The Cyber Security Act 2024 (The Act) is law aimed at enhancing Australia’s cyber security framework. It is part of the broader Cyber Security Legislative Package, which implements a number of initiatives from Australia’s 2023-2030 Cyber Security Strategy.
As part of its design and formation, the Act was informed by an extensive consultation process, including the release of the Cyber Security Legislative Reforms Consultation Paper in December 2023 and targeted consultation on an Exposure Draft package in September 2024.
The purpose of the Act is to address key areas to bring Australia in line with international best practices relating to cyber security. Some of the measures implemented in the Act are:
The Act received Royal Assent on 29 November 2024 and as a result, is now law. The Department of Home Affairs is currently conducting public consultation to develop subordinate legislation required to give effect to some of the measures under the Act. This consultation process will run until 14 February 2025.
Under the Act, there will be a mandatory ransomware and cyber extortion reporting obligation for certain businesses, which will require them to report ransom payments. This portion of the Act is not yet operational and is in the process of being implemented. In this respect, the Department of Home Affairs is currently conducting public consultation to develop the subordinate legislation required to give effect to this measure. It is expected that this consultation process will be finalised this month.
The draft rules for the mandatory ransomware payment reporting have also been released and are available for review. These rules outline the requirements for businesses to report ransom payments. The obligation applies to private sector entities that carry on business in Australia and meet an annual turnover threshold to be set (which is expected to be $3 million).
The draft rules outline several key requirements for businesses; the key points include:
A previous study[1] has looked at the prevalence of ransomware, the impact of ransom payments, and the effectiveness of law enforcement interventions. The findings indicated that law enforcement interventions, such as arrests, sanctions, and takedowns of leak pages, resulted in nearly half of ransomware groups ceasing their activities. This suggests that mandatory reporting can provide valuable data to law enforcement, enabling targeted action against ransomware groups.
Additionally, a policy report by the Australian Strategic Policy Institute[2] (ASPI) argues that the current policy vacuum makes Australia an attractive market for ransomware attacks. The report recommends the adoption of a mandatory reporting regime to increase transparency when attacks occur and to provide the government with better visibility of ransomware incidents. This information can help in developing strategies to combat cyber extortion and improve overall cyber security resilience.
In addition to the points set out above, the logic behind mandatory reporting of ransomware payments is based on several key points:
The implementation of mandatory ransomware payment reporting is expected to enhance Australia’s cyber security framework in several ways:
Overall, mandatory ransomware payment reporting is considered to be a crucial step towards building a more resilient and secure cyber environment. It provides valuable insights, enhances law enforcement capabilities, and promotes a culture of transparency and accountability in the fight against cybercrime.