Latest News

New Ransomware Reporting Rules in Australia: Insights from Sarah McAvoy’s TechPartner.News Feature

CyberUnlocked founder Sarah McAvoy was recently featured in an article on techpartner.news, offering timely insights into Australia’s new ransomware reporting requirements. The article, “Waiting until an incident is in progress is too late: MSPs urged to review ransomware response as new reporting rules commence", addresses a critical shift in cyber security expectations.

 

As of May 30, 2025, the Cyber Security (Ransomware Payment Reporting) Rules 2025 are now in effect. These rules require certain entities, those with turnover exceeding $3 million or operating in critical infrastructure, to report ransomware payments within 72 hours. Sarah McAvoy emphasises the importance of planning ahead, stating: "Deciding whether you would pay a ransom isn’t a crisis decision; it’s a preparedness decision."

 

This change is not only about legal compliance, it’s about strengthening cyber resilience. The initial phase, which prioritises education over enforcement, continues through December 31, 2025. Now is the time to clarify reporting obligations, assess whether your organisation qualifies as a reporting entity, and refine your incident response readiness.


We're excited to share that our founder, Sarah McAvoy, was featured in an article on techpartner.news, shedding light on  new ransomware reporting rules in Australia. The article, "Waiting until an incident is in progress is too late”: MSPs urged to review ransomware response as new reporting rules commence, couldn't be more timely. 


As of May 30, 2025, new Cyber Security (Ransomware Payment Reporting) Rules 2025 are in effect, making it mandatory for certain entities (those with a $3 million+ turnover and critical infrastructure) to report ransomware payments within 72 hours. Sarah McAvoy emphasises that preparedness is paramount. As she states, "Deciding whether you would pay a ransom isn’t a crisis decision; it’s a preparedness decision".


This isn't just about compliance, it's about strong cyber security. The current phase, focusing on education rather than penalties, runs until December 31, 2025. It's crucial to understand your reporting obligations, assess your status as a reporting entity, and refine your incident response plans. Don't let an oversight become a crisis. 


Read the full article on techpartner.news here.

More CyberUnlocked Blogs

Channel Meets Security Sydney 2025 | Sarah McAvoy

Channel Meets Security Sydney 2025

by Sarah McAvoy 30 May 2025
One of the highlights of the evening was the honest and engaging conversations about what clients really expect from their tech partners when it comes to cyber security. It was great to hear different views and share experiences with others in the field.
A diagram of a road showing the stages of a cyber security compliance journey.

Cyber Security Compliance: Everyone’s Starting Line is Different

by Sarah McAvoy 23 May 2025
At CyberUnlocked, I often step into the role of a Compliance Coach. It is not just about frameworks and documentation. It is about supporting businesses as they build capability. What many need most is: Encouragement to keep going, even when it gets tough Guidance that fits their maturity, industry and supply chain expectations A sounding board to help balance ambition with business reality
SMB1001 image

Why SMB1001:2025 Is a Game Changer for SMBs

by Sarah McAvoy 14 May 2025
The newly launched SMB1001:2025 standard is transforming the way small and medium-sized businesses (SMBs) approach cyber security. Developed by Dynamic Standards International, this multi-tiered certification is tailored to the unique needs and resource constraints of SMBs, offering a scalable, affordable framework for