Cyber Security Act 2024: Mandatory Ransomware Reporting Obligations for Australian Businesses
Australia's Cyber Security Act 2024 requires businesses with $3M+ turnover to report ransomware payments to the ASD within 72 hours. Here's what you must know.
Australia's cyber security regulatory landscape shifted dramatically in 2025 and 2026, with new mandatory reporting obligations now applying to thousands of businesses. If your organisation makes a ransomware or cyber extortion payment, you are legally required to report it to the Australian Signals Directorate (ASD) within 72 hours — and penalties for non-compliance are significant. Understanding these obligations is no longer optional; it is a core business risk management responsibility.
Understanding the Cyber Security Act 2024 and Its Reporting Obligations
The Cyber Security Act 2024 introduced Australia's first standalone cyber security legislation, creating a mandatory ransomware payment reporting regime that commenced on 30 May 2025. After an initial education-first phase through the end of 2025, the Australian Government shifted to active compliance and enforcement from 1 January 2026.
The regime applies to reporting business entities — defined as any entity carrying on business in Australia with an annual turnover of $3 million or more, or those responsible for critical infrastructure assets. If your business falls within this threshold and makes a ransomware or cyber extortion payment in response to a cyber security incident, you must notify the ASD within 72 hours of making that payment.
This obligation sits alongside the existing Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, which requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs. Together, these two regimes create a layered reporting framework that businesses must navigate carefully.
What Counts as a Reportable Ransomware Payment
A reportable event under the Cyber Security Act 2024 is triggered when a business makes a payment — whether in cryptocurrency, funds transfer, or any other form — in direct response to a ransomware or cyber extortion demand connected to a cyber security incident.
Importantly, there is no obligation to report if the business elects not to pay. The reporting duty attaches to the act of payment, not to the incident itself. However, this does not mean non-paying businesses are free from all obligations — a data breach resulting from the same incident may still trigger NDB scheme notification requirements.
The 72-hour reporting window is strict. Businesses should have pre-established internal processes to identify, escalate, and report qualifying payments without delay. Waiting until legal counsel is engaged or the full scope of the incident is understood is not a valid reason to miss the deadline.
Key Obligations Under the NDB Scheme in 2026
The NDB scheme remains the primary framework for data breach reporting in Australia. It applies to Australian Privacy Principle (APP) entities, which generally includes private sector organisations and not-for-profits with annual turnover exceeding $3 million, all private health service providers, credit reporting bodies, and entities that trade in personal information regardless of size.
A breach becomes notifiable when there is unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to affected individuals. Once a suspected breach is identified, organisations have 30 calendar days to assess whether it qualifies as an eligible data breach. If it does, notification to both the OAIC and affected individuals must occur as soon as practicable.
Following 2024 Privacy Act reforms, civil penalties for serious or repeated privacy violations can reach up to $50 million, three times the value of any benefit obtained, or 30 percent of the entity's adjusted turnover during the breach period — whichever is greater. Since June 2025, a new statutory tort also allows individuals to sue businesses directly for serious invasions of privacy, regardless of the business's size.
Common Mistakes Australian Businesses Make With Cyber Reporting
Many businesses underestimate the complexity of dual-regime compliance. The most common errors include treating the Cyber Security Act and the NDB scheme as mutually exclusive, when in fact a single ransomware incident can trigger obligations under both frameworks simultaneously.
Other frequent mistakes include:
- Delayed internal escalation — Failing to notify senior leadership and legal counsel immediately after a payment is made, causing the 72-hour window to expire before a report is lodged with the ASD.
- Inadequate incident response plans — Not having a documented, tested cyber incident response plan that specifically addresses ransomware payment scenarios and reporting timelines.
- Assuming small size provides exemption — Businesses just above the $3 million turnover threshold often incorrectly assume these obligations apply only to large enterprises.
- Confusing notification with disclosure — Reporting to the ASD under the Cyber Security Act is a confidential regulatory obligation; it does not automatically require public disclosure or notification to customers.
- Neglecting supply chain exposure — A cyber incident affecting a supplier or third-party service provider may still trigger your own reporting obligations if personal information you hold is compromised.
