The Cyber Security Act Is Now in Force. Is Your Business Ready?


From 30 May 2025, the rules changed.

Australia’s Cyber Security Act 2024 is now live. If your business suffers a ransomware incident and a payment is made by you or someone acting on your behalf, you are legally required to report it within 72 hours.
If you’re not ready, you're already exposed to legal, financial, and reputational risks.

Thousands of Australian businesses are now subject to this law. If your organisation has an annual turnover above $3 million or operates as critical infrastructure, you are a reporting entity.

If you fail to report a ransomware payment within 72 hours:

  • You may face civil penalties.
  • You may risk a regulatory investigation.
  • You will likely suffer brand damage and scrutiny from insurers.

And make no mistake: attackers are targeting organisations just like yours. Recent attacks on super funds, financial planners, and healthcare providers demonstrate that this is not just something that might happen; it’s happening now.

What’s Required of You

If your business pays a ransom, whether money, services, or even non-monetary gifts, you must report it within 72 hours.

If your annual turnover is $3 million or more, or you're a responsible entity for critical infrastructure, you’re now a “reporting business entity.”

Businesses that fail to comply or report late may face civil penalties.

You will need to report the payment on the Australian Signals Directorate website.

What Must Be Included in Your Report

  • Incident details (when, how, impact)

  • What was paid and how

  • Who made the payment (you or a third party)

  • Communication with the attacker

  • Any vulnerabilities exploited

  • Information that helps the ASD or authorities mitigate the threat

What Most Businesses Are Still Missing

  • A tested, documented Incident Response Plan

  • Cloud visibility across Microsoft 365 and SaaS platforms

  • Breach detection that covers identity misuse and insider threats

  • Alignment with Essential 8 or ISO 27001

  • A clear audit trail for insurers and regulators

How We Help You Fix This

At Emerging IT, we work with Australian businesses to reduce breach risk, meet regulatory expectations, and strengthen their security posture.

Here’s what you can do today:

  1. Lock down Microsoft 365
    Most ransomware starts with stolen credentials or unmonitored logins. Our 365 Cloud Secure solution protects identities, detects misuse, and provides real-time breach containment tools.

  2. Deploy a real Incident Response Plan
    Get our financial-sector-ready IRP template — then we’ll help you tailor, test, and document it for regulators and insurers.

  3. Run a Cyber Security Defence Review
    We’ll assess your environment against known attack paths and regulatory standards, such as NIST, APRA CPS 234, and the ACSC’s Essential 8, so you can prioritise action, not guesswork.

As of 30 May, every ransomware payment must be reported within 72 hours, or your business faces penalties.

If you do not have a tested incident response plan, secure cloud controls, and a way to prove compliance, now is the time to act. Contact Emerging IT today to safeguard your business and ensure you’re ready for the new requirements.
