New 72-hour mandatory ransomware payment reporting for entities with a prescribed annual turnover and responsible for critical infrastructure assets will come into force shortly.[i]

Overview

Australia’s Cyber Security Act 2024 (the Act) received Royal Assent and became law on 29 November 2024. Though the Act has commenced, subordinate legislation in the form of Rules is needed to give effect to some of the Act’s measures. The Department of Home Affairs published an Exposure Draft of the Cyber Security (Ransomware Reporting) Rules 2024 and conducted public consultation that ended on 13 February 2025. The Act’s Part 3 ransomware reporting obligations take effect on a date to be fixed by Proclamation or on 30 May 2025, whichever comes earlier.

These obligations to report to the Australian Signals Directorate’s Australian Cyber Security Centre sit alongside notification requirements in the event of a data incident under existing legislation, such as the Privacy Act 1988 (Cth) (the Notifiable Data Breach scheme), the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), the Telecommunications Act 1997 (Cth), the Privacy and Personal Information Protection Act 1998 (NSW), the Victorian Protective Data Security Standards, ASX Listing Rules and APRA Standards – CPS 234.

Time is running out for businesses to revisit their cyber breach response plans, to ensure they’re prepared to meet these new obligations.

The when, who and what of the new obligations

Part 3 of the Act imposes an obligation to provide a ransomware payment report within 72 hours if an entity:

(a) is a reporting business entity; and

(b) is impacted by a cyber security incident; and

(c) has provided, or is aware that another entity (for example, an insurer) has provided on the impacted entity’s behalf, a ransomware payment to an entity that is seeking to benefit from the impact or the cyber security incident.

Is your business a ‘reporting business entity’? Generally the answer is YES if, at the time of the ransomware payment, it:

(a) is a responsible entity for a critical infrastructure asset to which Part 2B of the SOCI Act applies; or

(b) is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold for that year (A$3m was proposed by the draft Rules.)

Commonwealth and State bodies are not included.

Are all cyber security incidents relevant? The Act’s definition of ‘cyber security incident’ is complex and quite broad (encompassing, for example, denial of service and malware attacks).

A cyber security incident is one or more acts, events or circumstances:

(a) of a kind covered by the meaning of cyber security incident in the SOCI Act; or

(b) involving unauthorised impairment of electronic communication to or from a computer, within the meaning of that phrase in that Act, but as if that phrase did not exclude the mere interception of any such communication.

Put another way, an incident is not a cyber security incident for the Act’s purposes unless specified circumstances apply, including if:

  • the incident involves a critical infrastructure asset; or
  • the incident is or was effected by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
  • the incident is impeding or impairing, or has impeded or impaired, the ability of a computer to connect to such a service.

In summary, the Part 3 reporting obligations apply when the following conditions are met:

(a) An incident has occurred, is currently happening, or is expected to happen in the near future.

(b) The incident is categorised as a cyber security incident.

(c) The incident has directly or indirectly affected, is affecting, or could reasonably be expected to affect a reporting business entity.

(d) An entity, referred to as the extorting entity, demands payment or any form of benefit from the reporting business entity or any other entity with the intention of benefiting from the incident or its impact on the reporting business entity.

(e) The reporting business entity, or another entity that the reporting business entity is aware has acted on its behalf, provides a payment or benefit, known as a ransomware payment, directly linked to the extorting entity’s demand.

What information must be reported? Do penalties apply?

The Rules specify what information the ransomware payment report must contain for the purposes of subsection 27(2) of the Act.  Under section 7 of the draft Rules this includes not only the reporting business entity’s details but also:

  • extensive information relating to the cyber security incident, including potentially sensitive details such as the impact of the incident on the reporting entity’s infrastructure and customers;
  • the demand made by the extorting entity; and
  • quantum and method of the ransomware payment.

Importantly, the draft Rules note that the prescribed information is only required to be given to the extent that the reporting business entity knows or is able, by reasonable search or enquiry, to find out within the 72-hour time period for giving the report.

Failure to make a ransomware payment report as required under Part 3 of the Act may expose reporting business entities to a civil penalty of 60 penalty units (currently $19,800) for each contravention, adding another potential layer of pain to their cyber incident experience.

