Responding to ransomware

Australia has implemented a first-of-its-kind requirement for companies to report ransomware payments. In-House Perspective assesses this development and the approaches taken by other jurisdictions towards ransomware.
Businesses covered under the new Australian legislation that make a payment in response to a cybersecurity incident, or become aware of such a payment being made on their behalf, must now report it. The report must be sent to the Australian Signals Directorate (ASD), the country’s signals intelligence body, as required under the Cyber Security Act 2024.
Two types of businesses are required to disclose ransomware payments: those companies deemed to be responsible for critical infrastructure assets as defined by the Security of Critical Infrastructure Act 2018, and those that ‘carry on business’ in Australia and have an annual turnover of AUD 3m or more. The latter don’t necessarily have to be Australian-based or owned. Rather, if they have any business operations that occur in Australia and have an annual turnover of AUD 3m or more, they may be required to report a ransomware payment. As a result, the law applies to a range of multinational companies that have a footprint or business dealings in the country.
Under the legislation, businesses must submit a report on the ASD government website within 72 hours of either making a ransomware payment or becoming aware of one. Core to this disclosure, the report must include details of how much was asked for and what was paid, as well as the type and severity of the cyber incident for the entity and its customers. It must also include the details of any third party that made the payment, the type of malware used, what vulnerabilities in the organisation were exploited and any communications with those seeking the ransom payment. Significantly, ‘payment’ isn’t limited to cash – it can include gifts, services or other benefits. Additionally, companies have a duty to report whether the incident has already happened, is occurring presently or is about to take place.
While the law doesn’t make ransomware payments illegal, a failure to report them can result in up to 60 penalty units – a standardised measure used in Australia to calculate the monetary value of fines for various offences. The amount is currently set at AUD 19,800 for this offence. However, Australia’s Department of Home Affairs has indicated that it’ll take an ‘education first’ approach for the first six months – up until 31 December 2025 – and only pursue regulatory action in cases of egregious non-compliance. From the beginning of 2026, the department will pursue more active enforcement.
Except in limited circumstances, any information contained in a ransomware payment report is not admissible in criminal or civil proceedings, nor does the obligation to report affect legal privilege. But legal action could still be taken under other legislation. For example, the breach of data could result in punitive action from the data protection authority, the Office of the Australian Information Commissioner (OAIC), while paying a ransom to a designated person or organisation – such as a prescribed terrorist group – could breach the country’s sanctions rules.
Other countries may soon follow Australia’s lead in this area. In April 2024 the US Department of Homeland Security proposed new reporting requirements for ‘covered entities’ under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), while in July the UK’s Home Office put forward measures that would see mandatory reporting of ransomware payments come into effect for businesses, and a complete ban on public sector bodies and critical infrastructure operators making them.
Some jurisdictions, meanwhile, have imposed reporting duties for at least some business sectors. For example, from 1 January 2025, Switzerland’s Information Security Act and Cybersecurity Ordinance have required operators of critical infrastructure to disclose if a ransom payment has been requested, irrespective of whether such payment will eventually be considered or made, though other businesses are generally exempt – except in cases of payments being made to sanctioned entities or organised crime.
Enhancing Australia’s resilience
It’s not difficult to see why the Australian government decided to act. According to the most recent Australian Cyber Network State of The Industry report, in 2024 the country ranked seventh globally for ransomware attacks, accounting for two per cent of global incidents. In 2024 alone 69 per cent of Australian businesses experienced a ransomware attack, up from 56 per cent in 2023, and 84 per cent of those affected opted to pay the ransom, often under duress. The average payment reached AUD 1.35m, up from AUD 1.03m in 2023.
Veronica Scott, a partner and cyber law practitioner in the Melbourne office of law firm Pinsent Masons, says one purpose of Australia’s notifiable data breach scheme and cyber incident reporting is to give regulators and government the intelligence to understand where these events are happening and where the risks are, and to provide guidance to organisations about the controls and measures they should implement to address those risks. She adds that regulators are now more likely to actively pursue organisations that don’t invest in having the right cyber security measures in place.
Katarina Klaric, Co-Chair of the IBA Technology Disputes Subcommittee, believes that with the significant increase in ransomware and cybersecurity extortion incidents having an impact on the Australian economy, it’s critical that government and industry work together to respond effectively and to develop defences. She adds that mandatory reporting will assist the Australian government with intelligence gathering and with enhancing resilience and defences, and will enable it to provide support and advice to businesses on how to better protect their systems and networks.
