From 30 May 2025, Australian businesses face a significant shift in cyber compliance. Under the Cyber Security Act 2024, companies with an annual turnover exceeding $3 million are legally required to report any ransomware or cyber extortion payment to the Australian Signals Directorate (ASD) within 72 hours. It is the first law of its kind in the world to mandate disclosure of ransomware payments to authorities.
The mandatory reporting requirement applies to:
Businesses operating in Australia with an annual turnover above $3 million
Entities responsible for critical infrastructure under the Security of Critical Infrastructure Act
Organisations must report any ransomware or cyber extortion payments made directly or on their behalf, including payments in cryptocurrencies or non-monetary forms. The report should include:
Business and contact information, including ABN
Details of the cyber incident, its impact, and the ransomware variant involved
Information about the ransom demand and payment
Any communications with the threat actor
Failure to comply may result in civil penalties of up to 60 penalty units (currently $19,800).
To allow businesses time to adapt, the government has adopted an education-first approach from 30 May to 31 December 2025. Enforcement during this period will focus on deliberate or egregious non-compliance. From 1 January 2026, full enforcement begins, and penalties will apply for those who fail to report as required.
The new reporting law aims to:
Increase transparency around ransomware trends and threat actors
Disrupt ransomware profitability by discouraging quiet payments
Improve national resilience, encouraging businesses to invest in better defences
Although the law applies only to businesses with revenue above $3 million, ransomware threats remain a universal concern. Many attacks now involve data exfiltration, meaning that even after payment, sensitive information may still appear on the dark web.
To reduce exposure and liability, businesses must update their incident response plans and maintain visibility not only over their internal systems but also across third-party risks.
Ransomware groups often publish or sell stolen data on dark web marketplaces. Early detection of such leaks can be the difference between reputational damage and timely containment.
Dark web monitoring can reveal:
Indicators of Compromise (IOCs), such as file hashes or unusual network behaviour
Credential leaks that may enable attackers to escalate access
Mentions of sensitive company data or employee information for sale
Third-party exposure, where vendors or partners are breached and your data is included
This last point is particularly critical. A business may have strong internal security, but if a third party such as a law firm or payroll provider is compromised, your data could still end up for sale or ransom.
Oko, Rivanorth’s AI-driven threat intelligence and dark web monitoring platform, is designed to help Australian businesses meet these new compliance requirements and proactively manage their exposure. Its capabilities include:
Real-time alerts when credentials, company data, or mentions appear on ransomware dump sites
Monitoring of third parties, such as law firms, consulting companies and vendors, to identify indirect exposure
Intelligence reports that support 72-hour reporting obligations to the Australian Signals Directorate (ASD)
Custom feeds based on your industry, location, and threat profile
Australian-based support for fast response and tailored advice
By integrating Oko, businesses gain visibility not just over their own infrastructure but across their entire supply chain, helping ensure both compliance and early detection.
The introduction of mandatory ransomware payment reporting is a major development in Australia’s cyber security landscape. While it adds compliance obligations, it also presents an opportunity for businesses to become more resilient. With proactive measures, updated response plans, and platforms like Oko in place, organisations can meet their legal duties, minimise risk, and protect themselves from the growing threat of ransomware and third-party compromise.