Australia Introduces New Law Requiring Organizations to Report Ransomware Payments

199/68 Wednesday, June 4, 2025

Australia has introduced new regulations mandating organizations with annual turnover of over AUD 3 million (approximately USD 2 million) to report ransomware payments, and any related communications with the extortionists, within 72 hours of making the payment. The move is part of Australia's broader national cybersecurity strategy, which aims to position the country as a global leader in cybersecurity by 2030.

Under the new rules, affected organizations must report to the Australian Signals Directorate (ASD) within 72 hours. The report must include key information such as the impact of the incident on the organization's infrastructure, the type of ransomware or malware involved, the vulnerabilities exploited, and any other details that can aid government response and mitigation efforts. Organizations must also disclose the ransom amount demanded and paid, the payment method used, negotiation details, and a timeline of their communications with the ransomware actors.

This reporting obligation is described as the first legally binding ransomware payment disclosure requirement in the world. Non-compliance may result in civil penalties. Notably, the obligation does not apply to government agencies. The requirement is established by the Cyber Security Act 2024, which passed Parliament in November 2024 and also created a national Cyber Incident Review Board; it reflects Australia's increasing urgency in responding to the growing threat landscape.

Source: https://www.darkreading.com/threat-intelligence/australia-ransomware-payment-disclosure-rules