The New Cyber Security Act 2024: What the 72-Hour Reporting Rule Means for You

Jannis Herbst·20 March 2026·4 min read

The Australian Government has passed the Cyber Security Act 2024, and it brings a significant change for businesses across the country. The biggest talking point is a new, mandatory 72-hour ransomware payment reporting rule, which took effect on 30 May 2025.

If your business is hit by ransomware and you decide to pay the extortionists to get your data back, you now have a legal obligation to tell the government about it. Here is a plain-English breakdown of what the new law requires, and whether it applies to your business.


Who Actually Has to Report?

Not every small business is caught by this obligation. The government is focused on organisations that hold significant amounts of data or provide essential services. You must comply with the 72-hour rule if you are:

  • A business operating in Australia with an annual turnover exceeding $3 million.
  • An entity responsible for a critical infrastructure asset (for example healthcare, energy, or transport providers), regardless of turnover.

If your business sits under the $3 million threshold and is not a critical infrastructure responsible entity, you are currently exempt. You should still treat ransomware as seriously as a larger business would. Attackers do not check your revenue before encrypting your files.


The Rule: 72 Hours from Payment

The clock does not start ticking the moment you get hacked, nor when the ransom demand arrives. The obligation is triggered by the payment.

If you make a ransomware or cyber extortion payment (or someone else, such as an insurer or negotiator, makes it on your behalf), you must report it to the Australian Signals Directorate (ASD) through its online portal within 72 hours of making the payment, or of becoming aware that the payment was made for you.

Crucially, this covers both money and non-monetary benefits. If you hand over cryptocurrency, digital assets, or anything else of value to get your systems decrypted or to stop stolen data being published, the government needs to know.

The report must include your business and contact details, details of the incident, the demand you received, the payment itself (how much and how it was made), and your communications with the extorting party. Start collecting and preserving those records as soon as a demand arrives, because 72 hours passes quickly during a live incident.

What Happens if You Don't Report?

Ignoring the rule will cost you. Failing to report within the mandatory timeframe is a civil penalty provision carrying up to 60 penalty units, which at the current penalty unit value of $330 equates to $19,800.


The "Limited Use" Safety Net

One of the major fears businesses have about reporting cyber incidents is that regulators will turn around and fine them for having poor security in the first place.

The good news is that the Cyber Security Act 2024 includes "limited use" provisions. Information you include in a ransomware payment report generally cannot be used by Commonwealth agencies against you for civil or regulatory enforcement action. The purpose of the legislation is to help the government understand threat actors and develop better policy, not to punish victims.

Two caveats worth knowing. The protection covers the contents of your report, not information a regulator obtains independently. And it does not replace your other obligations: if personal information was compromised, the Notifiable Data Breaches scheme under the Privacy Act still applies, and critical infrastructure entities still have their separate incident reporting duties.

Within those limits, you are actively encouraged to report without fear that the report itself will land you in trouble.


Stop Reacting and Start Preparing

The new reporting rule highlights a harsh reality: the Australian government expects businesses to take ransomware seriously. But the cheapest and least stressful way to deal with a ransomware payment is to never have to make one in the first place.

Preparation starts with knowing what to do in the first 10 minutes of a cyber attack — having that playbook ready before an incident makes the 72-hour reporting window far more manageable. You should also review your vendor supply chain risk, since third-party providers are a common ransomware entry point.

If you are not sure whether your current IT setup has the fundamental controls needed to keep ransomware out of your network, it is time to take a proper look under the hood.

We have responded to many ransomware attacks and know how threat actors break in. Want to find your weaknesses before they do? Our compliance-focused security assessments give you a clear, jargon-free roadmap to securing your business.

To understand where your business stands, we offer a free initial consultation. Get in touch.
