From 30 May 2025, Australian education providers will be legally required to report ransomware payments within 72 hours of making or becoming aware of the payment.
This obligation is part of the Cyber Security Act 2024 and is detailed in the Cyber Security (Ransomware Payment Reporting) Rules 2025.
These rules apply to any business:
✔ With annual turnover above $3 million, or
✔ Responsible for critical infrastructure under federal law
Our reporting template helps education providers prepare early, stay compliant, and respond confidently — with alignment to CPS 234, the Essential Eight, and the Cyber Security Act 2024.
Built to align with the Cyber Security (Ransomware Payment Reporting) Rules 2025, the template provides a structured framework for recording all required reporting elements.
The template also includes a submission checklist to ensure the report is complete before submitting via the ASD ransomware reporting portal.
✔ Your business name, ABN, and address
✔ A primary contact person and reporting role
✔ When the ransomware attack occurred
✔ When the business discovered the incident
✔ The impact on operations and customer-facing services
✔ Amount requested and paid
✔ Method of payment (e.g. cryptocurrency, bank transfer)
✔ Reference information and payment proof
✔ Channels used (email, secure portal, app)
✔ Description of contact, threats, or negotiations
✔ Supporting documents (e.g. screenshots)
✔ Steps taken by the business (e.g. system isolation, recovery)
✔ Law enforcement or ASD notifications
✔ Additional observations or follow-up actions
This resource is ideal for all Australian education providers, including:
✔ Primary and secondary schools
✔ Independent or Catholic education institutions
✔ Registered Training Organisations (RTOs)
✔ Early learning centres
✔ Vocational and tertiary education teams
Whether responding to an incident or preparing your response plan, this template supports timely, structured reporting.
The 72-hour reporting window becomes mandatory from 30 May 2025. Failure to comply may result in:
✔ Regulatory scrutiny under the Cyber Security Act 2024
✔ Loss of client trust and reputational risk
Find clear answers to common questions about ransomware payment reporting, including the 72-hour deadline and what education providers need to include in their reports.
From 30 May 2025, Australian businesses must report ransomware payments within 72 hours of making or becoming aware of the payment.
Any business with an annual turnover above $3 million, or that manages critical infrastructure, is subject to the reporting rules.
Reports must detail when the attack occurred and was discovered, the impact on the business or customers, the amount paid and method used, communication with the attacker, and any vulnerabilities exploited.
Via the official Australian Signals Directorate portal: cyber.gov.au/report-and-recover/report
DefenderSuite offers managed cybersecurity and compliance solutions tailored for education providers — including:
✔ Cyber Security Act 2024 readiness
✔ Essential Eight hardening
✔ Ransomware prevention and incident response