Reporting rule takes cyber ransoms out of the darkness

New reporting obligations for payments to ransomware attackers begin today.

Australia is the first country to require that ransoms paid to cybercriminals be reported to the government. Mandatory notification within 72 hours applies to organisations with annual revenue of $3 million or more.

Victims must submit information via the Australian Signals Directorate portal, giving details including use of any third-party negotiator, the value of the demand and any communication with the criminals.

Fines of close to $19,000 could apply for non-reporting. Information must not be used for civil or regulatory action against the reporting entity.

Australia’s first standalone Cyber Security Act was created in October, aimed at plugging gaps in laws relating to cybercrime. The government says it is landmark legislation that brings the nation closer to its goal of becoming a world leader in cybersecurity by 2030.

The Insurance Council of Australia has previously applauded the measures and says cybersecurity requires a “team Australia approach”. It wants data collected under the obligation to be shared with industry, to assist with threat landscape analysis.

Cyber insurance gross written premium in Australia is about $400 million a year.

The government has previously said people are increasingly “paying criminals money and it is happening in the darkness”. It wants to make it easier to gather cyberattack information and to “direct entities to take or refrain from certain actions” during serious incidents.

“Each report received will deepen our understanding of ransomware and cyber extortion attacks, and the circumstances that lead a business to paying a ransom,” it said.

Other reforms include powers to direct organisations to address deficiencies in risk management.

Critical infrastructure operators – in sectors such as energy, transport, communications, health and finance – will be required to strengthen programs used to secure individuals’ private data.

The legislation also introduces minimum cybersecurity standards for all smart devices including watches, televisions, speakers and doorbells. To be sold in Australia, they must include secure default settings, unique passwords, regular security updates and encryption of sensitive data.