Australia has enforced new regulation that requires reporting businesses to inform the government if they make ransomware or other cyber extortion payments.
Per the legislation, organizations in the country with an annual turnover of $3 million AUD (approximately $1.94 million USD) or higher within the last financial year are considered reporting businesses and are covered by the legislation.
All organizations within the critical infrastructure sector are considered reporting business entities.
According to the ransomware payment reporting rules, which became mandatory on May 30, all covered companies are required to report ransomware or cyber extortion payments, made by them or by others on their behalf, within 72 hours of making that payment.
Reports about such payments should include information on the cybersecurity incident, the attackers’ demands, their contact information, the communication with the attackers, the ransom amount itself, and any other relevant information.
“The legislation captures both monetary and non-monetary benefits that are given or exchanged to an extorting entity as being ransomware or cyber extortion payments. For example, this may include the exchange of gifts, services or other benefits to an entity in respect of the demand,” a factsheet (PDF) accompanying the legislation reads.
The reports should be submitted to the Australian Signals Directorate (ASD) using an online form. The ASD will not monitor organizations’ compliance with the ransomware reporting regulation and assist entities in responding to, mitigating, and resolving cyberattacks.
For the first six months, Australia’s Department of Home Affairs will focus on guiding organizations through the reporting process, to identify challenges and compliance issues.
Beginning January 1, 2026, after the reporting entities become acquainted with the obligation, the department will adopt a more active regulatory focus.
The reports will be used to collect information on the threat actors and the type of malware they use, to keep small and medium-sized enterprises (SMEs) informed on active threats, and to assist the government in designing future legislative programs.
“Governments and regulators globally are grappling with limited visibility into cyber risks, particularly ransomware, which hinders their ability to effectively detect, disrupt, and deter cyberattacks. The concerning underreporting of ransomware incidents, with only one in five victims reporting attacks according to the Australian Institute of Criminology, highlights the urgent need for proportionate regulatory interventions,” NCC Group director Tim Dillon said in an emailed comment.
Related: CISA Releases Guidance on SIEM and SOAR Implementation
Related: The Hidden Cost of Compliance: When Regulations Weaken Security
Related: Australian Human Rights Commission Discloses Data Breach
