Australia: Cyber Security (Ransomware Payment Reporting) Rules entered into force

On 30 May 2025, the Cyber Security (Ransomware Payment Reporting) Rules entered into force. The rules establish reporting obligations for entities impacted by ransomware payments under the Cyber Security Act 2024. They apply to reporting business entities, including critical infrastructure operators and businesses meeting a turnover threshold of USD 3 million. Affected entities are required to provide detailed reports within 72 hours. These reports must include information on the cybersecurity incident, extortion demands, payment details, and communications with the extorting entity. The rules prescribe the content and format of the ransomware payment reports to assist in incident response and mitigation.