Australia’s Ransomware Reporting Laws to Clarify True Costs and Impact
This post was authored by Sezaneh Seymour, Coalition’s VP and Head of Regulatory Risk and Policy, with contributions from Stephanie Blase, Claims Counsel for Coalition Australia.
The Optus and Medibank breaches in 2022 transformed digital insecurity and ransomware from technical concerns into kitchen table issues for millions of Australians. Attackers accessed and exposed the personal data of almost 10 million Optus customers, including names, birthdates, and identification numbers.
Shortly after, cyber criminals targeted Medibank, stealing and publishing sensitive medical history and claims information when the company refused to pay a ransom. These major incidents exposed critical weaknesses in Australia’s data protection systems and galvanised public demand for stronger national cybersecurity reforms and better safeguards.
Australia responded with the Cyber Security Act of 2024, which introduced mandatory reporting of ransomware and cyber extortion payments starting 30 May 2025. While other countries have started to adopt reporting requirements, Australia’s legislation stands out as one of the first comprehensive mandates to take effect.
The government acted quickly, crafting a framework that balances national security needs with the realities organisations face as they recover from cybercrime. Importantly, the Act limits reporting obligations on the smallest businesses, keeping requirements targeted to larger organisations. This approach limits the reporting burden while ensuring the government can collect meaningful insights.
Below, we explain the new requirements, discuss the role of Active Cyber Insurance, and show how thoughtful, targeted reporting can strengthen national resilience.
Understanding how the new regulations impact businesses
The obligation to report applies if three criteria are met:
The reporting entity has more than AUD $3 million in annual turnover or is designated as critical infrastructure.
The organisation experiences a cybersecurity incident, either directly or indirectly, through its operations or partners.
The entity makes a payment (directly or through an intermediary) to an extorting entity.
Entities meeting all three criteria must notify the Australian Signals Directorate (ASD) within 72 hours of payment. The report should include: the incident’s impact, the ransomware variant (if known), any known exploited vulnerabilities, the payment amount and method, and any communications with the attackers.
Failure to comply may result in a civil penalty of AUD $19,800. Organisations that receive a ransom demand but do not pay are not required to report. For the remainder of 2025, the government will focus on an “education-first” approach to help organisations adapt and comply with the new regulations.
While other countries have started to adopt reporting requirements, Australia’s legislation stands out as one of the first comprehensive mandates to take effect.
Active Insurance & digital resilience
Ransomware is one of the most complex and rapidly evolving challenges in today’s digital world. Australia’s national infrastructure remains vulnerable to cyber threats, yet private business owners and operators make the majority of security decisions. Each entity independently determines how much to invest in cybersecurity and the level of risk it is willing to accept.
Unfortunately, these choices do not always align with the broader public interest, and attacks can have far-reaching societal consequences. Meanwhile, cybercrime continues to grow more lucrative. Ransomware-as-a-service models, advances in artificial intelligence, and the widespread use of cryptocurrency have all made it easier for cyber criminals to launch and profit from attacks.
Coalition helps policyholders worldwide improve their resilience and transfer their financial risk. Active Cyber Insurance demonstrates that when insurers and policyholders collaborate, they can greatly reduce the risk of victimisation. When strong preventive measures are in place, policyholders reduce the need to confront the difficult decision of whether to pay a ransom.
Australia’s national infrastructure remains vulnerable to cyber threats, yet private business owners and operators make the majority of security decisions.
Real-world experience highlights the power of this approach. Consider the Citrix Bleed vulnerability (CVE-2023-4966). When Citrix announced the flaw on 10 October 2023, Coalition’s security team quickly identified the risk to widely used, internet-exposed devices, especially in medium and large enterprises. That same day, we notified affected policyholders and, when needed, offered hands-on technical support to help them secure their systems.
Within a week, threat actors started exploiting the vulnerability. A month later, ransomware gangs launched widespread attacks, which prompted the US Cybersecurity and Infrastructure Security Agency to publish its own advisory. Because Coalition acted quickly to help policyholders address the vulnerability, most avoided serious disruptions and did not have to decide whether to pay a ransom.
We believe this model sets a new standard for cyber risk management: Our data shows that Coalition policyholders experience significantly fewer claims (73%) than the industry average. Even with robust prevention, though, no defence is perfect. Reporting remains crucial, providing actionable data to strengthen defences and helping security professionals identify new and emerging threats before they become widespread.
Benefits of targeted, mandatory reporting
Organisations systematically under-report ransomware attacks, leaving the public and policymakers without a reliable view of incident frequency, extortion amounts, or criminal tactics. Policymakers need accurate, incident-level data to develop effective countermeasures and track the evolving tactics, techniques, and procedures (TTPs) of threat actors. Mandatory, targeted reports help close these knowledge gaps and enable better-informed policymaking.
Without mandatory reporting, public estimates of ransomware attacks and payment rates vary widely because researchers often rely on small surveys or self-reported data. For instance, a 2024 McGrathNicol ransomware report found that 69% of Australian survey respondents experienced a ransomware attack over the previous five years, and 84% of them paid the ransom. In contrast, direct incident data from cyber response firms present a very different picture.
Coveware data found that only 44% of Australian victims paid ransoms from 2019 to 2024, with the proportion declining year over year. These discrepancies underscore how hard it is to obtain a meaningful picture of the problem. By requiring incident reporting, the new rules can fill this gap and provide a far more accurate understanding of ransomware’s true impact.
In summary, reporting is valuable for several reasons:
For policymakers: Comprehensive, incident-driven data gives government leaders the ability to allocate resources and craft effective policy responses that match real threat levels, not just survey estimates.
For businesses: Nationwide data allows organisations to benchmark their defences and response strategies against actual attack trends, not hypothetical risks, so they can invest in targeted solutions.
For victims: Reliable, up-to-date incident data provides guidance and support during crises and can help make recovery less disruptive and more coordinated.
Without mandatory reporting, public estimates of ransomware attacks and payment rates vary widely because researchers often rely on small surveys or self-reported data.
Future considerations for the Australian government
As organisations report under the new law, the Australian government will be able to identify areas for improvement. With that in mind, we offer these observations.
We encourage the Australian government to periodically reassess and adjust the turnover threshold to ensure reporting requirements remain focused on Australia’s largest businesses. The reporting threshold is an elegant attempt to limit the reporting burden on small businesses while simultaneously ensuring the government collects meaningful insights into ransomware, extortion activity, and related payments. We understand that fewer than 7% of registered businesses currently meet the turnover threshold, but that will change over time.
The 72-hour reporting window may be overly ambitious. While other countries have proposed or adopted a 72-hour reporting timeframe, our experience with incident recovery suggests that meeting this deadline may be challenging for some. The immediate hours and days following a ransomware event are critical. Incident response and recovery efforts often take weeks or months, and a strict 72-hour deadline could divert attention from essential remediation. We recognise that the Cyber Security Act 2024 establishes a 72-hour timeline, making immediate changes unlikely; however, we offer this observation for future consideration as laws and policies evolve.
Future considerations for Australian enterprises
Despite larger breaches capturing headlines, such as those involving Optus, Medibank, and, more recently, Qantas, small and midsize enterprises still face cyber threats. Threat actors still view Australia’s strong economy, growing national wealth, and evolving business environment as target-rich for various types of digital crime, including ransomware.
We recommend that all organisations implement appropriate controls for their size, scale, and impact to prevent becoming a victim. Businesses should implement incident response plans, inclusive of establishing relationships with organisations that can help minimise the impacts of cybercrime. We also recommend they consider transferring risk to a cyber insurance provider, given the prevalence of cyber threats and the damaging impacts they can have.
