Australia's ransomware payment reporting rules now have teeth: what the 72-hour clock means for your business
Pay a ransom in Australia and you have 72 hours to report it, and from January 2026 that deadline is enforced. What Melbourne businesses must know and do now.
Australia now puts a legal clock on ransom payments — and from January 2026 missing it costs real money, so every Melbourne business needs a plan before the day it matters.
Pay a ransom in Australia now and the law gives you 72 hours to tell the government; miss it and you face a civil penalty of up to roughly twenty thousand dollars. That is the practical upshot of the ransomware payment reporting obligation under the Cyber Security Act 2024, which commenced on 30 May 2025. For the first stretch the government took an education-first approach, but from January 2026 the focus shifts to enforcement. If you have not thought about what your business would do in the 72 hours after a ransom is paid, now is the time.
What the new rule actually says
The obligation is narrower and more specific than the headlines suggest, so it is worth being precise. Based on Department of Home Affairs guidance, here is the shape of it at the time of writing:
It is triggered by payment, not by the attack.
The reporting duty kicks in when a ransom or extortion payment is made — by you, or by someone acting on your behalf, such as an insurer, a lawyer or an incident-response firm. The breach itself is reported separately.
The clock is 72 hours.
You have 72 hours from making the payment, or from becoming aware that a payment was made on your behalf, to lodge the report with the designated channel.
It applies above a turnover threshold.
The legal obligation falls on businesses carrying on business in Australia with annual turnover above AUD $3 million; responsible entities for critical infrastructure assets are captured regardless of turnover. Many smaller businesses are technically out of scope, but, as below, that is not a reason to skip a plan.
The penalty is now enforceable.
Civil penalties run up to 60 penalty units — roughly $19,800 at the time of writing — for failing to report. The education-first period ran to 31 December 2025; the enforcement focus begins from January 2026.
Home Affairs has published guidance on exactly what a report must contain and how to lodge it. Expect to supply, at a minimum, your business and contact details, a description of the incident, the demand and the payment that was made, and the communications you had with the extorting party, so preserve those records from the first demand onward rather than trying to reconstruct them later. The detail can shift, so treat the official advisory as the source of truth and check it when an incident is live rather than relying on memory.
Why this matters even if you are under the $3M threshold
If your turnover sits below $3 million, the civil penalty does not apply to you today. That is a genuine relief — but it is the wrong thing to focus on. Two reasons. First, thresholds and scope get reviewed; a rule that captures larger businesses in 2026 has a way of widening over time. Second, and more importantly, the reporting obligation is a symptom of the real problem, not the problem itself. The problem is that a ransomware attack has reached the point where someone is seriously considering paying. By then the data is already encrypted, the business is already stopped, and the 72-hour clock is the least of your worries.
The honest takeaway: whether or not the law compels you to report, you want a plan that means you never have to. A reporting obligation is a floor, not a strategy. It is also not a trap: the Act includes a limited-use protection for the information in a payment report, so lodging it is less of a risk than businesses sometimes assume.
The 72 hours start in the worst possible moment
It helps to picture when this clock actually starts. It does not start in a calm boardroom. It starts in the middle of a live incident — systems down, staff locked out, customers calling, and a decision being made under pressure about whether to pay. That is precisely the moment when nobody wants to also be working out who reports what to whom, and within what deadline.
This is the case for having the answers written down before anything happens. A short, practical incident response plan that names who decides, who lodges the report, where the official guidance lives, and how the clock is tracked turns a panicked scramble into a checklist. The businesses that handle this well are the ones who decided in advance, not on the day.
How to stay on the right side of the rule — and avoid the payment altogether
The new obligation rewards two things: being prepared to report quickly, and being unlikely to ever need to. Both come down to the same security fundamentals. Here is where to put your effort:
Get the Essential 8 basics in place.
