Key Takeaways

• Australia’s new ransomware rules mean certain organisations must report incidents within 72 hours, even if no ransom is paid.

• Disclosure is now mandatory for critical infrastructure sectors and likely to expand beyond them.

• Silence is no longer a strategy. The way you respond carries legal, reputational and insurance consequences.

• Materiality is subjective. Companies need to predefine what counts as a reportable impact before a crisis hits.

• Boards can’t sit back. Cyber is now a governance issue, not just a technical one. Response plans must involve legal, comms, and executive leadership.

The Rules Have Changed

In Australia, you no longer need to pay a ransom to land in regulatory trouble. Just being hit is enough.

Under amendments to the Security of Critical Infrastructure Act 2018 (SOCI) that came into effect on 17th April, certain organisations now have a legal obligation to report ransomware attacks. Even if no money changes hands. Even if you manage to contain the damage.

If you’re in one of the 11 sectors classed as “critical infrastructure” — including energy, healthcare, transport, and financial services — and your systems are locked, your data is stolen, or your operations are disrupted, you may need to notify the Cyber and Infrastructure Security Centre (CISC) within 72 hours. You’ll also be required to keep records of the incident and your response for a full year.

This is a significant shift. Until now, ransomware attacks often played out behind closed doors. Regulators and the public only found out when services stopped or data was dumped online. These new rules close that gap.

Why This Matters, and What It Signals

These changes aren’t just about tightening compliance. They reflect a broader shift in how governments — and society — are starting to think about cyber risk.

Around the world, we’re seeing regulators move away from “please report if you can” to “you must report or face consequences.” The US is introducing mandatory disclosure laws under CIRCIA. The EU is doing the same under NIS2. Australia is now following suit — starting with critical infrastructure, but unlikely to stop there.

At a policy level, the message is clear: cyber attacks aren't just a private business problem. When essential services are hit, the impact is public. The government wants visibility early, not after the fact.

From a business perspective, this tells us something else. Ransomware is no longer just a technical issue or an operational headache. It’s a national security concern. That’s why it’s now subject to the same kind of rules we see in financial reporting or environmental risk. You don’t get to keep it quiet just because it’s uncomfortable.

The End of Private Cyber Crises

There was a time when ransomware attacks could be handled quietly. Pay the ransom. Don’t pay the ransom. Restore from backups. Put out a vague statement (or none at all). The goal was to move on as quickly and discreetly as possible.

That’s no longer a safe option.

These new rules change the default setting from discretion to disclosure. If your systems are locked up or your data is compromised, someone outside your business may now have to be told, whether you like it or not.

This isn’t just a compliance shift. It’s a cultural one. Silence and spin are no longer viable crisis strategies. The act of being hit, regardless of how well you recover, now carries legal and reputational weight.

It also raises a harder question: how will companies decide whether an incident is reportable? The new rules refer to “material impact,” but that’s not always easy to define, especially in the middle of a crisis. Was an hour of downtime critical? Did a suspicious data transfer count as exfiltration? These grey areas leave room for interpretation, and with it, risk. That’s why materiality thresholds — whether based on regulatory exposure, customer disruption, or financial impact — need to be agreed ahead of time, not debated under pressure.

And regulators aren’t likely to be generous if they think a company has chosen to under-report, delay, or downplay an incident. If anything, the window for plausible deniability is getting smaller.

What This Means for Boards and Business Leaders

This isn’t just a technical update buried in compliance documents. It reshapes how organisations need to think about ransomware — and who’s responsible when it hits.

1. Response is reputation

Once an incident crosses the threshold for mandatory reporting, the way you respond becomes part of the public record. The speed, clarity, and coordination of that response matter as much as the underlying fix. If regulators or the media find out before your own stakeholders do, you've lost control of the story.

Even well-contained breaches can cause damage if the response is slow, confused or secretive.

2. Insurance doesn't cover avoidance

Cyber policies often include conditions around timely notification. In some cases, failure to report an incident to authorities can void coverage entirely. It also raises flags at renewal time. Underwriters are increasingly factoring in governance behaviours when pricing risk. That includes how openly you deal with incidents.

If you're managing cyber exposure behind closed doors, you're likely also limiting the support available when it matters most.

3. Materiality is a judgement call

The rules refer to “material impact” without offering much precision. That leaves it to internal teams to assess whether a disruption qualifies. For time-poor executives in the middle of a crisis, that’s a risk in itself.

Misjudge it and you may be in breach. Over-report and you may invite scrutiny that wasn’t required. The process needs to be discussed well before anything goes wrong.

4. The right people need to be in the room

Cyber incidents aren’t just technical failures. They can trigger legal obligations, stakeholder panic, and brand damage. That means legal, comms, risk and operational leadership need to be aligned — ahead of time. If your incident response playbook still routes everything through the IT team, it’s outdated.

Board directors should know what the response plan looks like and how fast key decisions can be made when the pressure is on.

This Is Just the Beginning

For now, the rules apply to critical infrastructure sectors. But the direction is clear. Governments want earlier visibility into attacks, especially those with national or economic impact.

Australia’s 2023 Cyber Security Strategy made this shift explicit. The aim is to move from reactive enforcement to active coordination. That starts with critical sectors, but many expect mandatory reporting requirements to extend into other parts of the economy.

The safest assumption is that ransomware incidents will soon carry formal reporting obligations for a wider set of organisations. Waiting for regulation to apply to you directly is a risky strategy.

Case in Point: DP World Australia, November 2023

When DP World Australia was hit by a ransomware attack in November 2023, it caused major disruption to container terminals across the country. Port operations were suspended for several days. Freight was delayed. Supply chains were strained.

At the time, the nature of the attack wasn’t confirmed publicly. It wasn’t until March 2024 — during a Senate inquiry — that the company acknowledged ransomware was involved.

If the new rules had been in place, the breach would likely have triggered mandatory reporting to the CISC within 72 hours. The level of operational disruption, and the national significance of DP World’s role in the logistics network, would meet the threshold.

This example shows how disclosure timelines are changing. It also reinforces the message that regulators expect organisations to be proactive, not defensive.

Final Take: Disclosure Is the New Risk Surface

Every organisation focuses on preventing attacks. Fewer are prepared for what comes next. The decisions made in the hours and days after a breach are fast becoming just as important as the breach itself.

Mandatory reporting isn’t just a compliance challenge. It forces leadership teams to make faster, higher-stakes calls under pressure. Who gets informed? What do you say? How do you avoid compounding the damage?

This rule change is a signal. Cyber security isn’t just about defence. It’s about accountability. And increasingly, that accountability sits in the open.