software development disputes

Ransomware payment reporting obligations

HomePrivate: BlogLegal insightsRansomware payment reporting obligations

by

reviewed by

Malcolm Burrows

A “Ransomware Attack” is a cyber security breach in which a malicious actor gains unauthorised access to a computer system or network and then encrypts, exfiltrates, or otherwise compromises data or functionality.[1]  Ransomware Attacks have become increasingly sophisticated, financially motivated, and disruptive across all sectors, prompting legislative intervention to regulate responses and improve national cyber security.

Cyber Security Act 2024 (Cth)

In response to this threat, the Cyber Security Act 2024 (Cth) (Cyber Security Act) was enacted with the stated aim of improving the detection of and response to cyber security threats and minimising their impact when they do occur.  For more information on the proposed legislation prior to its enactment, see our article on the Ransomware Payments Bill 2021 (Cth).

Although strongly discouraged by the Department of Home Affairs (Department) and the Australian Cyber Security Centre (ACSC), paying cyber ransom demands is not illegal as long as this ‘Ransomware Payment‘ does not contravene anti-money-laundering legislation,[2] or make funds available to a terrorist organisation[3] or to an organisation proscribed by United Nations sanction.[4]

Part 3 of the Cyber Security Act established mandatory reporting obligations when Ransomware Payments are made and commenced 30 May 2025.  From this date, all Reporting Entities are required to comply with the reporting regime, despite the lack of enforcement during the current six (6) month period of ”transition and familiarisation”.[5]

What ‘Reporting Entities’ must comply with the Act?

The Cyber Security Act’s obligations are only mandatory for specific entities referred to as reporting business entities (Reporting Entity).  According to section 26(2), any Commonwealth entity, any State or Territory or agency of a State or Territory or any other person is a Reporting Entity if it:

  • is carrying on a business in Australia;
  • has an annual turnover greater than $3 million;
  • is not a Commonwealth body or a State body; and
  • is not a responsible entity for a critical infrastructure asset.

Small businesses with a turnover of less than $3 million are also encouraged by the ACSC to report Ransomware Payments, but this is not a legal obligation under the Cyber Security Act.

What is a ‘Ransomware Payment’?

A Ransomware Payment involves the following components outlined in section 26(1) of the Cyber Security Act, including that:

  •  an incident has occurred, is occurring or is imminent; and
  •  the incident is a Cyber Security Incident; and
  • the incident directly or indirectly impacts the Reporting Entity; and
  • the Extorting Entity makes a demand of the Reporting Entity in order to benefit
  •  the Reporting Entity provides a payment to the Extorting Entity in response to the demand.

A Cyber Security Incident, defined in section 12M of the Security of Critical Infrastructure Act 2018 (Cth) (Critical Infrastructure Act), occurs when someone intentionally and without authorisation:

  • accesses computer data or a computer programs;
  • modifies computer data or a computer programs;
  • impairs electronic communication to or from a computer; or
  • impairs the availability, reliability, security or operation of a computer, or the software, data or communications it contains.

The person responsible for the Ransomware Attack is known as the ‘Extorting Entity’.

Section 12N of the Critical Infrastructure Act also requires that the Extorting Entity knows the access, modification or impairment is unauthorised, and that the modification or impairment either:

  • restricts access by an authorised person to data held in a computer; or
  • will, or gives an unauthorised person the ability to, modify, damage or destroy data held in a computer or on a computer disk or other device used to store data by electronic means.

The final requirement of an eligible Ransomware Payment is that the Extorting Entity has demanded a payment in order to:

  • end the unauthorised access, modification or impairment;
  • prevent publication of any of the data;
  • end the restriction on access to the data;
  • prevent damage or destruction of the data; or
  • otherwise remediate the impact of the unauthorised access, modification or impairment.

A Ransomware Payment need not be purely monetary and can instead comprise non-monetary benefits that are given or exchanged to an Extorting Entity including gifts, services or other benefits.

Reporting obligations

Under the Cyber Security Act, organisations that pay ransomware demands are required to notify the ACSC which uses the information to build a better understanding of the ransomware threat landscape.  Reporting Entities must submit a Ransomware Payment Report to the ACSC within seventy-two (72) hours of a Ransomware Payment being made.  

Section 27(2) of the Cyber Security Act outlines that a compliant Ransomware Payment Report must include information regarding:

  • the Reporting Entity’s contact and business details;
  • the Cyber Security Incident, including its impact on the Reporting Entity;
  • the demand made by the Extorting Entity; and
  • the amount paid as the Ransomware Payment.

To be compliant with the Cyber Security Act, a Ransomware Payment Report must also be given in the approved form, available here.

Limited use provisions

Information provided in Ransomware Payment Reports may only be used or disclosed by the ACSC for permitted purposes which are limited to assisting the Reporting Entity concerned, and responding to and resolving the relevant Cyber Security Incident.[6]

Section 32 of the Cyber Security Act explicitly provides that no information from Ransomware Payment Reports will be admissible for criminal proceedings, civil proceedings for contraventions of a civil penalty provision, breaches of any Commonwealth or State law, including common law.

These reporting obligation also do not otherwise affect a claim of legal professional privilege.[7]

Penalties

The ACSC does not act as a regulator or monitor compliance with the reporting obligations, but where there is a failure to comply with reporting obligations, the Department can issue injunctive orders, enforceable undertakings and fines of up to 60 penalty units, equivalent to $19,800.[8]  According to section 82(5) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth), this penalty increases to 300 penalty units or $99,000 for non-compliant body corporate Reporting Entities.

This penalty will not be enforced until 1 June 2026, to allow the Department to focus on ”assisting and supporting entities to meet their legal obligations”.[9]

Takeaways

Ransomware is not just a threat to individual businesses, but a national security concern and while the ASCS discourages Ransomware Payments, new reporting obligations will provide better insight into the evolving cybersecurity landscape.  All businesses, irrespective of size, should familiarise themselves with their legal obligations for preventing, responding to and reporting Ransomware Attacks.

Links and further references

Legislation

Charter of the United Nations Act 1945 (Cth)

Crimes Act 1914 (Cth)

Criminal Code Act 1995 (Cth)

Cyber Security Act 2024 (Cth)

Ransomware Payments Bill 2021 (Cth)

Regulatory Powers (Standard Provisions) Act 2014 (Cth)

Security of Critical Infrastructure Act 2018 (Cth)

Further information about legal obligations for Reporting Entities hit by Ransomware Attacks

If you need advice on the legal implications of a Ransomware Attack or your company’s notification obligations, contact us for a confidential and obligation-free discussion:

[1] Ransomware Payments Bill 2021 (Cth) section 4.

[2] Criminal Code Act 1995 (Cth) division 400.

[3] Criminal Code Act 1995 (Cth) section 102.7.

[4] Charter of the United Nations Act 1945 (Cth) section 21.

[5] Department of Home Affairs, Ransomware Payment Reporting Factsheet.

[6] Cyber Security Act 2024 (Cth) section 29.

[7] Cyber Security Act 2024 (Cth) section 31.

[8] Crimes Act 1914 (Cth) section 4AA.

[9] Department of Home Affairs, Ransomware Payment Reporting Factsheet.


Related insights for cybersecurity consultants

Send this to a friend