software development disputes

Ransomware payment reporting obligations

HomePrivate: BlogLegal insightsRansomware payment reporting obligations

by

reviewed by

Malcolm Burrows

A “Ransomware Attack” is a cyber security breach in which a malicious actor gains unauthorised access to a computer system or network and then encrypts, exfiltrates, or otherwise compromises data or functionality.[1]  Ransomware Attacks have become increasingly sophisticated, financially motivated, and disruptive across all sectors, prompting legislative intervention to regulate responses and improve national cyber security.

Cyber Security Act 2024 (Cth)

In response to this threat, the Cyber Security Act 2024 (Cth) (Cyber Security Act) was enacted with the stated aim of improving the detection of and response to cyber security threats and minimising their impact when they do occur.  For more information on the proposed legislation prior to its enactment, see our article on the Ransomware Payments Bill 2021 (Cth).

Although strongly discouraged by the Department of Home Affairs (Department) and the Australian Cyber Security Centre (ACSC), paying cyber ransom demands is not illegal as long as this ‘Ransomware Payment‘ does not contravene anti-money-laundering legislation,[2] or make funds available to a terrorist organisation[3] or to an organisation proscribed by United Nations sanction.[4]

Part 3 of the Cyber Security Act established mandatory reporting obligations when Ransomware Payments are made and commenced 30 May 2025.  From this date, all Reporting Entities are required to comply with the reporting regime, despite the lack of enforcement during the current six (6) month period of ”transition and familiarisation”.[5]

What ‘Reporting Entities’ must comply with the Act?

The Cyber Security Act’s obligations are only mandatory for specific entities referred to as reporting business entities (Reporting Entity).  According to section 26(2), any Commonwealth entity, any State or Territory or agency of a State or Territory or any other person is a Reporting Entity if it:

  • is carrying on a business in Australia;
  • has an annual turnover greater than $3 million;
  • is not a Commonwealth body or a State body; and
  • is not a responsible entity for a critical infrastructure asset.

Small businesses with a turnover of less than $3 million are also encouraged by the ACSC to report Ransomware Payments, but this is not a legal obligation under the Cyber Security Act.

What is a ‘Ransomware Payment’?

A Ransomware Payment involves the following components outlined in section 26(1) of the Cyber Security Act, including that:

  •  an incident has occurred, is occurring or is imminent; and
  •  the incident is a Cyber Security Incident; and
  • the incident directly or indirectly impacts the Reporting Entity; and
  • the Extorting Entity makes a demand of the Reporting Entity in order to benefit
  •  the Reporting Entity provides a payment to the Extorting Entity in response to the demand.

A Cyber Security Incident, defined in section 12M of the Security of Critical Infrastructure Act 2018 (Cth) (Critical Infrastructure Act), occurs when someone intentionally and without authorisation:

  • accesses computer data or a computer programs;
  • modifies computer data or a computer programs;
  • impairs electronic communication to or from a computer; or
  • impairs the availability, reliability, security or operation of a computer, or the software, data or communications it contains.

The person responsible for the Ransomware Attack is known as the ‘Extorting Entity’.

Section 12N of the Critical Infrastructure Act also requires that the Extorting Entity knows the access, modification or impairment is unauthorised, and that the modification or impairment either:

  • restricts access by an authorised person to data held in a computer; or
  • will, or gives an unauthorised person the ability to, modify, damage or destroy data held in a computer or on a computer disk or other device used to store data by electronic means.

The final requirement of an eligible Ransomware Payment is that the Extorting Entity has demanded a payment in order to:

  • end the unauthorised access, modification or impairment;
  • prevent publication of any of the data;
  • end the restriction on access to the data;
  • prevent damage or destruction of the data; or
  • otherwise remediate the impact of the unauthorised access, modification or impairment.

A Ransomware Payment need not be purely monetary and can instead comprise non-monetary benefits that are given or exchanged to an Extorting Entity including gifts, services or other benefits.

Reporting obligations

Under the Cyber Security Act, organisations that pay ransomware demands are required to notify the ACSC which uses the information to build a better understanding of the ransomware threat landscape.  Reporting Entities must submit a Ransomware Payment Report to the ACSC within seventy-two (72) hours of a Ransomware Payment being made.  

Section 27(2) of the Cyber Security Act outlines that a compliant Ransomware Payment Report must include information regarding:

  • the Reporting Entity’s contact and business details;
  • the Cyber Security Incident, including its impact on the Reporting Entity;
  • the demand made by the Extorting Entity; and
  • the amount paid as the Ransomware Payment.

To be compliant with the Cyber Security Act, a Ransomware Payment Report must also be given in the approved form, available here.

Limited use provisions

Information provided in Ransomware Payment Reports may only be used or disclosed by the ACSC for permitted purposes which are limited to assisting the Reporting Entity concerned, and responding to and resolving the relevant Cyber Security Incident.[6]

Section 32 of the Cyber Security Act explicitly provides that no information from Ransomware Payment Reports will be admissible for criminal proceedings, civil proceedings for contraventions of a civil penalty provision, breaches of any Commonwealth or State law, including common law.

