
Australia’s New Ransomware Laws: How to Prepare

Australia’s ransomware laws have changed. From 30 May 2025, certain businesses must report ransomware incidents under new national rules. This isn’t just an IT issue; it’s a board-level risk.

The Cyber Security Act 2024 introduces strict reporting requirements and hefty penalties for non-compliance. CFOs and IT managers will carry shared responsibility for what happens when a cyber incident strikes.

Failure to act quickly, or to report correctly, could lead to fines, legal exposure, and reputational fallout. Knowing what the law says about ransomware is a must.

Here’s what you need to know now.

What the Law Says About Ransomware

The Cyber Security Act 2024 mandates that businesses meeting specific criteria must report ransomware incidents to the Australian Signals Directorate (ASD). This applies to:

You must report a cyber incident if:

Reports must be filed within a strict timeframe. Late, partial, or inaccurate submissions can trigger a civil penalty. Law enforcement also has increased authority to investigate and respond.

The legislation covers more than the attack itself; it also addresses ransomware payments. Any decision to pay a ransom must be documented and justified, and may need to be reported separately under anti-money laundering provisions.

In short, ransomware laws in Australia now link cyber security with compliance. Silence is no longer safe.


What Australian Businesses Must Do

Not every business is caught by the new rules. But many are.

If you operate in sectors like retail, logistics, healthcare, or financial services and have critical infrastructure assets or a high annual turnover, you’re likely in scope.

Start by confirming if your organisation is covered. Then prepare to act.

You’ll need a clear incident response plan that covers not just technical recovery, but internal reporting, stakeholder escalation, and legal sign-off on any ransom payment.

Board members and executives can be held accountable. That includes the CFO. Failing to report a ransomware incident correctly could expose directors to risk. Insurance alone won’t solve this.

Auditors may request evidence of compliance with ransomware laws. So will regulators. So will your customers.

This is about more than policy. It’s about readiness.

5 Proactive Steps to Strengthen Cyber Resilience

1. Map Your Exposure

You can’t defend what you don’t understand. Start by identifying critical systems, data flows, and known vulnerabilities. Run a tabletop exercise simulating a ransomware threat. Who gets the first call? Who decides whether to notify the ASD? Can you recover without paying? If the answer is unclear, your risk is higher than you think.

Include finance, legal, IT, and operations in the test. Use the results to revise your incident response plan. Response speed, not perfection, will define your outcome.

2. Align with the Essential 8

The ASD has made it clear: maturity against the Essential 8 matters. It’s also what auditors, insurers, and regulators expect to see.

Focus on the core controls: patch management, restricting administrative privileges, multi-factor authentication (MFA), and backups. Measure where you stand today and define the maturity level you need to reach. Many mid-sized Australian businesses still sit below baseline.

Treat this as a business investment, not a technical checklist. Strong controls reduce downtime, lower breach costs, and speed up recovery.

3. Train Key Roles

Many CFOs assume cyber response is a tech team issue. It’s not.

Mandatory reporting under the Cyber Security Act 2024 puts financial, legal, and reputational risk in the CFO’s hands. Yet few finance leaders know the exact steps to take in the hours after a ransomware attack.

Your legal counsel needs to know what constitutes a reportable cyber incident. Your finance lead needs to track and document any decision to pay a ransom. Your comms team needs to coordinate messaging if regulators, clients, or media get involved.

Keep the training role-specific and focus on decisions.

4. Monitor and Protect

Too many businesses rely on backups without knowing if they work. Too many SIEM dashboards light up with alerts that go ignored.

Invest in tools that give real-time visibility into suspicious activity, such as bulk encryption of files, unauthorised changes to administrator accounts or groups, or outbound traffic to known command-and-control servers.
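The three signals above can each be expressed as a simple detection rule. The following is an added example written for this article (not Planet6 code or any product's logic) that runs three such rules over a constructed set of endpoint and network log lines. The log format, the process and host names, the indicator list (documentation-range IP addresses) and the thresholds are all assumptions made for the illustration; a real deployment would read from an EDR or SIEM feed and tune the thresholds to the environment.

```python
"""Toy detection pass for ransomware precursors over constructed log lines.

Added example for this article; assumptions: the one-line-per-event format
below, the process/host names, the indicator set and the thresholds.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicators. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, used here as placeholders for a real threat-intel feed.
KNOWN_C2 = {"203.0.113.45", "198.51.100.7"}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
RENAME_THRESHOLD = 5                  # extension-changing renames per process
RENAME_WINDOW = timedelta(seconds=60)  # ...inside this sliding window

# Constructed sample log: "<iso-time> <host> <event-type> key=value ..."
# One benign rename, one benign web connection, then a burst of renames to a
# new extension, a connection to a listed address and an admin-group addition.
SAMPLE_LOG = r"""
2025-06-01T09:00:01 ws-12 FILE_RENAME user=jsmith proc=explorer.exe src=C:\Docs\a.docx dst=C:\Docs\a-final.docx
2025-06-01T09:05:00 srv-01 NET_CONNECT proc=chrome.exe dst_ip=192.0.2.10 port=443
2025-06-01T09:10:00 ws-12 FILE_RENAME user=jsmith proc=svc_update.exe src=C:\Docs\q1.xlsx dst=C:\Docs\q1.xlsx.lock7
2025-06-01T09:10:02 ws-12 FILE_RENAME user=jsmith proc=svc_update.exe src=C:\Docs\q2.xlsx dst=C:\Docs\q2.xlsx.lock7
2025-06-01T09:10:03 ws-12 FILE_RENAME user=jsmith proc=svc_update.exe src=C:\Docs\board.pptx dst=C:\Docs\board.pptx.lock7
2025-06-01T09:10:05 ws-12 FILE_RENAME user=jsmith proc=svc_update.exe src=C:\Docs\ap.pdf dst=C:\Docs\ap.pdf.lock7
2025-06-01T09:10:09 ws-12 FILE_RENAME user=jsmith proc=svc_update.exe src=C:\Docs\ar.pdf dst=C:\Docs\ar.pdf.lock7
2025-06-01T09:10:30 ws-12 NET_CONNECT proc=svc_update.exe dst_ip=203.0.113.45 port=8443
2025-06-01T09:12:00 dc-01 GROUP_ADD user=svc_update group=Administrators by=jsmith
"""


def parse_event(line):
    """Split one log line into a dict: ts, host, type plus the key=value fields."""
    ts, host, etype, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    fields.update(ts=datetime.fromisoformat(ts), host=host, type=etype)
    return fields


def detect_mass_rename(events):
    """One alert per (host, process) that changes the extension of at least
    RENAME_THRESHOLD files within RENAME_WINDOW: the bulk-encryption signal."""
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] != "FILE_RENAME":
            continue
        if os.path.splitext(e["src"])[1] != os.path.splitext(e["dst"])[1]:
            by_proc[(e["host"], e["proc"])].append(e)
    alerts = []
    for (host, proc), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > RENAME_WINDOW:  # slide window start
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                alerts.append({"rule": "mass_rename", "host": host, "proc": proc,
                               "count": end - start + 1,
                               "first_ts": evs[start]["ts"].isoformat(),
                               "new_ext": os.path.splitext(e["dst"])[1]})
                break  # one alert per process is enough to page someone
    return alerts


def detect_admin_change(events):
    """Any addition to a privileged group: the unauthorised-admin-change signal."""
    return [{"rule": "admin_group_change", "host": e["host"], "group": e["group"],
             "user": e["user"], "by": e["by"]}
            for e in events if e["type"] == "GROUP_ADD" and e["group"] in ADMIN_GROUPS]


def detect_c2(events):
    """Outbound connection to a listed address: the command-and-control signal."""
    return [{"rule": "known_c2_contact", "host": e["host"], "proc": e["proc"],
             "dst_ip": e["dst_ip"]}
            for e in events if e["type"] == "NET_CONNECT" and e["dst_ip"] in KNOWN_C2]


def run_detections(log_text):
    """Parse the log text and return the combined alert list, in rule order."""
    events = [parse_event(l) for l in log_text.strip().splitlines() if l.strip()]
    return detect_mass_rename(events) + detect_admin_change(events) + detect_c2(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the constructed log the pass returns three alerts: the five `.lock7` renames by `svc_update.exe` on `ws-12` within nine seconds, the addition of `svc_update` to `Administrators`, and the connection to the listed address. The single benign rename by `explorer.exe` keeps its extension and is not counted, which is the point of keying on extension changes rather than on rename volume alone.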

Ensure you have working, tested backup infrastructure with fast restore capability. Include systems outside of Microsoft 365 (M365): file shares, databases, and endpoints. If you can’t restore within hours, you may feel forced to pay.

Proactive monitoring, coupled with verified recovery, puts you back in control.
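"Tested" backups means proving that a restore reproduces the original data, not just that a backup job completed. The following is an added example written for this article (not Planet6 code or any backup product's logic) showing one way to do that: record a SHA-256 manifest when the backup is taken, then compare the restored tree against it and report missing, corrupted and unexpected files. The directory layout, file names and contents are constructed for the demonstration, and the "backup" and "restore" steps are plain directory copies standing in for a real backup tool.

```python
"""Manifest-based restore verification.

Added example for this article; the source tree, file contents and the
copy-based backup/restore are constructed stand-ins for real infrastructure.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(set(restored) - set(manifest))
    return {
        "ok": not missing and not corrupted,
        "verified": len(manifest) - len(missing) - len(corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,  # reported but not a failure: may be a restore log
    }


def demo():
    """Constructed end-to-end run: source -> backup + manifest -> restore -> verify.

    Returns the clean verification result and a second result after one
    restored file is damaged and another deleted, to show both paths.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, backup, restore = tmp / "share", tmp / "backup", tmp / "restore"
        files = {"finance/q1.xlsx": b"quarter one ledger",
                 "hr/policy.docx": b"leave policy text",
                 "it/runbook.md": b"# incident runbook"}
        for rel, data in files.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)

        # "Backup": copy the tree and store the manifest beside it, not inside it.
        shutil.copytree(src, backup)
        manifest = build_manifest(backup)
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # "Restore" to a fresh location and verify against the stored manifest.
        shutil.copytree(backup, restore)
        stored = json.loads((tmp / "manifest.json").read_text())
        clean = verify_restore(stored, restore)

        # Simulate a damaged restore: one file truncated, one file missing.
        (restore / "finance/q1.xlsx").write_bytes(b"quarter one")
        (restore / "it/runbook.md").unlink()
        damaged = verify_restore(stored, restore)
        return clean, damaged


if __name__ == "__main__":
    for label, result in zip(("clean restore", "damaged restore"), demo()):
        print(label, json.dumps(result))
```

The clean run reports three verified files and `ok: true`; the damaged run reports `finance/q1.xlsx` as corrupted and `it/runbook.md` as missing, with `ok: false`. Keeping the manifest outside the backed-up tree matters: if the manifest lived with the data and the same ransomware encrypted both, the check would have nothing trustworthy to compare against.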

5. Review Partner Capabilities

A cyber security provider isn’t just a vendor. It’s your front line in a crisis.

Ask your MSP or MSSP how they support clients during ransomware incidents. Can they support mandatory reporting obligations? Will they assist with evidence collection for ASD or law enforcement? Do they have experience with incident response plans under the new legal framework?

Don’t wait until a breach to ask.

Choose a partner who understands the stakes. One who can support your compliance journey, strengthen your defences, and restore operations when it matters most.

Post-Deadline Reality: What Compliance Should Look Like Now

The Australian Government’s Ransomware Payment Reporting law is now live.

If your business falls under the regulation and hasn’t formalised a compliance process, you’re already exposed. The ASD can request reporting records at any time. So can insurers, regulators, and industry partners.

Compliance requires ongoing visibility, clear accountability, and tested recovery paths.
You need to know:

Fines aren’t the only concern. A failed response damages brand, trust, and board confidence. Businesses that treated this as an optional issue (rather than a legal one) will now have to play catch-up.

If your response plan hasn’t been tested, or your reporting process still sits in draft, the time to course-correct is now.

Ransomware Readiness Needs to Be Part of Your Business Baseline

Ransomware is now a compliance issue with serious financial, operational, and reputational stakes.

The businesses handling this well have three things in place: strong security measures, clear processes, and the right partners.

Planet6 helps mid-sized Australian enterprises meet compliance head-on. Our managed security services support real-time threat detection, Essential 8 maturity, and incident response plans built for the new reporting regime.

We don’t just help you recover. We help you prove compliance.

Talk to our team about how to secure your business under Australia’s new ransomware laws. No pushy sales talk, only factual answers to your pressing questions.