
Jake Moore, Global Cybersecurity Advisor for ESET

Ransomware reporting rules begin in June: 5 CEO questions answered

From May 30, 2025, Australia’s new Ransomware Payment Reporting Rules come into play. This means businesses will be legally required to report ransomware payments within strict timeframes.

This is part of a broader effort to enhance transparency and strengthen national cybersecurity, alongside the establishment of a Cyber Incident Review Board.

This mandatory reporting will help the government better understand the scale and nature of ransomware attacks, so it can allocate resources, disrupt cybercrime networks, and support affected businesses more effectively.

But for CEOs, the reality is anything but simple. Ransomware attacks often unfold at lightning speed, leaving organisations in a complex quandary while racing against the clock. Here are five urgent questions CEOs should be asking before the rules kick in, and what they need to know to get ahead of them.

Am I legally required to report every ransomware attack?

Not every attack, but any ransom payment must be reported. From May 30, 2025, businesses are required to notify the government within 72 hours if they pay a ransom following a cyberattack. That includes the amount, method of payment (such as cryptocurrency), and any identifying details about who received it. Even if you don’t pay, depending on your sector, you may still need to report the incident under existing cyber incident obligations.

Should I ever pay a ransom?

This remains one of the most confronting questions a CEO can face. In the heat of an attack, when your systems are frozen and your data is on the line, paying can feel like the only viable option. Failure to comply with the demands can result in a huge loss of data; worse still is the chance that this stolen, often highly private, data is leaked publicly on the net.

But it’s a dangerous gamble. There’s no guarantee your files will be restored in full, or at all. Even when decryption tools are provided, they’re often faulty or incomplete, leaving businesses to rebuild their systems regardless.

It’s worth remembering, though, that refusing to pay can send a powerful message to attackers that extortion doesn’t work. In fact, collective resistance can help reduce future attacks and erode ransomware’s profitability in the long term. But it only works if your data is backed up and can be restored quickly.

What should I do during a ransom attack?

Speed and clarity matter when you’re under attack. If you’re fumbling for legal contacts or wondering who’s authorised to speak to regulators, you’ve already lost time you can’t afford.

Every business should know exactly who is responsible for ransomware reporting. Your legal and cybersecurity teams should already be aligned on the process. Communication plans, internally and externally, should be templated and ready to go. Cyber insurance policies, backup protocols, and escalation contacts should be easily accessible. Preparedness can’t be retrofitted mid-crisis. It has to be in place before you ever need it.

Reporting, especially if a ransom is paid, should also be part of your real-time response. Providing accurate information quickly doesn’t just help you meet your obligations, it helps the government allocate resources to shut down ransomware networks and prevent future incidents.

Will reporting expose me, or protect me?

Some CEOs worry that reporting will damage their reputation or reveal operational weaknesses. But in reality, transparency increasingly signals strength. Failing to report, particularly when it’s legally required, can lead to penalties, reputational blowback, and even loss of insurance coverage.

Reporting also enables access to government support, enhances sector-wide threat awareness, and signals to stakeholders that you’re acting with integrity and responsibility. In a landscape where cyberattacks are a matter of when, not if, owning your response is part of protecting your brand.

What should we do right now, before May 30?

If you haven’t already started to prepare, now is the time.

Review the new ransomware reporting requirements with your executive and legal teams. Make sure you’ve clearly identified who is responsible for reporting and what the internal escalation path looks like. Reassess your backup systems, not just whether they exist, but how fast and effectively they can be restored in the event of a breach.

Most importantly, make this a leadership conversation, not just an IT one. The companies best positioned to respond to ransomware are those where executives take an active role in cybersecurity strategy, rather than waiting and reacting.

Jake Moore

Since joining ESET in 2018, Jake Moore has ethically hacked into companies across the country using creative methods and the latest AI tools to uncover vulnerabilities. He shares these experiences with businesses and industries, believing that storytelling is one of the most effective ways to raise awareness and improve understanding of cybersecurity among those who need it most.
