TL;DR:
- Reporting a cyber incident in Australia requires timely use of official channels like ReportCyber and notifying relevant authorities. Mandatory reporting obligations apply mainly to businesses above certain turnover thresholds, especially for ransomware payments, while voluntary reporting is protected by the Limited Use obligation to encourage openness. Early and detailed reporting improves national cyber defenses and ensures effective incident response, with different channels for data breaches, online abuse, or immediate danger.
Reporting a cyber incident in Australia means notifying the right authorities through official channels like ReportCyber, the national portal that triages cybercrime reports and routes them to relevant law enforcement agencies. The Cyber Security Act 2024 has added mandatory reporting obligations on top of existing voluntary ones, particularly for ransomware payments. Whether you are dealing with online fraud, a data breach, or a ransomware attack, knowing exactly where to report and what to include can mean the difference between a contained incident and a prolonged disaster. If a cyber incident creates an immediate risk of harm, call 000 first. Everything else follows from there.
Who must report cyber incidents under Australian law?
Not every business faces the same reporting obligations. The distinction between mandatory and voluntary reporting is where most Australian SMBs get confused, and that confusion has real consequences.
The Cyber Security Act 2024 introduces mandatory ransomware and extortion payment reporting for businesses that exceed set annual turnover thresholds. The Act’s goal is to map the true scale of ransomware payments in Australia, which has been largely invisible to government until now. Mandatory reporting will disrupt the ransomware business model by giving authorities data they have never had before.
Here is how the reporting obligations break down:
- Mandatory reporters are businesses above the turnover threshold that pay a ransom or extortion demand. They must report the payment to the Australian Signals Directorate (ASD) within a defined timeframe.
- Voluntary reporters are any business or individual who wants to report a cyber incident but is not legally required to do so. This covers the vast majority of Australian SMBs.
- Critical infrastructure operators face additional obligations under the Security of Critical Infrastructure Act, separate from the Cyber Security Act 2024.
- Entities subject to the Privacy Act 1988 must report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.
Voluntary reporting to the ASD is protected by a Limited Use obligation. This means information you share voluntarily cannot be used against your organisation in regulatory or enforcement actions. That protection exists specifically to encourage businesses to report early and openly. We tell every client: the Limited Use clause removes the biggest reason most businesses stay quiet.
How to report a cyber incident in Australia: step by step
Before you report anything, gather what you know. Authorities need specifics, not summaries.
What to collect before you report:
- The date and time you first noticed the incident
- A description of what happened and which systems are affected
- Whether any data was accessed, copied, or destroyed
- Whether a ransom demand was received and the amount
- Any screenshots, logs, or error messages you can preserve without altering evidence
Step 1: Report to ReportCyber
ReportCyber is the starting point for most cybercrime reports in Australia. It handles identity theft, online fraud, ransomware, business email compromise, and more. The portal triages your report and sends it to the relevant state or federal law enforcement agency. You do not need to know which agency handles your type of incident. ReportCyber works that out for you.
Step 2: Report to the Australian Signals Directorate
For significant incidents affecting business operations, report directly to ASD via cyber.gov.au. Early voluntary reporting to ASD means you may receive direct technical assistance. ASD uses incident reports to build national threat intelligence and update security advice across the economy. The sooner you report, the more useful that intelligence becomes.
Step 3: Notify your bank if money is involved
If the incident involves financial loss or fraudulent transactions, contact your bank immediately. Early coordination with your financial institution limits monetary damage and supports recovery. Do not wait until you have filed a police report.
Step 4: Report online abuse separately
Online abuse and harmful content have a distinct reporting pathway. The eSafety Commissioner handles reports of cyberbullying, image-based abuse, and harmful online content. This is separate from ReportCyber and handles a different category of harm.
Step 5: Call 000 for immediate danger
If the incident involves a direct threat to life, child exploitation material, or violence, call 000 rather than using any online form.
| Incident type | Primary reporting channel |
|---|---|
| Ransomware, fraud, identity theft | ReportCyber (cyber.gov.au) |
| Significant business disruption | ASD via cyber.gov.au |
| Financial loss or theft | Your bank, then ReportCyber |
| Eligible data breach | OAIC Notifiable Data Breaches portal |
| Online abuse or harmful content | eSafety Commissioner |
| Immediate risk of harm | 000 |
Pro Tip: Report to ASD even if you are not legally required to. Voluntary reports are protected, and ASD may offer direct technical support that your internal team cannot provide alone.
What mistakes do Australian businesses make when reporting?
Honestly, the most common mistake is waiting too long. We see this constantly with SMB clients. A staff member notices something odd on a Monday morning, mentions it to their manager, and by Wednesday the business is still “investigating” before anyone has notified senior leadership or authorities. By then, the attacker has had 48 hours of uncontested access.
Delaying notification reduces response effectiveness and increases damage. That is not an opinion. It is the consistent finding from incident post-mortems. Report to your CISO or senior management before you have confirmed the full scope of the incident. Waiting for certainty is the wrong instinct.
The second mistake is incomplete reporting. Businesses submit vague descriptions like “we think we were hacked” without timestamps, affected system names, or any indication of data exposure. Authorities cannot act on that. Law enforcement and ASD need specifics to triage and respond.
Here is what good reporting looks like versus what we typically see:
- Do: Report as soon as you detect anomalous activity, even if you are not certain it is malicious
- Do: Include system names, IP addresses, timestamps, and any ransom notes verbatim
- Do: Preserve logs and screenshots before attempting remediation
- Do not: Wipe or rebuild systems before authorities have had a chance to advise on evidence preservation
- Do not: Pay a ransom without first notifying ASD, especially if you are a mandatory reporter under the Cyber Security Act 2024
- Do not: Assume your cyber insurance provider will handle reporting obligations on your behalf
The third mistake is misunderstanding the mandatory versus voluntary line. Many business owners assume they have no reporting obligations because they are a small business. That may be true for mandatory ransomware reporting under the Cyber Security Act 2024, but it is not true for data breaches under the Privacy Act 1988. If your business holds personal information and that data is compromised, you likely have an obligation to notify the OAIC regardless of your turnover.
