Getting Ready for the Cyber Security Act

On 29 November 2024, the Cyber Security Act 2024 received Royal Assent and became Law. The Cyber Security Act includes measures to introduce a mandatory ransomware and cyber extortion reporting obligation for certain businesses to report ransom payments.

The Ransomware Payment Reporting Rules will commence from 30 May 2025. Under the Cyber Security Act, the turnover threshold for an entity to report ransomware payments is AUD $3 million.

If captured, A&A recommends that Businesses update their relevant information security policy to include obligations to make a report within 72 hours of making the ransomware payment (or becoming aware that the ransomware payment has been made) and have sufficient procedure to ensure the report can be made in time.