These reporting obligation also do not otherwise affect a claim of legal professional privilege.[7]

Penalties

The ACSC does not act as a regulator or monitor compliance with the reporting obligations, but where there is a failure to comply with reporting obligations, the Department can issue injunctive orders, enforceable undertakings and fines of up to 60 penalty units, equivalent to $19,800.[8]  According to section 82(5) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth), this penalty increases to 300 penalty units or $99,000 for non-compliant body corporate Reporting Entities.

This penalty will not be enforced until 1 June 2026, to allow the Department to focus on ”assisting and supporting entities to meet their legal obligations”.[9]

Takeaways

Ransomware is not just a threat to individual businesses, but a national security concern and while the ASCS discourages Ransomware Payments, new reporting obligations will provide better insight into the evolving cybersecurity landscape.  All businesses, irrespective of size, should familiarise themselves with their legal obligations for preventing, responding to and reporting Ransomware Attacks.

Links and further references

Legislation

Charter of the United Nations Act 1945 (Cth)

Crimes Act 1914 (Cth)

Criminal Code Act 1995 (Cth)

Cyber Security Act 2024 (Cth)

Ransomware Payments Bill 2021 (Cth)

Regulatory Powers (Standard Provisions) Act 2014 (Cth)

Security of Critical Infrastructure Act 2018 (Cth)

Further information about legal obligations for Reporting Entities hit by Ransomware Attacks

If you need advice on the legal implications of a Ransomware Attack or your company’s notification obligations, contact us for a confidential and obligation-free discussion:

[1] Ransomware Payments Bill 2021 (Cth) section 4.

[2] Criminal Code Act 1995 (Cth) division 400.

[3] Criminal Code Act 1995 (Cth) section 102.7.

[4] Charter of the United Nations Act 1945 (Cth) section 21.

[5] Department of Home Affairs, Ransomware Payment Reporting Factsheet.

[6] Cyber Security Act 2024 (Cth) section 29.

[7] Cyber Security Act 2024 (Cth) section 31.

[8] Crimes Act 1914 (Cth) section 4AA.

[9] Department of Home Affairs, Ransomware Payment Reporting Factsheet.


Related insights for cybersecurity consultants

  • Dundas Lawyers achieves SMB1001 gold level cyber security certification

    Dundas Lawyers achieves SMB1001 gold level cyber security certification

    On 14 November 2025 Dundas Lawyers achieved the Gold level of the SMB1001 cybersecurity standard.

    Read more …

  • Aust Clinical Labs fined $5.8mil for failing to report data breach

    Aust Clinical Labs fined $5.8mil for failing to report data breach

    On 8 October 2025, the Federal Court published the judgement of Justice Halley in the case of Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (AIC v ACL).  Australian Clinical Labs Limited (ACL) was ordered to pay $5.8 million in civil penalties in relation to a 2022 data breach.  This…

    Read more …

  • Australians soon facing age checks when viewing adult websites

    Australians soon facing age checks when viewing adult websites

    On 9 September 2025, the eSafety Commissioner, Mrs Julie Inman Grant (Commissioner), registered six (6) new codes (New Codes) under the Online Safety Act 2021(Cth) (Online Safety Act) aimed at protecting children from the “clear and present” dangers of harmful AI chatbots and other online adult content.  On 9 March 2026, these New Codes will…

    Read more …

  • Ransomware payment reporting obligations

    Ransomware payment reporting obligations

    A “Ransomware Attack” is a cyber security breach in which a malicious actor gains unauthorised access to a computer system or network and then encrypts, exfiltrates, or otherwise compromises data or functionality.[1]  Ransomware Attacks have become increasingly sophisticated, financially motivated, and disruptive across all sectors, prompting legislative intervention to regulate responses and improve national cyber…

    Read more …

  • Federal parliament enacts cyber security legislation

    Federal parliament enacts cyber security legislation

    On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024.  The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.

    Read more …

  • The Digital ID Bill 2023 (Cth) – key points

    The Digital ID Bill 2023 (Cth) – key points

    On 30 November 2023, the Digital ID Bill 2023 (Cth) and the Digital ID (Transitional and Consequential Provisions) Bill 2023 (Digital ID Bills) were introduced in the Australian Senate.  Digital IDs are designed to provide individuals with a convenient way to verify their identity when completing certain online transactions and dealing with government and certain…

    Read more …

  • Misinformation and Disinformation Bill 2023 – draft insights

    Misinformation and Disinformation Bill 2023 – draft insights

    The Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2023 (Cth) (Misinformation Bill) was announced by the Department of Infrastructure, Transport, Regional Development, Communication and the Arts (DITRDCA) in January 2023.  The Misinformation Bill is aimed at restricting the flow of misinformation and disinformation by providing the Australian Communications and Media Authority (ACMA) with increased…

    Read more …

  • What are adequate cybersecurity measures?

    What are adequate cybersecurity measures?

    The adequacy of cyber security measures was considered in the case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v Ri Advice Group).  One of the issues raised was whether the respondent had adequate cyber security and cyber resilience in place across its network of financial advisors. …

    Read more …

  • Introduction of cryptocurrency and hacking offences to Parliament

    Introduction of cryptocurrency and hacking offences to Parliament

    The Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 is set to revolutionize the way cybercrime is prosecuted. Learn more about the changes it brings and the implications they have.

    Read more …

Send this to a friend