Pro Tip: Build a one-page incident reporting checklist before an attack happens. Include the ReportCyber URL, ASD contact details, your bank’s fraud line, and your cyber insurer’s claims number. Stick it on the wall in your server room.
Why reporting cyber incidents strengthens Australia’s defences
Every report you submit contributes to something larger than your own recovery. The Australian Cyber Security Centre uses incident data to build national threat intelligence, identify emerging attack patterns, and produce updated security advice for Australian businesses. A ransomware variant that hits a Brisbane accounting firm this week may be heading for a Sydney law firm next week. Your report helps stop that.
The Cyber Incident Review Board, established under the Cyber Security Act 2024, conducts no-fault reviews of significant cyber incidents. No-fault means the review focuses on lessons, not blame. That approach encourages organisations to share openly, which produces better outcomes for the whole economy.
“Reporting incidents as soon as they are discovered is essential for senior management oversight and helps maintain an accurate national threat picture.” — cyber.gov.au
The national benefits of proper Australian cyber security reporting include:
- Faster threat detection across sectors when attack patterns are identified early
- Updated security advisories from ASD based on real incident data, not theoretical risks
- Better-resourced law enforcement with accurate data on cybercrime volumes and methods
- Disruption of ransomware networks as mandatory payment reporting removes the anonymity attackers rely on
- Improved cyber resilience across industries as lessons from the Cyber Incident Review Board are shared publicly
Reporting is not just a compliance checkbox. It is the mechanism by which Australia’s collective cyber defences actually improve. A business that reports promptly and accurately is contributing to a system that protects every other business in the country.
Key takeaways
Properly reporting a cyber incident in Australia requires using the right channels, acting quickly, and understanding your legal obligations under the Cyber Security Act 2024 and the Privacy Act 1988.
| Point | Details |
|---|---|
| Use ReportCyber first | Submit all cybercrime reports through ReportCyber to reach the correct law enforcement agency. |
| Know your mandatory obligations | Businesses above the turnover threshold must report ransomware payments to ASD under the Cyber Security Act 2024. |
| Voluntary reports are protected | The Limited Use obligation means ASD cannot use your voluntary report against you in regulatory actions. |
| Report early, not perfectly | Notify senior management and authorities before you have confirmed the full scope of the incident. |
| Separate channels for different harms | Data breaches go to the OAIC, online abuse goes to the eSafety Commissioner, financial loss goes to your bank. |
What I have learned from watching businesses report incidents badly
I have seen businesses handle cyber incidents well, and I have seen them handle it terribly. The difference is almost never about technical skill. It is about preparation and the willingness to act before you are certain.
The businesses that struggle most are the ones that treat reporting as the last step in incident response rather than one of the first. They spend days trying to understand exactly what happened before they tell anyone outside the IT team. By the time they report to ASD or submit to ReportCyber, the window for meaningful law enforcement action has often closed.
What I find genuinely frustrating is the confusion around the Limited Use protection. Businesses stay quiet because they are afraid that reporting will trigger a regulatory investigation. That fear is understandable, but it is based on a misunderstanding of how voluntary reporting works. The Limited Use clause exists precisely to remove that barrier. ASD wants your data to improve national defences, not to penalise you.
The other thing I would push back on is the idea that incident reporting is purely a compliance exercise. For SMBs especially, getting a report in front of ASD early can mean receiving direct technical guidance you would not otherwise have access to. We have seen that play out with clients who thought they were on their own, then discovered that early reporting opened a line of communication with people who had seen the exact same attack vector before.
If you do not have a cyber incident response plan in place before an attack, you will be making decisions under pressure that should have been made calmly months earlier. That is where most of the damage happens.
— Matt
How IT Start helps Brisbane businesses with cyber incident reporting
IT Start works with Brisbane SMBs every day on exactly this kind of situation. When an incident hits, most business owners do not know which form to fill in, who to call, or what evidence to preserve. IT Start’s cyber security services cover 24/7 monitoring, rapid incident response, and direct support for mandatory reporting compliance under the Cyber Security Act 2024. The team knows the ReportCyber process, the ASD reporting pathway, and the OAIC notification requirements inside out. If you want to know whether your current setup would hold up under a real incident, IT Start offers a free assessment to identify gaps before attackers find them. Reach out and get that conversation started.
FAQ
What is ReportCyber and how does it work?
ReportCyber is Australia’s national online portal for reporting cybercrime, including fraud, identity theft, and ransomware. It triages your report and routes it to the relevant state or federal law enforcement agency automatically.
Is reporting a cyber attack to ASD mandatory for all Australian businesses?
Mandatory reporting to ASD applies specifically to businesses above set annual turnover thresholds that make ransomware or extortion payments under the Cyber Security Act 2024. Most SMBs fall under voluntary reporting, which is protected by the Limited Use obligation.
What is the Limited Use obligation in Australian cyber security reporting?
The Limited Use obligation means information you voluntarily share with ASD cannot be used against your organisation in regulatory or enforcement actions. It is designed to encourage open and early reporting without fear of penalty.
Do I need to report a data breach separately from a cybercrime report?
Yes. Eligible data breaches must be reported to the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme, separate from any ReportCyber or ASD report. Both obligations can apply to the same incident.
How quickly should I report a cyber incident in Australia?
Report to senior management and ASD as soon as you detect anomalous activity, even before you have confirmed the full scope. Early reporting allows faster impact assessment and better response outcomes.
