Australia’s Ransomware Reporting Laws Are Now Enforced — What Perth Businesses Must Do

By Chris Arceo / Feb 16, 2026 / Cybersecurity & Compliance

Since 1 January 2026, Australia’s mandatory ransomware payment reporting regime has moved into full enforcement. The education-first grace period is over. If your business turns over more than $3 million a year and you pay a ransom, or someone pays one on your behalf, you now have 72 hours to report it to the Australian Signals Directorate or face civil penalties. Most Perth businesses we speak to have no idea this law exists.

That is a problem. Not because the fine itself is catastrophic ($19,800), but because the law signals a much larger shift in how the Australian Government expects businesses to handle cyber security. If you are not already thinking about ransomware as a board-level risk, this is your wake-up call.

What the Cyber Security Act 2024 actually requires

Part 3 of the Cyber Security Act 2024 created Australia’s first mandatory ransomware payment reporting obligation. It applies to any business operating in Australia with an annual turnover above $3 million, as well as entities responsible for critical infrastructure assets regardless of turnover.

Here is what “reporting” means in practice. If your organisation makes a ransomware or cyber extortion payment, monetary or non-monetary, you must submit a report to the ASD via cyber.gov.au within 72 hours. “Payment” is defined broadly. It includes cryptocurrency, goods, services, or anything of value given to the attacker. If your cyber insurer or IT provider pays on your behalf, that still triggers the obligation.

The report must include your business details (including ABN), details of the incident, the impact on your operations, what was demanded, what was paid, and any communications with the threat actor. This is not a tick-box exercise. It requires detailed, accurate information under time pressure while your business is likely in crisis mode.

Why this matters even if you never plan to pay

We advise every client against paying ransoms. The Australian Cyber Security Centre shares that position. There is no guarantee your data will be restored, and payment funds further criminal activity. But the reporting obligation is only one part of the picture.

The real message from Canberra is clear: cyber security is no longer optional infrastructure for Australian businesses. The ransomware reporting regime sits alongside the Notifiable Data Breach scheme, the Security of Critical Infrastructure Act, and significantly increased penalties under the Privacy Act (up to $50 million for serious breaches). The regulatory walls are closing in, and businesses without a credible cyber security posture are increasingly exposed to both attackers and regulators.

For Perth SMBs, this is personal. The ACSC’s latest annual threat report found that the average cost of cybercrime for small businesses rose 14% to $56,600, while medium businesses saw a 55% jump to $97,000. Across Australia, a cybercrime is reported every six minutes. These are not hypothetical risks. They are hitting businesses like yours right now.

The three things most Perth businesses get wrong

“We are too small to be a target.” This is the single most dangerous assumption in cyber security. Research consistently shows that 43% of cyber attacks target small businesses, not because attackers are after your data specifically, but because your defences are weaker than a large enterprise. Automated attacks sweep the internet constantly. They do not check your revenue before striking.

“Our IT provider handles security.” Having a managed IT provider is a good start. But not all IT support includes meaningful cyber security. If your provider cannot articulate what controls they have in place (endpoint detection and response, access management, vulnerability patching, backup isolation), that is a gap you need to close.

“We will deal with it if it happens.” Ransomware does not give you time to improvise. The 72-hour reporting window starts ticking immediately. Without an incident response plan, tested backups, and clear escalation procedures, the first 72 hours after an attack will be chaos. That is when businesses make their worst decisions, including paying ransoms they did not need to pay.

How the reporting regime connects to frameworks like SMB1001 and Essential Eight

If your business follows a recognised cyber security framework, you are already ahead. The SMB1001 framework, designed specifically for Australian small and medium businesses, provides a structured path from basic security hygiene through to advanced controls. The 2026 update to SMB1001 added mandatory email authentication controls that directly address business email compromise, one of the most common attack vectors leading to ransomware. Similarly, the Essential Eight from the ASD gives you eight specific strategies that mitigate the vast majority of cyber threats.

Here is the connection most people miss: businesses that implement these frameworks are far less likely to find themselves in a position where ransomware succeeds. Multi-factor authentication alone blocks up to 90% of credential-based attacks. Application whitelisting stops unknown malware from executing. Regular, isolated backups mean you can recover without paying a cent.

