New Cybersecurity Act Legislation: What Businesses Must Do To Prepare For Ransomware Reporting

May 27, 2025


The Cyber Security Act 2024 has shifted from theory to enforceable law, and for businesses operating in critical sectors across Australia, the final countdown is now in motion.

As of 30 May 2025, ransomware incident reporting is no longer optional. If your organisation is subject to the Act and fails to comply with these obligations, you risk penalties, audits, and potential downstream consequences for contracts, insurance, and your reputation.

This blog consolidates what you need to know, what you should already have in place, and what happens once enforcement begins.

What Is the 30 May Ransomware Deadline?

The Act has introduced a phased rollout of cybersecurity obligations. One of the key measures taking effect on 30 May 2025 is mandatory ransomware reporting for regulated entities. This includes businesses operating in or supporting:

  • Critical infrastructure sectors (energy, healthcare, water, telecommunications, etc.)
  • Designated regulated industries (including finance, ICT, logistics, and others named in the legislation)
  • Businesses with an annual turnover above $3 million

Businesses that do not meet these criteria, such as small businesses below the turnover threshold, Commonwealth bodies, and state bodies, are exempt from this obligation.

If a ransomware incident occurs, including unauthorised encryption of systems or the payment of a ransom or other benefit, businesses must report the incident through the ASD’s Cyber.gov.au portal, either immediately or within 72 hours, depending on the scenario.

For a deep dive into what the law requires and how to comply, refer to the following guide: Ransomware Reporting in Australia: What Businesses Must Do Under the New Law

Key Actions Businesses Should Already Have Completed

As the deadline nears, businesses should now be in the final stages of readiness. If you're still in catch-up mode, prioritise the following:

1. Confirm Your Regulatory Status

Determine whether your business is directly regulated, indirectly obligated, or part of a critical supply chain. Uncertainty here is itself a risk: assume you are in scope until proven otherwise. To assess your obligations, review the Cyber Security (Ransomware Payment Reporting) Rules 2025, published by the Department of Home Affairs. These outline which businesses are required to report ransomware payments and under what conditions.

2. Ransomware-Ready Incident Response Plan

Ensure your incident response plan includes:

  • Specific procedures for ransomware scenarios
  • Role assignments for response, communication, and reporting
  • Escalation paths and legal/insurance contacts

Download your free ransomware reporting template to ensure your business is prepared ahead of the 30 May 2025 compliance deadline.

3. Monitoring and Detection Capabilities

To comply with ransomware reporting requirements, your business must be able to detect threats rapidly, assess their impact, and retain verifiable evidence (logs and timestamps) of what occurred, since the report must be made within a fixed window of the incident.

Effective monitoring and detection involve a layered approach, which may include services such as:

  • Security Alert Response – Real-time monitoring and escalation for critical threat alerts
  • Dark Web Monitoring – Identifies exposed credentials and compromised data being circulated online
  • Exploit Mitigation Service (EMS) – Detects and blocks attempts to exploit known vulnerabilities
  • Identity Threat Protection (ITP) – Monitors for abnormal access behaviours and identity misuse
  • Adaptive Threat Response (ATR) – Dynamically adjusts defensive controls in response to evolving threats

These capabilities, delivered through DefenderSuite, help your business identify ransomware activity early, capture essential forensic evidence, and respond within mandated timeframes.

Learn how DefenderSuite keeps your business secure and compliant.

4. Training and Testing

Even the best security systems can fail if your team isn’t prepared to act. Would your team recognise a phishing email, a suspicious login prompt, or a fake file download? Training ensures your employees recognise threats and respond correctly under pressure.

Employee training should go beyond basic awareness. It can include phishing simulations, secure password management using a centralised vault, and controls such as privilege escalation prevention to limit unnecessary access — all of which strengthen your defensive layers.

Protect your business with DefenderElite’s fully comprehensive User Training & Privilege Management services.

5. Pre-Built Reporting Processes

Automate what you can. Have the following:

  • Reporting templates ready (see our free download below)
  • A workflow for preparing and submitting to ASD
  • Pre-approved messaging for internal/external stakeholders

Learn More about the Immediate Recommendations Under the New Bill and how you can prepare your team. The ASD has also compiled a ransomware reporting factsheet to help guide the process.

6. Legal and Insurance Alignment

Review contracts and cyber insurance policies. Non-compliance with regulatory obligations may void coverage or constitute a breach of contract.

If you are not sure where to start, the ASD has compiled a factsheet to help guide the process.

Source: ASD Guide on When a Ransomware Report Is Required

What Happens After the 30 May Deadline?

Once the 30 May deadline passes, the focus shifts from preparation to enforcement. Businesses will be expected to demonstrate compliance with ransomware reporting obligations, and failure to do so may carry financial, contractual, and reputational consequences.

1. Penalties and Civil Enforcement

Failure to report a ransomware incident, or reporting outside the required timeframe, can result in civil penalties of up to 60 penalty units (approximately $18,780 AUD, based on current rates). These penalties may escalate in cases of repeated or deliberate non-compliance.

Importantly, the Australian Signals Directorate (ASD) and the Department of Home Affairs have indicated an education-first approach to enforcement. In particular, small and medium enterprises can expect the focus to be on guidance, engagement, and warnings before penalties are applied.

2. Audits and Regulatory Oversight

Regulated entities may be subject to audits and asked to demonstrate how they are meeting reporting obligations. This may include documentation of internal policies, reporting procedures, and incident logs. Both proactive audits and reactive investigations are expected.

3. Public Disclosure and Sector Reputation

While individual reports remain confidential, anonymised incident data may be published to inform government strategy and sector risk. Clients, insurers, and board members may also seek assurance that your business is aligned with the Act.

4. Increased Insurance Scrutiny

Cyber insurance providers are likely to examine whether policyholders have complied with regulatory obligations when assessing claims. A failure to report a ransomware incident in accordance with the Act may impact eligibility, payout decisions, or future coverage terms.

For a complete ransomware response process, read: Ransomware Attack? Here’s What Every Australian Business Must Do Within 72 Hours

We’re Here to Help

At Superior IT, we specialise in helping Australian businesses navigate the complexities of cybersecurity compliance. From ransomware protection to regulatory reporting, our team works with you to implement solutions that reduce risk, improve resilience, and ensure alignment with the Cyber Security Act 2024 and other industry-specific requirements.

Whether you need support understanding the new 72-hour ransomware reporting obligations, building a compliant incident response plan, or meeting ongoing audit and data protection standards—we’re here to help.

Call Us: 1300 93 77 49

Email Us: info@superiorit.com.au

Explore DefenderSuite: Visit Our Website

Sources:

Australian Government Department of Home Affairs. Cyber Security Act 2024.

Australian Signals Directorate (ASD). Report a Cyber Incident. Cyber.gov.au.

Federal Register of Legislation. Cyber Security (Ransomware Payment Reporting) Rules 2025.

Australian Government Department of Home Affairs. Home Affairs website.

Australian Signals Directorate (ASD). Factsheet: Ransomware Payment Reporting (PDF).

Australian Signals Directorate (ASD). Australian Signals Directorate homepage.
