Australia Mandates Ransomware Payment Disclosure, Signals Broader Cybersecurity Crackdown
- Cyber Jill
- Jun 4
- 3 min read
Australia’s war on cybercrime has entered a new phase. As of May 30, 2025, companies operating in the country with revenues exceeding AUD $3 million must report any ransomware or cyber extortion payments within 72 hours—a landmark shift intended to pierce the secrecy surrounding ransomware economics.
The new disclosure requirement is part of the Cyber Security Act 2024, a sweeping legislative package designed to strengthen the country’s digital defenses amid a relentless uptick in ransomware attacks. Reporting will be funneled through a new online tool operated by the Australian Signals Directorate (ASD), the nation’s top cyber intelligence body.
But the move is just one pillar of a broader strategy. In addition to the mandatory reporting regime, the legislation lays the groundwork for:
- A binding minimum security standard for consumer smart devices, coming in 2026.
- New legal limits on how cyber incident data shared with the National Cyber Security Coordinator can be used, preserving confidentiality.
- The establishment of a Cyber Incident Review Board modeled after similar U.S. bodies, which will analyze major attacks and potentially hold corporate leaders accountable for weak cyber postures.
The government’s message is clear: cyber resilience is no longer optional—and neither is transparency.
“The introduction of Australia's latest cyber security laws is a significant step in bolstering national digital resilience against an ever-evolving threat landscape,” said Tim Dillon, Director of Professional Services, APAC at NCC Group.
For years, ransomware has thrived in the shadows, its impact underestimated by policymakers due to widespread underreporting. According to the Australian Institute of Criminology, only one in five victims come forward. That opacity has stymied law enforcement efforts and distorted the perceived scale of the threat.
Dillon sees the legislation as a long-overdue course correction. “Governments and regulators globally are grappling with limited visibility into cyber risks—particularly ransomware—which hinders their ability to effectively detect, disrupt, and deter cyber attacks,” he said.
Australia’s new mandate places it among a growing cadre of nations, including the U.S. and U.K., that are leaning on mandatory disclosures to gain real-time intelligence on digital extortion trends. But compliance could prove complex, especially for global firms already juggling differing incident reporting laws.
“At NCC Group, we have witnessed firsthand the growing complexity of incident reporting requirements,” Dillon noted. “Organisations are now navigating an intricate web of global cyber security regulations, making proactive response planning more critical than ever.”
The Cyber Security Act also extends its gaze beyond ransomware. A key focus is the Internet of Things (IoT), where weak security baselines have made consumer devices a recurring vulnerability. From smart speakers to connected doorbells, millions of endpoints lack even basic protections.
“Advancing security standards in smart devices [is] essential in protecting consumers from cyber threats,” Dillon said. “Our ongoing research has demonstrated the vulnerabilities inherent in connected devices, reinforcing the need for stringent security principles to become legally binding.”
Still, even the strongest legislation can falter without the institutional muscle to enforce it. Dillon warned that without adequate investment in enforcement bodies such as the Australian Cyber Security Centre (ACSC), the reforms may struggle to meet their potential.
“Investment in regulatory bodies… is paramount to ensuring enforcement capabilities align with legislative ambition,” he said. “Without adequate resources, the effectiveness of these new safeguards could be compromised.”
With ransomware gangs becoming more industrialized, tools more accessible, and attack surfaces wider than ever, Australia’s updated cyber playbook signals a shift toward a more aggressive, state-backed defense posture. Whether this results in a measurable decrease in extortion or merely shifts the battleground remains to be seen—but the era of cyber impunity is coming to an end.