
New Ransomware Reporting Rules in Australia: Insights from Sarah McAvoy’s TechPartner.News Feature


CyberUnlocked founder Sarah McAvoy was recently featured in an article on techpartner.news, offering timely insights into Australia’s new ransomware reporting requirements. The article, “Waiting until an incident is in progress is too late: MSPs urged to review ransomware response as new reporting rules commence”, addresses a critical shift in cyber security expectations.

 

As of May 30, 2025, the Cyber Security (Ransomware Payment Reporting) Rules 2025 are now in effect. These rules require certain entities, those with turnover exceeding $3 million or operating in critical infrastructure, to report ransomware payments within 72 hours. Sarah McAvoy emphasises the importance of planning ahead, stating: "Deciding whether you would pay a ransom isn’t a crisis decision; it’s a preparedness decision."

 

This change is not only about legal compliance; it’s about strengthening cyber resilience. The initial phase, which prioritises education over enforcement, continues through December 31, 2025. Now is the time to clarify reporting obligations, assess whether your organisation qualifies as a reporting entity, and refine your incident response readiness.


We're excited to share that our founder, Sarah McAvoy, was featured in an article on techpartner.news, shedding light on new ransomware reporting rules in Australia. The article, “Waiting until an incident is in progress is too late”: MSPs urged to review ransomware response as new reporting rules commence, couldn't be more timely.


As of May 30, 2025, new Cyber Security (Ransomware Payment Reporting) Rules 2025 are in effect, making it mandatory for certain entities (those with a $3 million+ turnover and critical infrastructure) to report ransomware payments within 72 hours. Sarah McAvoy emphasises that preparedness is paramount. As she states, "Deciding whether you would pay a ransom isn’t a crisis decision; it’s a preparedness decision".


This isn't just about compliance; it's about strong cyber security. The current phase, focusing on education rather than penalties, runs until December 31, 2025. It's crucial to understand your reporting obligations, assess your status as a reporting entity, and refine your incident response plans. Don't let an oversight become a crisis.


Read the full article on techpartner.news here.