How is the prescribed information protected?

This Act is a key component of the Australian Cybersecurity Strategy 2023-2030. By making reporting mandatory and backed by civil penalties, the Government is hoping to gain better insights into the cyber threat landscape and disrupt the ransomware business model.

This was considered necessary because firms subject to cyber attacks have tended to be slow and reluctant to disclose information about the incident, and not just to regulators and law enforcement agencies but even to legal advisers or insurers.

Nevertheless, the Act also reflects the Government’s understanding of the multiple reasons why entities might prefer not to disclose factual information and observations concerning a cyber breach incident, and seeks to overcome them in several ways, notably:

  • by specifying limited Permitted Purposes for which the Department of Home Affairs and Australian Signals Directorate may use and disclose information contained in ransomware payment reports (such as assisting to resolve or mitigate the cyber security incident, and the performance of the functions of an intelligence agency);
  • by providing that (with some exclusions and exceptions) any information required in a report is not admissible, against the entity that provided the information, in:
    • certain criminal proceedings;
    • civil proceedings for contravention of a civil penalty provision;
    • proceedings for a breach of any other Commonwealth, State or Territory law (including common law); and
    • proceedings before a tribunal of the Commonwealth, a State or a Territory; and
  • by providing that supplying information in a ransomware report does not otherwise affect a claim of legal professional privilege in relation to that information.

This protection of privilege is an important feature.  All too frequently during a cyber breach crisis, businesses forget to properly coordinate their Response Plan and overlook the importance of seeking to preserve this important protection against unwanted disclosure of sensitive material.[ii]

Litigation following Optus’s infamous 2022 data breach revealed the extent to which this was forgotten by Optus’s Board and senior management as they responded to the breach.  Optus’s response had included engagement of Deloitte to prepare an investigation report, in respect of which aggrieved Applicants in the Federal Court[iii] subsequently sought discovery and inspection.  Despite the testimony of Optus’s General Counsel and Company Secretary, Beach J found that in the circumstances the report had not been created for the dominant purpose of legal advice, although he accepted that it was intended, among other things, to assist Optus’s external lawyers to provide their advice.  Accordingly the privilege claim was not made out.[iv]

Get ready

These mandatory reporting provisions of the Cyber Security Act formed part of a broader legislative package including:

  • introduction of a framework covering security standards for specified smart/IoT devices (‘relevant connectable products’), together with an enforcement and compliance regime (Part 2 of the Act);
  • establishment of a Cyber Incident Review Board (CIRB) to review cyber security incidents. Its functions include the identification of contributing factors, making of recommendations to government and the private sector and public reporting on the review (Part 5 of the Act); and
  • amendments to the SOCI Act to clarify the protected information framework, including in relation to use and disclosure of that information, and to make clear that data storage systems that hold business critical data form part of the primary critical infrastructure asset.[v]

All these measures demonstrate the Commonwealth Government’s resolve to strengthen Australia’s cyber security capabilities and pave the way for further reform.

Keypoint’s privacy, data security and technology experts welcome questions about your cyber security and privacy obligations.  We can support you to establish a practical cyber breach Response Plan and provide timely advice and assistance if your business is affected by a cyber security incident. If you would like to get in touch, please contact Deidre Missingham using the contact information below this article.

This article is for general information purposes only and does not constitute legal or professional advice.  It should not be used as a substitute for legal advice relating to your particular circumstances.

[i] For background discussion of disclosure considerations and ransom payment issues see Deidre Missingham’s Keynote ‘How golden is silence? Data breaches involving personal information’ published in November 2022 at https://www.keypointlaw.com.au/keynotes/how-golden-is-silence-data-breaches-involving-personal-information/

[ii] Legal professional privilege applies to confidential communications made for the dominant purpose of the client obtaining legal advice or professional legal services in actual or anticipated litigation or regulatory investigations or proceedings.

[iii] Robertson v Singtel Optus Pty Ltd [2023] FCA 1392

[iv] This first instance decision was upheld on appeal to the Full Court of the Federal Court of Australia: Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58.

[v] These were introduced via the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024.