The ASD Essential Eight and Cyber Posture in 2026
Beyond mandatory reporting, the ASD continues to promote the Essential Eight as the baseline cyber security framework for Australian businesses. In 2026, the ASD is running its "Cyber Action Year" program, urging businesses to adopt an "assumed breach" mindset — planning for the likelihood of compromise rather than relying solely on preventative controls.
For most SMEs, achieving Maturity Level 1 (ML1) of the Essential Eight is the current baseline expectation. This level is frequently cited by insurers and large enterprise partners as a prerequisite for contracts and cyber liability coverage. The eight strategies — including application control, patching applications, restricting Microsoft Office macros, multi-factor authentication, and daily backups — form the foundation of a defensible security posture.
Notably, the ASD has announced plans to retire the Essential Eight within the next two years, transitioning to a new "Essentials" series with distinct chapters for Enterprise IT, Operational Technology, and Cloud environments. Businesses that have invested in Essential Eight compliance will find their efforts remain relevant, as the core principles of defence-in-depth persist in the new framework.
Australian Regulatory Context: OAIC, ASD, and the Privacy Act
Australian businesses must understand the distinct roles of the key regulators in this space. The Office of the Australian Information Commissioner (OAIC) administers the NDB scheme and the Privacy Act 1988, investigating complaints and enforcing privacy obligations. The Australian Signals Directorate (ASD), through its Australian Cyber Security Centre (ACSC), receives mandatory ransomware payment reports and provides cyber security guidance and incident response support.
These two regulators operate independently, and a report to one does not satisfy obligations to the other. Businesses must maintain separate notification processes for each regime. The OAIC focuses on the protection of personal information and individual rights, while the ASD focuses on national cyber security resilience and threat intelligence.
For businesses in regulated sectors — including financial services, health, and critical infrastructure — additional obligations may apply under the Security of Critical Infrastructure Act 2018, APRA's Prudential Standard CPS 234, and sector-specific guidance from ASIC. A qualified cyber consultant can map your specific regulatory obligations across all applicable frameworks.
Questions to Ask When Engaging a Cyber Consultant
Before engaging a cyber security consultant to help your business achieve compliance, consider asking the following questions to assess their suitability and expertise:
- Are you familiar with both the Cyber Security Act 2024 and the NDB scheme? — Your consultant should be able to explain how both regimes interact and apply to your specific business structure.
- Can you help us develop a ransomware incident response plan? — A practical, tested plan is essential for meeting the 72-hour reporting window.
- What is your experience with Essential Eight assessments? — Look for consultants who can conduct a gap analysis against the current maturity model and provide a prioritised remediation roadmap.
- Do you have experience in our industry sector? — Sector-specific regulatory overlays (APRA, ASIC, health) require specialist knowledge.
- How do you stay current with ASD and OAIC guidance? — The regulatory environment is evolving rapidly; your consultant should demonstrate active engagement with official guidance.
- Can you assist with post-incident reporting? — Ensure your consultant can support you through the actual notification process, not just the preparation phase.
How MyMoney® Can Help
Navigating Australia's cyber security reporting obligations requires specialist expertise that goes beyond general IT support. A qualified cyber consultant can assess your current posture, build a compliant incident response framework, and ensure your business is prepared to meet both the 72-hour ASD reporting window and the 30-day NDB assessment timeline.
MyMoney® connects Australian businesses with verified, experienced cyber security consultants who understand the full regulatory landscape — from the Cyber Security Act 2024 to the Privacy Act 1988 and sector-specific requirements. Whether you need a one-off compliance assessment or ongoing advisory support, our platform makes it easy to find the right professional for your needs.
Post a Brief to describe your cyber security requirements and receive competitive proposals from qualified consultants. Or Browse Cyber Consultants to explore professionals available in your area today.
This article provides general information only and does not constitute personal financial advice. Consider whether the information is appropriate for individual circumstances before acting on it. MyMoney® Marketplace is operated by Global Mutual Funds Pty Ltd (ABN 20 090 555 436, AFSL 222640).