Australia: Cyber Security (Ransomware Payment Reporting) Rules 2025 were registered

On 3 March 2025, the authorised version of the Cyber Security (Ransomware Payment Reporting) Rules 2025 were registered. The rules establish reporting obligations for entities impacted by ransomware payments under the Cyber Security Act 2024. They apply to reporting business entities, including critical infrastructure operators and businesses meeting a turnover threshold of USD 3 million. Affected entities are required to provide detailed reports within 72 hours. These reports must include information on the cyber security incident, extortion demands, payment details, and communications with the extorting entity. The Rules prescribe the content and format of the ransomware payment reports to assist in incident response and mitigation.