Australia’s World-First Cybercrime Ransom Reporting Laws: What They Mean for Your Business

Australia has taken a bold and unprecedented step in the fight against cybercrime. As of May 30, 2025, organisations that choose to pay a ransom following a cyberattack must report that payment to the federal government within 72 hours. This includes naming any third-party negotiators, the amount paid, and the nature of communications with the criminals. Failure to comply could result in fines of nearly $19,000.

For Australian businesses and their directors, this is a game-changer.

This is a pivotal moment that demands both strategic reassessment and urgent action. It’s no longer enough to have a general “cyber incident response plan” in place. Now, that plan must include clear reporting protocols, legal oversight, and a deep understanding of how your insurance policy responds under this new legal landscape.


Why the New Law Matters

Unlike some jurisdictions that have made ransom payments outright illegal, Australia’s approach strikes a middle ground: you can pay, but you must report. This creates a high-stakes balancing act for boards and executives.

The implications for directors are significant. The decision to pay a ransom is already fraught with risk—legal, ethical, operational. Now, there’s also the added pressure of public and government scrutiny. As insurers, we know this adds a new layer of personal liability concern for decision-makers.

Benjamin Di Marco from Willis hits the nail on the head: the law increases complexity and demands early-stage, well-documented decision-making. You can no longer afford to “decide on the fly” in the middle of a crisis.


What This Means for Your Insurance Strategy

The new reporting obligations bring with them ripple effects across the insurance ecosystem:

  • Policy Review is Critical: Businesses must revisit their cyber insurance policies to understand how they address ransomware payments, not just the direct costs, but the consequential risks such as breaching sanctions, terrorism financing laws, or money laundering regulations.

  • Claim Viability: Insurers will likely scrutinise ransom-related claims more closely. The existence of a clear internal process, legal review, and prompt reporting will become important factors in determining claim eligibility.

  • Communication Must Be Tighter: Both internal and external communication protocols need to be reviewed. Who decides to pay? Who informs stakeholders? Who reports to the government? These roles must be assigned and rehearsed in advance.


For Businesses Without Cyber Insurance: The Stakes Are Even Higher

If your business doesn’t currently have cyber insurance, now is the time to seriously reconsider.

Without insurance, a ransomware attack, and now the reporting obligations that follow it, can quickly become financially devastating. You could face:

  • Out-of-pocket costs for ransom payments, legal advice, IT forensics, PR support, and customer notifications

  • Fines for failing to report a payment in time (up to $18,780 per incident)

  • Personal liability exposure for directors if due process isn’t followed

  • Operational downtime without access to expert recovery and support services

Cyber insurance doesn’t just cover costs; it also gives you access to crisis response teams, legal guidance, and technical expertise at the moment your business needs them most.

Even if your business hasn’t been targeted yet, cybercrime is now a question of “when,” not “if.” This law makes it clear: no business is too small to be impacted, and no business can afford to go it alone.


Rethink Your Incident Response Playbook

This legislation signals that “business as usual” won’t cut it anymore. We strongly advise clients to:

  • Update incident response plans to include mandatory reporting procedures.

  • Run regular cyber simulations or tabletop exercises that include ransom reporting scenarios.

  • Reassess data back-up protocols and recovery plans, because the best defence against ransom payment is the ability to avoid paying at all.


Looking Ahead: Resilience Over Reaction

At Phoenix, we’ve long believed that strong cyber resilience is the best policy. This law reinforces that belief. With more visibility into criminal behaviour and reporting obligations, the pressure is on businesses to be better prepared, not just better protected.

According to underwriting agency Coalition, 44% of ransomware victims still chose to pay in 2024. But with strong backups and a well-rehearsed response, many organisations are finding safer and smarter ways to recover.


How We Can Help

Our team at Phoenix Insurance Brokers is already helping clients:

  • Review cyber policy inclusions and exclusions

  • Understand regulatory obligations under the new law

  • Develop insurance-aligned incident response strategies

  • Navigate Director liability risks in the cyber space

  • Secure tailored cyber insurance policies for previously uninsured businesses

If you’re currently uninsured, this is your wake-up call. Reach out to us today for a no-obligation discussion about how cyber insurance could protect your business, your team, and your peace of mind.


Contact us today to ensure your cyber response strategy and insurance coverage are fully aligned with Australia’s new ransomware reporting regime.

Reference Article: Insurance News: World First Ransom Reporting Laws Mean A Rewrite of the Playbook

Please contact Phoenix Insurance Brokers Pty Ltd today to discuss your insurance needs.