Between July and December 2024 the OAIC received 595 data breach notifications under the Privacy Act’s mandatory Notifiable Data Breach Scheme. Some 61 per cent of the notifications involved malicious or criminal attacks. And although another 22 per cent involved ransomware, the scheme didn’t require organisations to report them. For Klaric, who’s also Director and Principal of Stephens Lawyers & Consultants, a Melbourne-based boutique law firm, this is a clear sign that ‘the voluntary scheme for reporting of ransomware payments was not working. This meant that government did not have up to date data and intelligence to respond to incidents and support impacted industry’.
Assessing mandatory reporting’s effectiveness
However, commentators outside Australia have mixed views on whether such reporting requirements will have much success in either deterring ransomware attacks or improving cybersecurity resilience in organisations. Lasse Konrad, a partner in data protection and litigation at German law firm Härting, believes that reporting ransomware attacks to regulators can be useful as it can raise awareness among other companies and prompt them to review their cybersecurity efforts, particularly if attackers are focusing on specific industry sectors. He’s less certain about the benefits of companies being forced to disclose how much they paid. ‘I’m not sure any organisation’s cybersecurity resilience will improve by telling a regulator how much they were forced to pay to either prevent or mitigate an attack. Once you’ve been hit, ransomware payments are often negotiated – they’re not standardised. Hackers will simply take as much as they can get,’ he says.
Konrad also highlights the predicament of whether companies will face legal or regulatory action for any breach they disclose. In Germany, for example, there was already a legal duty on companies to report ransomware attacks to the regulator before the EU General Data Protection Regulation (GDPR) came into force. However, this now means that organisations risk being fined under the GDPR for failing to take appropriate measures to prevent the data breach they have just reported. As a result, he says, companies are probably debating whether to disclose a ransomware breach if the data stolen is publicly accessible elsewhere – such as a phone directory – or if the risk of financial harm is very low or non-existent.
Roland Mathys, Senior Vice-Chair of the IBA Technology Law Committee, says he too is ‘generally rather sceptical’ about Australia’s new reporting duty. ‘I cannot easily identify the purpose or added value of such a duty,’ he says. ‘In my view, it mainly serves to deter companies from making ransomware payments as they may fear reporting.’
Mathys, who’s a partner at Swiss law firm Schellenberg Wittmer, adds that he doesn’t expect any material improvement in cybersecurity as a result of the reporting duty, either. ‘Cybersecurity will predominantly be improved by fostering cyber resilience, mainly by taking appropriate preventive (pre-incident) measures,’ he says. Mathys adds that he would generally advise companies to report only if obliged to do so – and to keep it as short as possible. ‘In my experience, reporting absorbs significant internal and external resources at a very critical point of time where other actions should take priority, such as containment and mitigation of the cyberattack’s impact,’ he says.
Where the law obliges companies to report, Martin Schirmbacher, Member of the IBA Technology Law Committee Advisory Board, advises them to comply, but also adds not to ‘volunteer a single line more than the statute demands’. He highlights that the Australian law requires companies to lodge a report within 72 hours and to provide only the data elements listed. ‘Anything beyond that risks exposing privileged material or commercial secrets, so until the regulator issues binding templates, companies that fall under the law should take a “minimum viable disclosure” approach,’ he says.
Furthermore, Mathys says he has ‘hardly ever come across any benefit of voluntary or comprehensive reporting’ and adds that ‘it also remains obscure to me how such reports will be processed or used by authorities to benefit the reporting entity or the industry in general’. Voluntary or extensive reporting, he says, may increase the risk of such attacks becoming public knowledge or may result in investigations against the reporting company, such as for a failure to meet appropriate data security standards.
Mathys believes that preventive – pre-incident – measures are ‘an absolute key element for a robust cybersecurity framework’. This includes measures that can mitigate legal issues, such as having a robust breach reporting policy and cyber insurance coverage. However, he says that preventive legal measures ‘are still massively underestimated by businesses, if not ignored altogether’. He adds that it’s also vital to include measures aimed at increasing enterprise-wide awareness, especially since the human factor is still the greatest source of weakness with regard to cybersecurity.
He also says it’s important to have a ‘resilient’ cybersecurity framework that addresses technical, organisational and legal measures. Many actions meant to mitigate incidents or remediate damage should be taken from a legal point of view, both pre- and post-incident, he says, adding that ‘in-house lawyers – supported by external experts – play a key role in this setup’.
But while he adds that ‘incident reporting in general, and ransomware incident reporting in particular, seem less important to me from an outcome and benefit perspective,’ Mathys says that ‘given that very short deadlines of 24 to 72 hours usually apply to such reporting duties, in-house lawyers will have no choice but to address these reporting obligations as a matter of high priority’.
Schirmbacher, who’s a partner at German law firm Härting, says Australia’s new rules are ‘a curious halfway house’ that ‘stop short of banning ransom payments yet impose a paperwork duty on affected companies’. This duty ‘may add a slight speed-bump, but it will not change the brutal [three AM] calculus: when factories are idle and backups have failed, most boards will still authorise payment and simply file the form afterwards,’ he says.
