Picture the worst version of a Monday. Your systems are locked, a screen is demanding payment, and your bookkeeper can’t process a thing. You decide to pay to get the business running again. Under Australia’s Cyber Security Act, that decision now comes with a second obligation most owners have never heard of: you have 72 hours to report the payment to the government.

What the law requires

The Cyber Security Act 2024 introduced a mandatory ransomware payment reporting scheme. If a business makes a ransomware payment, or becomes aware that a payment has been made on its behalf, it must report it to the Department of Home Affairs within 72 hours, through a portal on cyber.gov.au run by the Australian Cyber Security Centre.

The obligation does not catch every business. According to the explanatory memorandum, the annual turnover threshold is likely to be at least $3 million, which lines up with the small business threshold in the Privacy Act. Businesses responsible for critical infrastructure assets are also covered, whatever their turnover. Failure to report carries a civil penalty of 60 penalty units, currently around $18,780. The reporting obligation commences within six months of the Act receiving Royal Assent.

The point of the scheme is to give the government visibility of how much ransomware is actually being paid in Australia, something that has been largely invisible because most businesses stayed quiet about it.

What it means for you

Two things change for an owner turning over more than $3 million.

First, paying a ransom is no longer a private operational decision you can make quietly and move on from. It is now a reportable event with a legal clock attached: the 72 hours run from the moment you pay, or learn that someone has paid on your behalf, whether or not you have your head around what just happened to your business.

Second, and more useful day to day, the threshold is a prompt to settle two things in advance: whether your turnover puts you inside the scheme, and who in your business would actually make the report if the worst happened. The 2am of an active incident is a bad time to be reading legislation for the first time.

There is a longer game here too. Cyber posture has quietly become part of what a buyer checks before purchasing a business. An owner who can show they understood their obligations and had basic protections in place is handing over a cleaner business than one whose systems are a question mark. The work that protects you from an incident this year is the same work that makes the business easier to sell later.

You can’t prevent every attack. You can decide, before anything goes wrong, that you know where you stand under this scheme rather than finding out the hard way.
Source: Pinsent Masons — New Cyber Security Act: what businesses need to know