New Cyber Security Laws for Reporting of Ransomware Payments in Real Estate

Oh No! You Paid a Ransom… and Now You’re Breaking the Law? 

Imagine this: your business is humming along, and suddenly - bam! - you’re locked out of everything. Files encrypted. Emails frozen. A scary message flashes: “Your files have been taken. Pay $50,000 in crypto to get them back.” 

You panic. You pay. And you think it’s over. 

But starting 30 May 2025, it’s not over. 

Thanks to Australia’s new Cyber Security (Ransomware Payment Reporting) Rules 2025, certain businesses are now legally required to report ransomware payments to the government—within just 72 hours. 

If you don't? You could face fines of nearly $20,000. 

The new rules are part of a national push to improve cybersecurity transparency and help Australia fight back against rising cybercrime. But as with any new regulation, many business owners—especially in real estate—have no idea they even exist. 

Let’s break down what the new ransomware laws mean, who they apply to, and how your agency or business can stay compliant without adding stress to your already full plate. 

What’s Changed: Ransomware Reporting is Now Law

Under the new rules, if your business pays a ransom to regain access to systems, files, or data following a cyberattack, you must notify the Australian Signals Directorate (ASD) within 72 hours of the payment. 

This applies even if the payment was made by someone else on your behalf, such as a cyber insurance provider, IT contractor, or legal representative. 

You’ll need to provide:

  • Your business’s name, ABN, and contact details 

  • The date and time of the attack and the payment 

  • How much was demanded and paid (and in what currency—usually crypto) 

  • How the payment was made (wallet addresses, transaction IDs, etc.) 

  • Any communications you had with the attacker 

  • Whether law enforcement was notified 

  • The impact of the incident on the business’s infrastructure or clients 

  • Vulnerabilities that may have been exploited 

The idea is simple: the government wants a clearer picture of the scale and nature of ransomware threats in Australia. The more intelligence they have, the more they can do to disrupt attackers, support victims, and reduce risks for everyone. 

But to do that, they need real-time data—which means your compliance matters. 

Who Needs to Report (and Who Doesn’t)

The reporting requirement doesn’t apply to every business—but many real estate agencies will fall within its scope. 

You’re caught by the law if you meet either of these: 

  • Your business has an annual turnover of more than $3 million (in the most recent financial year); or 

  • You’re the responsible entity for critical infrastructure assets, as defined under the Security of Critical Infrastructure Act. 

While sole traders and micro-businesses may be exempt, many real estate agencies (especially growing multi-office firms) will need to comply. 

Still unsure if you qualify? Book a quick 10-min call with our team to double-check—we can help you understand your obligations. 

What Happens If You Don’t Report in Time?

Failing to report a ransomware payment when required could land your business in hot water. 

Specifically, you could face penalties of up to 60 penalty units, which equals $19,800 (at current rates). And if you’re a company, the fines could be even higher. 

While the government has said its initial focus will be on education over enforcement, that doesn't mean you can ignore the law. 

Here’s what non-compliance could cost you: 

  • Financial penalties 

  • Damage to your business reputation 

  • Breach of your cyber insurance policy (some insurers require legal compliance to remain covered) 

  • Loss of trust with clients and stakeholders 

  • Potential liability if your failure to report contributes to broader harm 

So even though no one’s watching over your shoulder when a ransomware attack hits, know this: your legal obligation doesn’t go away with the stress. 

Why This Law Matters (Even If You’ve Never Been Attacked) 

You might be thinking, “Well, this doesn’t apply to me—I’ve never had a cyberattack.” 

That’s like saying you don’t need car insurance because you’ve never crashed. 

The truth is: cybercrime is one of the fastest-growing threats to Australian businesses—and real estate agencies are prime targets. Why? You handle client trust accounts, ID documents, and large financial transactions—all catnip for hackers. 

Even if you’ve never paid a ransom (and hopefully never will), it’s critical to know what the law requires before you’re in crisis mode. 

Here’s why: 

  • You don’t want to scramble to understand your obligations when you’re already under pressure 

  • You may delegate the wrong tasks or make poor decisions without a clear plan 

  • You may breach your duty to clients or regulators (e.g., failing to notify clients whose data was compromised) 

Put simply: prepare now, not later. 

How to Prepare Your Business (Without the Overwhelm) 

Let’s be honest—most agency owners don’t have time to read every new law that comes out, let alone build a compliance plan from scratch. 

Here’s how to get your business ransomware-ready without overcomplicating things: 

Review Your Cyber Incident Response Plan 

If you don’t have one, now’s the time to create one. It should include: 

  • Who’s responsible for incident response (internally and externally) 

  • What steps to take immediately after a ransomware attack 

  • Who needs to be notified (ASD, clients, insurers) 

  • Where and how to report (use the ASD’s official ransomware portal) 

Educate Your Team 

Make sure your leadership team and IT providers are aware of the new laws. Include a short session on it in your next team meeting. 

Let staff know: 

  • That paying a ransom is a legal grey zone (not illegal, but not encouraged) 

  • That reporting ransom payments is now legally required 

  • That they should escalate cyber incidents immediately 

Work With Trusted Experts 

Cyber incidents are not a DIY job. Surround yourself with advisors who understand the intersection of law, tech, and risk. 

This includes: 

  • A tech-savvy lawyer 

  • A good IT provider with incident response experience 

  • A cyber insurance broker who knows what policies really cover 

Test Your Reporting Process 

Run a mock scenario. Simulate a ransomware attack and practice submitting a notification (you can even use a template—like the one provided by Superior IT). 

Better to stumble in a simulation than when the pressure is real. 

Key Takeaways

  • New Law in Force from 30 May 2025 
    If your business pays a ransom after a cyberattack, you must report it to the ASD within 72 hours. 

  • Applies to Many Real Estate Agencies 
    If you have turnover over $3 million a year. 

  • Non-Compliance Can Cost You 
    Fines of up to $19,800, plus reputational damage and insurance issues. 

  • You Can Prepare Now 
    Review your response plan, train your team, and test your reporting process. 

  • Don’t Do It Alone 
    Work with legal and tech experts to build confidence and compliance into your cyber risk strategy. 

Next Steps

If you're unsure whether the new ransomware reporting laws apply to you, or what to do if they do, let's talk. 

We’re offering a free 10-minute consultation for agency owners, firm directors, and business leaders who want to stay compliant and protect their business. 

We’ll help you: Understand your legal obligations, review your current risk exposure, and set up a simple response and reporting process.

Boring legal stuff: This article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us. PS - congratulations if you have read this far, you must love legal disclaimers or are a sucker for punishment.
