Ransomware Payment Reporting Rules
The Cyber Security Act 2024 (“The Act”) has established a ransomware and cyber extortion payment obligation on reporting entities (annual turnover exceeding $3 million). Under the legislation, starting 30th May 2025, Australian businesses are now legally required to report any ransomware payments. There is no grace period for compliance.
Why Cyber Insurance is Essential
Payment of ransoms brings increased regulatory risk and scrutiny, meaning cyber insurance is now an essential tool in guiding businesses through their legal requirements:
1) The Act provides that a civil penalty of 60 penalty units, presently $19,800, may apply where a reporting business entity does not make a mandatory ransomware payment report when they are obligated to do so;
2) Ransom payments may trigger breaches of sanction laws, which can be a serious criminal offence, punishable by potential fines for entities of the greater of 10,000 penalty units ($3.13 million as of 1st July 2023) or three times the value of the illegal transaction.
On 23rd January 2024, the Australian government imposed autonomous sanctions against Aleksandr Ermakov, a Russian national implicated in the October 2022 Medibank Private data breach.
In May 2024, Australia imposed a targeted financial sanction on Russian citizen Dmitry Yuryevich Khoroshev for his senior leadership role in the LockBit Ransomware Group. This sanction makes it a criminal offence to provide assets to Dmitry Yuryevich Khoroshev, or to use or deal with his assets.
In October 2024, Australia imposed sanctions on three Russian nationals linked to the Evil Corp cybercrime group.
In February 2025, additional cyber sanctions were imposed in response to the 2022 cyberattack against Medibank Private. The Government imposed these cyber sanctions on the Russian entity, ZServers, and five Russian cybercriminals who provided the network infrastructure and services used to host and release the data stolen from Medibank.
These examples of “cyber incident” sanctions may have significant implications for businesses falling victim to a ransomware attack and their consideration of facilitating a ransom payment. Cyber insurance policies provide Insureds with access to the leading cyber and privacy lawyers in Australia. As a benefit under the policy, an Insured facing ransom payment and reporting considerations receives legal advice in respect of the potential to breach sanction laws;
3) As well as providing expert cyber legal advice, the best cyber insurance policies also access specialist ransomware negotiators that act for and negotiate on behalf of the Insured. Their role is to understand the intricacies of the attack and negotiate terms that can minimise damage and recover data. Often, it is not necessary to pay a ransom, but regardless, this expertise provides the Insured with the best possible outcome given the situation.