Ransomware Reporting Obligations—Regulatory changes now in force

Effective 30th May 2025, as part of ongoing efforts to strengthen national cyber security resilience, the Australian Government has introduced new mandatory reporting requirements concerning ransomware payments.

Organisations must now report any ransom payment, whether monetary or non-monetary (e.g. a demand for goods, services, or the transfer of information), to the Australian Signals Directorate (ASD) within 72 hours of making the payment.

What are the penalties for Non-Compliance?

Failure to report within the required timeframe may result in a civil penalty of up to 60 penalty units, currently equivalent to $19,800.

Who is Affected?

Organisations that meet either of the following criteria:

  • Have an annual turnover of $3 million or more; and/or
  • Are a responsible entity for a critical infrastructure asset as defined under the Security of Critical Infrastructure Act 2018 (SOCI) [physical facilities, IT systems, supply chains, or communication networks whose prolonged disruption would significantly impact Australia’s economic or social wellbeing, or national defence or security].

The SOCI Act applies across 11 key sectors comprising 22 asset classes, including:

  • Communications
  • Data storage & processing
  • Defence industry
  • Higher education & research
  • Energy
  • Financial services & markets
  • Food & grocery
  • Healthcare & medical
  • Space technology
  • Transport
  • Water & sewerage

What you need to do:

GSA recommend that all organisations:

  1. assess whether they are subject to this new mandatory reporting obligation; and, if so:
  2. ensure that robust internal protocols exist to support timely compliance (e.g. an Incident Response Plan that clearly defines individual roles, responsibilities and contingencies);
  3. seek advice from their broker regarding the cover provided by their current insurance policy in terms of limit adequacy, core coverages (e.g. incident response costs, ransom payments, regulatory penalties) and any key exclusions; and
  4. if they don’t purchase Cyber insurance, consider how this investment could strengthen the business’s risk management posture.

For personalised guidance on compliance and a better understanding of how Cyber insurance fits into your risk management strategy, connect with our team.
