From 30 May 2025, Australian legal services businesses that meet the thresholds below must report any ransomware payment within 72 hours of making the payment, or of becoming aware that a payment has been made on their behalf (for example by an insurer or a negotiator). The 72 hours runs from the payment, not from the attack or its discovery.
This obligation is created by the Cyber Security Act 2024 and is detailed in the Cyber Security (Ransomware Payment Reporting) Rules 2025.
These rules apply to any business that:
✔ Had annual turnover above $3 million in the previous financial year, or
✔ Is the responsible entity for a critical infrastructure asset under the Security of Critical Infrastructure Act 2018
Our reporting template helps legal services businesses prepare early, stay compliant, and respond confidently, with alignment to the Essential Eight and the Cyber Security Act 2024.
Built to align with the Cyber Security (Ransomware Payment Reporting) Rules 2025, the template provides a structured framework for recording every required reporting element.
The template also includes a submission checklist to ensure the report is complete before it is submitted via the ASD ransomware reporting portal.
✔ Business name, ABN, and address
✔ A primary contact person and reporting role
✔ When the ransomware attack occurred
✔ When the business discovered the incident
✔ The impact on operations and customer-facing services
✔ Amount demanded and amount actually paid
✔ Method of payment (e.g. cryptocurrency, bank transfer)
✔ Payment reference information and proof of payment
✔ Communication channels used by the attacker (e.g. email, secure portal, messaging app)
✔ Description of contact, threats, or negotiations
✔ Supporting documents (e.g. screenshots)
✔ Steps taken by the business (e.g. system isolation, recovery)
✔ Law enforcement or ASD notifications
✔ Additional observations or follow-up actions
This resource is ideal for all Australian legal services businesses, including:
✔ Boutique and mid-tier law firms
✔ Legal compliance and risk teams
✔ Practice managers and operations leads
✔ IT and cyber professionals supporting legal systems
Whether responding to an incident or preparing your response plan, this template supports timely, structured reporting.
Reporting within 72 hours is mandatory from 30 May 2025. Failure to comply may result in:
✔ Civil penalties and regulatory scrutiny under the Cyber Security Act 2024
✔ Loss of client trust and reputational damage
Find clear answers to common questions about ransomware payment reporting, including the 72-hour deadline and what legal service businesses need to include in their reports.
Still have questions?
Speak to our team about DefenderSuite and your reporting obligations.
From 30 May 2025, Australian businesses must report ransomware payments within 72 hours of making the payment, or of becoming aware that a payment has been made on their behalf.
Any business with annual turnover above $3 million in the previous financial year, or that is the responsible entity for a critical infrastructure asset, is subject to the reporting rules.
Reports must detail when the attack occurred and when it was discovered, the impact on the business or its customers, the amount paid and the method used, communications with the attacker, and any vulnerabilities exploited.
Submit the report via the official Australian Signals Directorate (ASD) portal: cyber.gov.au/report-and-recover/report
DefenderSuite offers managed cybersecurity and compliance solutions tailored for legal services, including:
✔ Cyber Security Act 2024 compliance
✔ Essential Eight hardening
✔ Ransomware prevention and incident response