MSPs have been urged to review incident response readiness with clients, in light of Australia’s new ransomware reporting rules that commenced today.
Companies with a turnover of $3 million or more in the last financial year must now report to the government within 72 hours of making a ransomware payment, or of becoming aware that a payment has been made on their behalf.
The requirement also applies to entities responsible for critical infrastructure assets.
This is a requirement of the Cyber Security (Ransomware Payment Reporting) Rules 2025, which came into effect on 30 May 2025 and fall under Part 3 of the Cyber Security Act 2024.
The legislation covers monetary and non-monetary benefits given to or exchanged with an extorting entity, including gifts, services or other benefits.
Before the legislation, Australian businesses were under no reporting obligation that required them to disclose information about the payment of a ransom.
Australians could previously choose to voluntarily report cyber incidents to the Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre. But “like many cybercrime and cybersecurity incidents, ransomware and cyber extortion attacks are underreported”, according to the impact analysis of the Mandatory Ransomware Payment Reporting – Cyber Security Bill 2024.
Sarah McAvoy, managing director and founder of CyberUnlocked, which provides compliance services to MSPs and their customers, sees the legislation as an opportunity for MSPs and other technology partners to discuss incident response readiness with clients.
She said MSPs should be prepared to report ransomware payments within 72 hours and understand their responsibility during a client’s ransomware incident.
They should also help clients determine if they qualify as reporting entities, noting that government and not-for-profit organisations are exempt.
MSPs should also “ensure clients understand the risks of paying a ransom, including double and triple extortion, and there is no guarantee of recovery,” McAvoy told techpartner.news.
She encouraged technology partners to ensure operational readiness by internally preparing and updating standard operating procedures.
Her other advice included updating cyber incident response plans to include reporting obligations and timelines, and making legal preparations to understand privileges, reporting protections and obligations under the Autonomous Sanctions Law.
McAvoy also advised technology partners to be familiar with the government’s cybercrime, incident and vulnerability reporting page.
“Deciding whether you would pay a ransom isn’t a crisis decision; it’s a preparedness decision,” she said. “Waiting until an incident is in progress is too late.”
The ransomware payment reporting obligation is being implemented in two stages. The first education phase runs from today until 31 December 2025. The Department of Home Affairs will aim to socialise the ASD’s reporting form with regulated entities, manage any challenges and identify key compliance barriers.
During this phase, the Department stated it will “pursue regulatory action only in cases of egregious non-compliance against businesses that report on incidents, so as to not take capacity away from impacted entities during the initial incident response phase.”
The Department will engage with Australian entities, industry groups, peak bodies, and other stakeholders through town hall meetings, providing practical resources, including frequently asked questions, factsheets and user guides for incident reporting.
Phase two begins on 1 January 2026, when the Department will move to a more active regulatory focus.
A 2024 study by ESET found that 87 per cent of Australian SMBs surveyed might consider paying cybercriminals in the event of ransomware extortion.
The ASD’s Annual Cyber Threat Report 2023–24 revealed that 11 per cent of all incidents ASD responded to involved ransomware, up three percentage points on the year prior.