Part 3 of the Cyber Security Act 2024 (Cth) came into effect in May 2025 and brought a long-discussed shift to mandatory ransomware reporting in Australia. Businesses with annual turnover above $3 million, plus entities responsible for critical infrastructure, must now report any ransomware or cyber-extortion payment to the Australian Signals Directorate within 72 hours.
This is not optional. The 72-hour window starts when the payment is made or the demand received, depending on the scenario. The information required is non-trivial: amount, recipient (where known), nature of the incident, impact assessment. Most SMBs have neither an incident-response playbook that contemplates this nor a relationship with a forensic provider that can produce the right paperwork at 2 a.m.
The sensible response is to write the runbook now, not after the incident. Document who decides, who reports, who communicates, what evidence to preserve. Practice it. Hope to never use it.
