From 30 May 2025, Australian financial services businesses will be legally required to report ransomware payments within 72 hours of making or becoming aware of the payment.
This obligation is part of the Cyber Security Act 2024 and is detailed in the Cyber Security (Ransomware Payment Reporting) Rules 2025.
These rules apply to any business:
✔ With annual turnover above $3 million, or
✔ Responsible for critical infrastructure under federal law
Our reporting template helps financial services businesses prepare early, stay compliant, and respond confidently — with alignment to CPS 234, the Essential Eight, and the Cyber Security Act 2024.
Built to align with the Cyber Security (Ransomware Payment Reporting) Rules 2025, the template provides a structured framework for recording all required reporting elements.
The template also includes a submission checklist to ensure the report is complete before submitting via the ASD ransomware reporting portal.
✔ Your business name, ABN, and address
✔ A primary contact person and reporting role
✔ When the ransomware attack occurred
✔ When the business discovered the incident
✔ The impact on operations and customer-facing services
✔ Amount requested and paid
✔ Method of payment (e.g. cryptocurrency, bank transfer)
✔ Reference information and payment proof
✔ Channels used (email, secure portal, app)
✔ Description of contact, threats, or negotiations
✔ Supporting documents (e.g. screenshots)
✔ Steps taken by the business (e.g. system isolation, recovery)
✔ Law enforcement or ASD notifications
✔ Additional observations or follow-up actions
This resource is ideal for all Australian financial services businesses, including:
✔ Financial planners and advisers
✔ Credit providers and mortgage brokers
✔ Wealth management firms
✔ Fintech platforms
✔ APRA-regulated businesses under CPS 234
Whether responding to an incident or preparing your response plan, this template supports timely, structured reporting.
The 72-hour reporting window becomes mandatory from 30 May 2025. Failure to comply may result in:
✔ Regulatory scrutiny under the Cyber Security Act 2024
✔ APRA audit findings under CPS 234
✔ Loss of client trust and reputational risk
Find clear answers to common questions about ransomware payment reporting, including CPS 234 compliance, the 72-hour deadline, and what financial firms need to include in their reports.
Still have questions?
Speak to our team about DefenderSuite and your reporting obligations.
From 30 May 2025, Australian businesses must report ransomware payments within 72 hours of making or becoming aware of the payment.
Any business with an annual turnover above $3 million, or that manages critical infrastructure, is subject to the reporting rules.
Reports must detail when the attack occurred and was discovered, the impact on the business or customers, the amount paid and method used, communication with the attacker, and any vulnerabilities exploited.
Reports are submitted via the official Australian Signals Directorate portal: cyber.gov.au/report-and-recover/report
Yes — this template helps meet the reporting and evidence requirements expected under CPS 234 and supports broader Essential Eight maturity goals.
DefenderSuite offers managed cybersecurity and compliance solutions tailored for financial services — including:
✔ Cyber Security Act 2024 readiness
✔ CPS 234 alignment & Essential Eight hardening
✔ Ransomware prevention and incident response