Latest News

New Ransomware Reporting Rules in Australia: Insights from Sarah McAvoy’s TechPartner.News Feature

CyberUnlocked founder Sarah McAvoy was recently featured in an article on techpartner.news, offering timely insights into Australia’s new ransomware reporting requirements. The article, “Waiting until an incident is in progress is too late: MSPs urged to review ransomware response as new reporting rules commence", addresses a critical shift in cyber security expectations.

 

As of May 30, 2025, the Cyber Security (Ransomware Payment Reporting) Rules 2025 are now in effect. These rules require certain entities, those with turnover exceeding $3 million or operating in critical infrastructure, to report ransomware payments within 72 hours. Sarah McAvoy emphasises the importance of planning ahead, stating: "Deciding whether you would pay a ransom isn’t a crisis decision; it’s a preparedness decision."

 

This change is not only about legal compliance, it’s about strengthening cyber resilience. The initial phase, which prioritises education over enforcement, continues through December 31, 2025. Now is the time to clarify reporting obligations, assess whether your organisation qualifies as a reporting entity, and refine your incident response readiness.


We're excited to share that our founder, Sarah McAvoy, was featured in an article on techpartner.news, shedding light on  new ransomware reporting rules in Australia. The article, "Waiting until an incident is in progress is too late”: MSPs urged to review ransomware response as new reporting rules commence, couldn't be more timely. 


As of May 30, 2025, new Cyber Security (Ransomware Payment Reporting) Rules 2025 are in effect, making it mandatory for certain entities (those with a $3 million+ turnover and critical infrastructure) to report ransomware payments within 72 hours. Sarah McAvoy emphasises that preparedness is paramount. As she states, "Deciding whether you would pay a ransom isn’t a crisis decision; it’s a preparedness decision".


This isn't just about compliance, it's about strong cyber security. The current phase, focusing on education rather than penalties, runs until December 31, 2025. It's crucial to understand your reporting obligations, assess your status as a reporting entity, and refine your incident response plans. Don't let an oversight become a crisis. 


Read the full article on techpartner.news here.

More CyberUnlocked Blogs

lock popping up on laptop

Penetration Testing Explained: A Guide for Australian Organisations

by CyberUnlocked 4 September 2025
Protecting your business online is much like securing your home. You may lock the doors and windows, but how can you be certain they will hold if someone tries to force them open? Penetration testing works in a similar way. It allows trusted experts to test your defences before a real attacker has the chance. By asking

CyberUnlocked chair AI Governance Summit 2025

by CyberUnlocked 11 August 2025
CyberUnlocked chaired the AI Governance Summit 2025 in Sydney. The event brought together leaders from government, industry, and critical infrastructure to discuss how Australia can build a safe and trustworthy future with artificial intelligence (AI).
Channel Meets Security Sydney 2025 | Sarah McAvoy

Channel Meets Security Sydney 2025

by Sarah McAvoy 30 May 2025
One of the highlights of the evening was the honest and engaging conversations about what clients really expect from their tech partners when it comes to cyber security. It was great to hear different views and share experiences with others in the field.