Imagine this: your systems are locked, your team is scrambling, and a ransom demand lands in your inbox. Would your business know what to do and who to notify?
As of 30 May 2025, new legislation under the Cyber Security Act 2024 requires certain Australian businesses to report ransomware payments to the Australian Signals Directorate (ASD) within 72 hours. If your business earns over $3 million annually or operates in critical infrastructure, these rules now apply to you.
Even if your business isn’t there yet, this change signals what’s coming. It’s a shift in expectations, one that prioritises preparedness, fast response, and good governance.
What’s changed and what needs to be reported
If your business is impacted by ransomware and makes a payment, whether in money, crypto, goods, services, or agreements, you must now report that action within 72 hours.
This report must include details about the nature of the attack, which systems were affected, how your business was impacted, what was paid, and any communication with the attacker. You’ll also be expected to outline any known vulnerabilities that were exploited.
These requirements are designed to strengthen national visibility and improve how businesses, and government, respond to future threats. But the real challenge is speed. In the midst of a crisis, 72 hours can pass in a blur.
Why this matters
Many small and midsized businesses may not yet be mandated to report ransomware payments, but with growth comes responsibility. Building the right systems now ensures you’re ready when those obligations do apply and protects your business long before then.
Ransomware isn’t just a threat for large organisations. In fact, smaller businesses are often the preferred target: fewer defences, smaller teams, and less structure. Cybercriminals count on smaller businesses not being ready, and that assumption is exactly what these laws aim to correct.
Preparing now shows that you take your operations, your customers, and your future seriously. And it puts you ahead of growing expectations from insurers, enterprise buyers, and government partners who increasingly want to see proof of cyber maturity.
Where SMB1001 CyberCert Gold Fits In
This is where CyberCert Gold, part of the SMB1001 framework, makes a practical difference.
It’s designed specifically for Australian SMBs, providing structure, support, and a clear path to resilience. Rather than leaving it to chance, CyberCert Gold helps you prepare long before an incident occurs.
The Gold standard guides businesses through:
- Building an incident response plan that’s tailored to your size and operations
- Defining who’s responsible for reporting, recovery and communications
- Setting up secure backups and recovery processes
- Training staff to respond confidently and report threats early
- Collecting and storing the evidence needed for legal and insurance reporting
Unlike more complex frameworks, CyberCert Gold is built for real-world businesses. It’s about practical protection that grows with you.
Having this kind of structured readiness in place not only helps you meet obligations like the 72-hour rule, it also supports faster recovery, lowers potential costs, and gives everyone on your team a clear plan to follow.
What You Can Do Today
If you’re not sure how your business would respond to a ransomware incident, or whether you’d be able to meet the 72-hour reporting deadline, now is the time to take a closer look.
You don’t have to figure it out on your own.
We [company name] can help assess your current risk exposure, review any existing incident response plans, and highlight where there may be gaps. From there, you can build a practical roadmap that fits your size, budget and future growth goals.
Whether that means strengthening your backup systems, clarifying roles in the event of a cyberattack, or working toward CyberCert Gold certification, the most important step is taking action before a crisis hits.
Because when it comes to ransomware, your best defence is preparation — not reaction.
Final Thought
Cybersecurity is no longer something only large enterprises have to worry about. The rules are changing, and so are the expectations.
This new reporting legislation is just one example of how governments, insurers and customers are raising the bar. But it’s also an opportunity, a chance for your business to lead with confidence, show accountability, and put protections in place that grow with you.
You don’t need to become a cyber expert. You just need the right support, the right systems, and a partner who can guide you through it.
CyberCert Gold helps businesses like yours build a foundation of trust and resilience, so you can focus on what you do best, knowing you’re protected, prepared and positioned for the future.
