Senate | Before Parliament | 3 readings | Amendments circulated
Ransomware Payments (No. 2)
✦ Plain-English Summary
# Ransomware Payments Bill 2021
## What it does
If your organisation gets hit by a ransomware attack and you pay the criminals to unlock your data, you'll now have to report that payment to the Australian Cyber Security Centre (part of the Australian Signals Directorate). The bill creates a legal requirement to notify authorities whenever a ransom is paid in Australia or by Australian entities overseas.
## Why it matters
Right now, most ransomware victims pay in silence—which means authorities have no idea how much money is flowing to criminal groups or where attacks are happening. Better reporting helps the government track cybercrime patterns, identify vulnerable sectors, and work with international partners to shut down criminal operations. It also gives your organisation a clearer picture of what you're legally required to do if you're targeted.
## Key details
- **Who reports:** Any person or organisation (including businesses, charities, hospitals) that makes a ransomware payment
- **Penalties:** Breaching the reporting requirement triggers civil penalties (exact amounts to be determined in regulations)
- **Timing:** The law comes into effect on a date to be set by the government, but will automatically commence 6 months after receiving Royal Assent if no date is fixed before then
- **Scope:** Applies to payments made in Australia and by Australian entities anywhere in the world
Official Description
Establishes a mandatory requirement for Commonwealth, state or territory entities, corporations and partnerships to report to the Australian Cyber Security Centre ransomware payments paid in response to a ransomware attack.
Committee Referrals
Senate Standing Committee for the Scrutiny of Bills
Audit History
- **Introduced:** 12 Aug 2021
- **Last updated on APH:** 10 Apr 2026
- **Last checked by Crossbench:** today
- **Next review:** in 1 week
- **Full text indexed:** today