Schirmbacher says the real – and arguably only – upside lies in what he calls the ‘intelligence dividend’. He says that, for the first time, ‘law enforcement may receive structured, near-real-time data on wallet addresses, demand patterns and sectoral hotspots. That might shorten the shelf-life of ransomware crews and give governments an evidence base for tougher measures later. Time will tell whether this really helps’. Until then, mandatory reporting is more of a reputational nudge than deterrent, he says, in that it brings ransom payments out of the shadows but doesn’t remove the economic incentive to pay.
Like others, Schirmbacher is unconvinced that disclosing details of how much ransom was asked for and/or paid will make much difference, while the requirement to notify regulators about the demand may also duplicate similar reporting duties the company is already subject to. He says that while the EU’s second Network and Information Security Directive (NIS2) requires the reporting of significant security incidents, it doesn’t require disclosure as to whether a ransom was paid, or how much was handed over.
The same applies to GDPR breach notifications, he says. The EU’s approach focuses on incident notification and sanctions compliance, not on transparency around payments. Unless the money goes to a sanctioned entity – which would be illegal – companies are still free to pay and keep that information confidential. From his experience working with the German Federal Criminal Police Office (BKA), Schirmbacher says law enforcement is generally interested in technical indicators such as IP addresses and wallet IDs and the amounts of ransom that have been paid. ‘But they rarely insist on full disclosure of payments, and companies retain control over what financial details they share,’ he says.
In-house teams at the intersection
Since in-house legal teams sit at the intersection of regulatory compliance, risk management and crisis communications with regard to cyber incidents, Schirmbacher believes in-house counsel ‘need to be involved early and actively’ to lower liability exposure if ransomware payments are to be reported. Their active participation, he says, also helps to prove appropriate levels of due diligence to regulators and insurers. ‘Against the backdrop of yet another cybersecurity rule, the first job of in-house counsel is basic awareness. Make sure the new notification duty is wired into tabletop exercises, supplier contracts and business-continuity playbooks,’ he says, adding that in-house counsel need to secure board-level oversight, with clear key performance indicators and a standing requirement in place, so that any ransom decision made carries legal sign-off.
Konrad believes in-house lawyers should be the contact point to coordinate the response to the regulator to meet the disclosure requirements of any ransomware breach and/or payment. He also says they have an important role in raising awareness throughout the organisation about the need to follow cybersecurity protocols, and how the discovery of a data breach or ransom demand should be reported and escalated.
Scott says that organisations affected by Australia’s new requirements should ensure they incorporate Australia’s reporting threshold into their ransomware decision-making workflow. Legal counsel and incident response teams should also coordinate closely, particularly if payment is being considered, to evaluate timing, documentation and downstream reporting. As more jurisdictions consider similar reporting obligations, a globally consistent incident response plan – reflecting country-specific compliance triggers – can help multinational organisations reduce risk and streamline their crisis response, she adds.
Klaric believes that in-house lawyers can play a pivotal role in ensuring compliance, as well as in helping with corporate preparedness, since privacy, data protection and cybersecurity laws are complex, as are the reporting obligations. As such, she says, key areas of focus should include employee training and education; privacy and data protection compliance, including risk mitigation; and ensuring the business has adequate insurance to cover privacy breaches and cybersecurity incidents. She also believes in-house counsel can help develop and implement incident response plans – as well as assist in testing them in a simulated environment – and coordinate any mandatory reporting response to the regulator.
Schirmbacher is clear about the importance of in-house counsel’s role in any ransomware demand, report or coordinated response. ‘When an attack hits, counsel switch to execution mode: they test whether a payment is even lawful under sanctions or terrorism-financing rules, align incident-response, data protection, sanctions and insurance obligations across all jurisdictions, and coordinate privileged fact-gathering so that forensic findings stay shielded,’ he says. ‘Finally, they draft or vet the mandatory reports and steer external lawyers and [public relations personnel] to ensure every disclosure – whether to regulators, police or the market – tells the same legally defensible story,’ he adds.
While Australia may be the first country to require disclosure about ransom demands and payments from businesses, it’s becoming increasingly clear that other jurisdictions want more corporate disclosure regarding ransomware attacks and how other cybersecurity threats have been identified, mitigated and remedied. This will often involve the attention of multiple regulators, such as data protection authorities, financial watchdogs and cyber-intelligence agencies. Consequently, such reporting will require more input, coordination and leadership from in-house counsel, especially if requirements have an extra-territorial aspect to them.
Neil Hodge is a freelance journalist and can be contacted at neil@neilhodge.co.uk