We see these frameworks as the foundation, not the ceiling. For businesses wanting stronger protection, the Further Five controls add layers like network segmentation, penetration testing, and advanced threat detection that make a ransomware attack significantly harder to execute.

What about cyber insurance?

Cyber insurance is part of the picture, but it is not a substitute for actual security controls. Insurers know this. Over the past two years, Australian cyber insurance providers have dramatically tightened their requirements. Many now mandate multi-factor authentication, staff security training, endpoint detection and response, and tested backup procedures before they will even issue a policy. It is worth noting that Microsoft is bundling stronger security features into standard M365 licences from July 2026, but those features still need to be configured correctly to count.

If your business pays a ransom and your insurer reimburses you, or pays the attacker directly, the reporting obligation still applies. And if your insurer discovers that your security controls were inadequate, they may deny the claim altogether. Insurance works best as a backstop for well-defended businesses, not as a safety net for those who have not invested in prevention.

What you should do now

Review your incident response plan. If you do not have one, create one. If you do, update it to include the mandatory ransomware reporting requirement. Make sure at least two people in your organisation know the process, including where to submit the ASD report and what information is needed. Run a tabletop exercise so the plan does not live in a drawer.

Audit your current security posture against a framework. Whether it is SMB1001 Bronze+, Essential Eight Maturity Level One, or a combination, measure where you stand today. Identify the gaps that would allow ransomware to succeed: unpatched systems, weak authentication, backups connected to your production network. Fix the highest-risk items first.

Talk to your IT provider about ransomware readiness. Ask them directly: what happens if we get hit with ransomware tomorrow? If the answer is vague, or if they cannot show you tested backup recovery, isolated backup storage, and a documented response process, it is time to have a serious conversation. Contact Epic IT for a free security gap analysis. We will give you a clear picture of where you stand and what needs to change.

Frequently asked questions

Who is required to report ransomware payments in Australia?

Under the Cyber Security Act 2024, any business operating in Australia with an annual turnover above $3 million must report ransomware or cyber extortion payments to the Australian Signals Directorate within 72 hours. Entities responsible for critical infrastructure assets must also report regardless of turnover. Commonwealth and State government bodies are exempt.

What is the penalty for not reporting a ransomware payment in Australia?

Failure to report a ransomware payment when reporting is mandatory can result in a civil penalty of up to 60 penalty units, currently $19,800. While the fine itself may seem modest, non-compliance also signals to regulators and insurers that your organisation lacks adequate cyber security governance, which can have far greater consequences.

Does the mandatory ransomware reporting apply to small businesses in Perth?

If your Perth business has an annual turnover below $3 million, you are not currently captured by the mandatory ransomware reporting regime. However, the broader regulatory trend toward mandatory cyber security obligations means this threshold could change. Regardless, implementing a cyber security framework like SMB1001 or Essential Eight protects your business from ransomware whether or not reporting applies to you.

What cyber security framework should Perth SMBs use to prevent ransomware?

For Perth small and medium businesses, we recommend starting with the SMB1001 framework at Bronze+ level, which covers the fundamentals including multi-factor authentication, regular patching, and backup procedures. Businesses handling sensitive data or operating in regulated industries should also consider the Essential Eight, which provides eight specific mitigation strategies endorsed by the Australian Signals Directorate.

When did Australia’s ransomware reporting enforcement begin?

The mandatory ransomware payment reporting obligation commenced on 30 May 2025 under the Cyber Security Act 2024. Phase 1 (education-first approach) ran from May to December 2025. Full enforcement under Phase 2 began on 1 January 2026, meaning businesses are now subject to active compliance and enforcement by the Department of Home Affairs.

Concerned about ransomware readiness?

Our Perth-based cyber security team can assess your current defences, identify gaps, and build a practical plan to protect your business. Contact us on 1300 EPIC IT for a free security gap analysis.


About the Author
Written by Chris Arceo, Cyber Security Officer at Epic IT — a CRN Fast50-recognised managed IT services provider in Perth. Chris holds a Bachelor of Science in Information Technology (Network Administration) and over a dozen active certifications including CompTIA Security+, Cisco CCNA, and specialist qualifications across Datto, Sophos, Kaseya, and ConnectWise platforms.
