Do Son 
Australia is ushering in a new chapter in its battle against cybercrime: under recently enacted legislation, major corporations are now required to formally notify the government when ransom payments are made to ransomware operators. This obligation is enshrined in the Cyber Security Bill 2024, which came into effect on May 30.
The new regulations apply to all businesses with an annual turnover exceeding 3 million Australian dollars—approximately 1.92 million USD or 150 million rubles. These entities are granted a 72-hour window to report any ransom payment to the Australian Signals Directorate (ASD). While the act of paying a ransom is not explicitly prohibited, the government has made it clear that such actions are officially discouraged.
According to ASD’s annual report, only 121 such incidents were investigated last year, despite a significantly higher number of actual attacks. Authorities hope the new reporting mandate will help bridge this discrepancy.
Following the law’s enactment, companies will be granted a six-month transitional period for compliance—during which only egregious violations will be penalized. Starting in 2026, the reporting requirement will be fully enforced. Non-compliance may result in fines of up to 19,800 Australian dollars (roughly 1 million rubles), with potential for higher penalties in the future.
Organizations will now be expected to provide not only their business identification numbers but also detailed accounts of each incident: the timing of the attack, whether data was stolen or encrypted, vulnerabilities exploited, estimated losses, and the ransom amount and currency.
Australian authorities explain that gathering such data will offer clearer insights into which ransomware families most frequently target local businesses and the overall scale of the threat. This statistical analysis is expected to shape future legislative strategies.
The threshold for mandatory reporting has been set deliberately high—government estimates suggest that fewer than 7% of Australian companies will fall within the law’s scope. However, these enterprises are typically custodians of vast troves of personal data and represent prime targets for cybercriminals.
Similar legislative efforts are underway globally. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) is finalizing its own rules on ransom payment disclosures. Meanwhile, the United Kingdom is preparing to take even bolder steps: proposing an outright ban on ransom payments by the public sector, mandating disclosures from large private firms, and introducing a regulatory mechanism requiring victims to obtain government approval prior to paying ransom demands.
Donate