Why this matters for your practice
Ransomware payment reporting is a newer obligation that catches practices off guard because it is separate from the data breach rules everyone knows about. Under the Cyber Security Act 2024, if a covered business makes a payment in response to a ransomware or cyber extortion demand, it must report that payment to the government within 72 hours. A serious ransomware attack on a practice can therefore trigger two distinct obligations at once: the notifiable data breach assessment and, if a payment is made, this report.
For a practice that holds sensitive health data, ransomware is a realistic threat, so understanding the reporting duty in advance matters.
What the obligation requires
- It applies to reporting business entities above a turnover threshold (in the order of $3 million in annual turnover).
- If such an entity makes a payment, or becomes aware that a payment has been made, in response to a ransomware or cyber extortion incident affecting it, it must report that payment.
- The report must be made within 72 hours of the payment or of becoming aware of it.
- The report goes to the designated Commonwealth body and includes details of the incident and the payment.
How it differs from the NDB scheme
| | Ransomware payment report | Notifiable data breach |
|---|---|---|
| Trigger | Making a ransomware payment | A breach likely to cause serious harm |
| Law | Cyber Security Act 2024 | Privacy Act 1988 |
| Timeframe | 72 hours | Assess within 30 days, then notify |
| Who is notified | Government | OAIC and affected individuals |
A single incident can trigger both.
What practices should do
- Decide your position on paying ahead of time, as part of your incident response plan.
- Build the 72-hour reporting step into that plan so it is not missed in a crisis.
- Strengthen prevention (for example the Essential Eight) so a payment decision never has to arise.
Common mistakes
- Confusing it with the NDB scheme, and notifying the wrong body or missing one obligation.
- No incident response plan, so the 72-hour clock is missed.
- Assuming small practices are exempt without checking the turnover threshold.
Frequently Asked Questions
What is ransomware payment reporting?
It is the obligation under the Cyber Security Act 2024 for certain businesses to report a ransomware or cyber extortion payment to the government within 72 hours of making it or becoming aware it was made. It applies to entities above a turnover threshold.
How is ransomware payment reporting different from a data breach notification?
They are separate obligations under different laws. The ransomware report goes to the government within 72 hours of a payment under the Cyber Security Act 2024, while a notifiable data breach is assessed and notified to the OAIC and affected individuals under the Privacy Act. One incident can trigger both.
Does ransomware payment reporting apply to small practices?
It applies to reporting business entities above a turnover threshold, in the order of $3 million in annual turnover. A practice should check whether it meets the threshold, and in any case should plan for ransomware because the data breach obligations can apply regardless of size.