failed to provide the government with a comprehensive understanding of the threat landscape. This new measure is designed to disrupt the ransomware business model and prevent cybercriminals from profiting at the expense of Australian businesses.
Who Needs to Report?
Mandatory ransomware reporting applies to businesses with an annual turnover exceeding AUD 3 million, as confirmed in the Cyber Security (Ransomware Reporting) Rules 2024. This threshold ensures that larger businesses, which are more likely to be targeted by ransomware attacks, comply with the reporting obligations.
Key criteria include:
- The business must operate in Australia and meet the turnover threshold.
- The incident must involve a ransomware payment, either made directly or by a third party on behalf of the business.
What Needs to Be Reported?
Businesses are required to report ransomware payments within 72 hours of making the payment or becoming aware of it. The reporting obligation is triggered only when a ransomware payment is made, not upon receipt of a ransom demand. This means that if a business receives a ransom demand but does not make a payment, it is not required to report the incident under this specific obligation. The report must include:
- Contact and business details of the reporting entity.
- Details about the cyber security incident, including its impact.
- Information about the ransom demand and payment, such as the amount and method of transfer.
- Communications with the extorting entity.
Privacy Safeguards
The Act includes strict provisions to protect the privacy of reporting businesses. Information provided in ransomware payment reports can only be used for specific purposes, such as:
- Assisting the business in responding to the incident.
- Supporting government intelligence and response strategies.
- Advising on national cyber security policy.
Critically, this information is shielded from use in most legal proceedings, ensuring businesses are not penalised for complying with their reporting obligations.
Implementation Timeline and Compliance
The ransomware reporting obligation will come into effect in May 2025, six months after the Act’s Royal Assent. This grace period allows businesses to prepare for compliance. It’s essential for organisations to review their cyber security frameworks, establish reporting protocols, and educate key personnel about the new requirements.
Non-compliance with the mandatory reporting obligation can result in civil penalties, with fines of up to 60 penalty units. However, the government has committed to an education-first approach, prioritising support and engagement with businesses to facilitate compliance.
The Road Ahead for Businesses in Australia
The Cyber Security Act 2024 marks a significant step forward in Australia’s fight against cybercrime. By introducing mandatory ransomware reporting, the government aims to disrupt the ransomware business model and build a stronger, more secure cyber environment. While the new obligations may pose initial challenges, they represent a critical investment in the long-term resilience and security of Australian businesses.
As the mandatory reporting deadline approaches in May 2025, businesses must act now to ensure they are ready to comply. By doing so, they contribute to a safer digital landscape for all.
How Can Virtuelle Group Help?
Virtuelle Group is well-positioned to assist businesses in navigating these changes and ensuring compliance with the new rules.
- Security Framework Review – Assess and strengthen your current cyber security measures to align with best practices and regulatory requirements.
- Reporting Protocols – Develop and implement clear incident response and reporting procedures to meet the 72-hour ransomware payment reporting rule.
- Compliance Support – Provide ongoing guidance and managed services to ensure your business meets all new legal obligations and avoids penalties.
Contact us today to learn how Virtuelle Group can help you confidently address the new mandatory ransomware reporting requirements, strengthen your security frameworks, and ensure ongoing compliance with the Cyber Security Act 2024.