Australia's Cyber Security Act 2024: What Mandatory Ransomware Reporting Means for Your Business

Precision IT · Cloud & Security Experts
3 April 2026 · 12 min read

On 29 November 2024, Australia's Cyber Security Act 2024 received Royal Assent, marking the country's first standalone cybersecurity legislation. This is not a minor regulatory update -- it represents a fundamental shift in how Australia expects businesses to prepare for, respond to, and report on cyber incidents. The centrepiece obligation, mandatory ransomware payment reporting, came into effect on 30 May 2025, and civil penalties for non-compliance begin from 1 June 2026.

For Australian businesses with annual turnover exceeding $3 million, this legislation introduces new legal obligations that demand immediate attention. Combined with a dramatic escalation in cyber attacks targeting Australian organisations in early 2026, the message is unambiguous: cybersecurity is no longer solely an IT concern. It is a board-level governance issue with legal, financial, and reputational consequences.

Key Takeaway

The Cyber Security Act 2024 introduces mandatory ransomware payment reporting for businesses with $3M+ annual turnover, with a 72-hour reporting window. Civil penalties of up to $99,000 for corporations commence 1 June 2026. If your organisation does not yet have an incident response plan that accounts for this legislation, the time to act is now.

What the Cyber Security Act 2024 Covers

The Act introduces several interconnected measures designed to strengthen Australia's overall cyber resilience:

Part 2: Security Standards for Smart Devices

Effective 4 March 2026, manufacturers and suppliers of consumer-grade smart devices sold in Australia must comply with mandatory security standards. These require unique passwords for each device (no universal defaults), published vulnerability disclosure policies, and transparency about the minimum period for which security updates will be provided. The standards align with the international ETSI EN 303 645 standard and are enforced by the Department of Home Affairs.

While this provision primarily targets manufacturers, it has implications for businesses that deploy IoT devices -- smart building systems, connected medical devices, industrial sensors. Procurement teams should verify that devices purchased from March 2026 onward carry the required statement of compliance.

Part 3: Mandatory Ransomware Payment Reporting

This is the provision with the most immediate impact on Australian businesses. Under Part 3, a reporting business entity -- defined as an entity carrying on business in Australia with annual turnover exceeding $3 million in the previous financial year -- must report any ransomware or cyber extortion payment within 72 hours of making that payment (or becoming aware that a payment was made on its behalf).

The $3 million threshold aligns with the Privacy Act 1988, which exempts small businesses below this turnover from notifiable data breach requirements. In practical terms, this captures the vast majority of mid-market and enterprise organisations.

The reporting obligation requires the entity to provide details of the cyber security incident, the amount and method of payment, the threat actor's demands, and any information about the threat actor that is reasonably available. Reports are submitted to the Australian Signals Directorate (ASD) via the designated reporting mechanism.

Limited Use Obligation

A critical -- and welcome -- feature of the Act is the limited use obligation on reported information. Information provided under the mandatory reporting scheme cannot be used as evidence against the reporting entity in criminal or civil proceedings (other than proceedings for non-compliance with the reporting obligation itself). This is designed to encourage transparent reporting without fear that disclosure will be weaponised against the business.

However, this protection does not extend to information that was independently obtained by regulators or law enforcement through other means. Organisations should still engage legal counsel before making a report.

Part 4: Cyber Incident Review Board

The Act establishes the Cyber Incident Review Board (CIRB) as an independent advisory body empowered to conduct no-fault, post-incident reviews of significant cyber security incidents. Modelled on similar bodies in the aviation and transport sectors, the CIRB will analyse major incidents to identify systemic vulnerabilities and recommend improvements -- without assigning blame to affected organisations.

The Cyber Security (Cyber Incident Review Board) Rules 2025 set the framework for the Board's operations. The Minister for Home Affairs will appoint a Chair and up to six Standing Members, supported by an Expert Panel. As of April 2026, appointments have not yet been finalised, meaning the Board is not yet operational -- but organisations should expect reviews of significant incidents to commence later in 2026.

Recent Australian Breaches: Why This Matters Now

The urgency of the Cyber Security Act is underscored by a series of significant cyber incidents affecting Australian organisations in early 2026:

Victorian Department of Education Breach (January 2026)

On 14 January 2026, the Victorian Department of Education disclosed that unauthorised third parties had accessed a database containing student information from all 1,700 Victorian government schools. The compromised data included student names, email addresses, encrypted passwords, and school and year level information. The Department identified the breach entry point, reset all student passwords, and prioritised credential reissue for VCE students. This incident highlighted the vulnerability of education sector systems and the cascading impact when a central system is compromised.

Epworth HealthCare Incident (February 2026)

In late January 2026, a threat group calling itself 0APT claimed to have exfiltrated 920GB of data from Epworth HealthCare, Victoria's largest not-for-profit private hospital group. The group listed Epworth on its darknet leak site and demanded ransom payment by 6 February. Epworth HealthCare, supported by independent cybersecurity specialists, found no verified evidence of system compromise or data exfiltration. Security researchers subsequently assessed 0APT as a likely fabricated operation using false claims for extortion -- a new tactic where threat actors create the illusion of a breach without actually compromising systems.

Regardless of whether the Epworth incident involved actual data theft, it demonstrated a critical point: the reputational and operational disruption from even an alleged breach is significant. Organisations need incident response plans that address not just technical recovery but also public communication, regulatory notification, and stakeholder management.