ASD's Essential Eight (patching applications and operating systems, application control, MFA, restricted admin privileges, user application hardening, macro restrictions and regular backups) blocks the common paths ransomware uses to get in and spread. We assess and lift your maturity through our Essential 8 work, because most ransomware intrusions go through a gap one of those controls is designed to close.
Detect early, before encryption.
Ransomware rarely encrypts the moment it lands; there is usually a window of reconnaissance and lateral movement first, which shows up as unusual privileged logons, newly installed remote-access tools, backup deletion and bulk data being staged for exfiltration. Our in-house 24/7 SOC watches for exactly those signals so an intrusion is caught and isolated before it becomes an encryption event, and a payment decision.
Make backups your real answer to a ransom demand.
Immutable, tested, offline backups are what let a business say no to a ransom and recover instead. Untested backups are not a plan, and backups that a compromised domain admin account can delete are not a plan either: keep the backup system's credentials separate from your production admins. Our disaster recovery and business continuity service exists so encrypted data is an inconvenience, not a crisis.
Decide who reports — and write it down.
Name the person responsible for lodging the 72-hour report, and make sure your insurer or any third party who might pay on your behalf knows to tell you immediately, because their payment starts your clock. Record the date and time the payment was made and the date and time you were told about it; the deadline is counted from whichever applies to you.
Where Key IT fits
We are a Melbourne security-first managed IT and cybersecurity partner, based in Greensborough and serving north-east Melbourne and the CBD. Our engineers are security-certified, our SOC runs in-house around the clock, and we have been doing this since 2021 — with no lock-in contract. For ransomware specifically, that means we work to keep you out of the position where a payment is even on the table: hardening identity and email, patching the holes attackers use, watching for intrusions in real time, and keeping recoverable backups. And if the worst does happen, our incident response process includes the regulatory steps — so the 72-hour clock is one we are tracking with you, not something you discover too late.
Frequently asked questions
Do I have to report a ransomware payment in Australia?
If your business has annual turnover above AUD $3 million, or is a responsible entity for a critical infrastructure asset, yes. Under the Cyber Security Act 2024 you must report a ransomware or extortion payment to the Department of Home Affairs within 72 hours of the payment being made, including payments made on your behalf by an insurer or another third party. The obligation commenced on 30 May 2025, with an enforcement focus from January 2026. Businesses under the threshold are not legally compelled, but should still report and, more importantly, have a plan to avoid paying at all.
What is the penalty for not reporting within 72 hours?
At the time of writing, failing to report can attract a civil penalty of up to 60 penalty units — roughly $19,800. An education-first period ran to 31 December 2025; from January 2026 the focus moves to enforcement. Because penalty amounts and guidance can change, confirm the current figure against the Home Affairs advisory when an incident is live.
Does the 72-hour clock start at the attack or the payment?
At the payment. The reporting obligation is triggered when a ransom or extortion payment is made, or when you become aware one was made on your behalf, not when the attack or breach is first detected. The underlying cyber incident may carry separate reporting obligations of its own, for example under the Notifiable Data Breaches scheme if personal information was accessed.
We are a small business under $3 million turnover. Can we ignore this?
You can ignore the legal reporting duty for now, but not the risk behind it. The obligation exists because ransomware is hitting Australian businesses of every size. Whether or not the law applies to you, the goal is to never be in a position where paying a ransom is your only option — which means working backups, MFA, patching and monitoring. We would rather help you avoid the incident than help you report it.
More insights
Why backups alone won't stop ransomware: Ransomware gangs delete backups and steal data before encrypting. Here's why backups alone aren't…
Akira ransomware & SonicWall VPN lesson: The Akira campaign against SonicWall VPNs locked networks in about an hour. What Melbourne…
What happens in a ransomware attack: A step-by-step look at how a ransomware attack unfolds against a business, and the preparation that…
Book your free IT & Cyber Security Review
See exactly where your IT and security stand, and what to fix first. No jargon, no obligation.