Key Takeaway

The Victorian Department of Education breach affected 1,700 schools and hundreds of thousands of students. The Epworth HealthCare incident caused significant disruption despite no confirmed data loss. These incidents illustrate why the Cyber Security Act 2024 exists -- Australia needs stronger reporting, faster response, and better systemic defences.

Essential 8: From Best Practice to Expected Baseline

While the Essential 8 framework published by the Australian Cyber Security Centre (ACSC) is not technically mandated by the Cyber Security Act 2024, the practical reality is shifting. Government procurement increasingly requires Essential 8 compliance. Cyber insurance providers are factoring Essential 8 maturity into underwriting decisions. And the ACSC's updated Cyber Security Priorities for Boards of Directors 2025-26 explicitly calls out the Essential 8 as the expected baseline for any organisation serious about cyber resilience.

For organisations that have not yet begun their Essential 8 journey, the framework's eight strategies remain the most effective starting point:

  • Application Control -- Prevent unauthorised software from executing
  • Patch Applications -- Apply critical patches within 48 hours
  • Configure Microsoft Office Macro Settings -- Block macros from the internet
  • User Application Hardening -- Disable unnecessary features in browsers and Office
  • Restrict Administrative Privileges -- Enforce least-privilege access
  • Patch Operating Systems -- Keep operating systems current and patched
  • Multi-Factor Authentication -- Require MFA for all users, especially privileged accounts
  • Regular Backups -- Maintain tested, disconnected backups of critical data

For a detailed implementation guide, see our comprehensive Essential 8 Compliance Guide for Australian Businesses.

What Your Business Needs to Do Now

With penalty enforcement commencing 1 June 2026, Australian businesses should be taking concrete steps to ensure compliance and strengthen their cyber resilience:

1. Update Your Incident Response Plan

If your incident response plan does not account for the Cyber Security Act's 72-hour ransomware payment reporting obligation, it needs updating. Ensure the plan includes:

  • Clear decision-making authority for ransomware payments
  • The reporting process and the designated personnel responsible for submission
  • Legal counsel engagement procedures
  • Communication templates for stakeholders, regulators, and media
  • Documentation requirements for compliance evidence

2. Conduct Ransomware Tabletop Exercises

A plan that has never been tested is a plan that will fail under pressure. Conduct tabletop exercises that simulate ransomware scenarios specific to your industry. Include technical staff, executive leadership, legal counsel, and communications teams. Test the full lifecycle: detection, containment, decision-making on payment, reporting obligations, recovery, and post-incident review.

3. Assess Essential 8 Maturity

Conduct a formal Essential 8 assessment against your target maturity level. Most Australian businesses should aim for Maturity Level 2 as a minimum. Identify gaps, prioritise remediation by risk, and establish a timeline for achieving compliance.

4. Review Cyber Insurance Coverage

The Cyber Security Act's mandatory reporting requirements may interact with your cyber insurance policy. Review coverage to ensure ransomware payments, incident response costs, and regulatory penalties are addressed. Discuss the Act's implications with your broker and insurer.

5. Engage Your Board

Cybersecurity governance is a board responsibility. Present the Cyber Security Act's implications to your board, including potential penalties, reporting obligations, and the organisation's current preparedness. The ACSC's Cyber Security Priorities for Boards of Directors 2025-26 provides an excellent framework for this conversation.

Action Item                                            | Priority | Deadline
Update incident response plan for ransomware reporting | Critical | Immediate
Conduct ransomware tabletop exercise                   | High     | Within 30 days
Essential 8 gap assessment                             | High     | Within 60 days
Review cyber insurance coverage                        | High     | At next renewal (or sooner)
Board cybersecurity briefing                           | High     | Next board meeting
Implement MFA for all users                            | Critical | Within 30 days if not already in place
Verify backup and recovery procedures                  | Critical | Within 14 days

How Precision IT Helps with Compliance Readiness

As an ISO 27001 certified managed services provider and Microsoft Solutions Partner, Precision IT helps Australian businesses navigate the Cyber Security Act and broader cybersecurity compliance with confidence. Our services include:

  • Cyber Security Act readiness assessments -- Evaluate your current incident response capabilities against the Act's requirements and identify gaps
  • Essential 8 implementation -- Phased deployment of all eight mitigation strategies, from gap analysis through to ongoing compliance maintenance
  • Ransomware tabletop exercises -- Facilitated exercises that test your organisation's response to realistic ransomware scenarios, including the 72-hour reporting obligation
  • Managed detection and response -- 24/7 threat monitoring through our Australian-based Security Operations Centre, using Microsoft Sentinel, Defender, and Huntress MDR
  • Incident response retainer -- Pre-agreed response arrangements ensuring expert support is available within minutes, not hours, when an incident occurs
  • Board advisory -- Executive briefings and board-ready reporting on cybersecurity posture, compliance status, and risk exposure

We work exclusively with Australian businesses, ensuring our advice accounts for the specific requirements of Australian legislation, the local threat landscape, and timezone-aligned support when incidents occur.

Do not wait for a breach to test your readiness. Explore our cybersecurity services, read our guide to choosing an MSSP, or contact our team today to discuss your compliance readiness. With penalty enforcement commencing 1 June 2026, every week of delay increases your risk exposure.
