All Things Newz
Law \ Legal

Critical infrastructure cyber notification obligations: when do you need to comply? – Security

As of 8 July, responsible entities of critical
infrastructure assets are now required to report cyber security
incidents to the Australian Cyber Security Centre (ACSC) under the
Security of Critical Infrastructure Act 2018 (Cth) (SOCI

As detailed in our previous article, the SOCI Act has undergone
extensive legislative reform over the past 12 months, with its
scope expanded to 11 sectors and 23 critical infrastructure
classes. It now includes new reporting and notification
obligations, as well as increased government response powers. We
have previously explored the key things you need to know about the

Notably, the reforms introduced three positive security
obligations for responsible entities and direct interest holders of
critical infrastructure assets:

  1. For responsible entities and direct interest holders to report
    ownership and operational information to the Register of Critical
    Infrastructure Assets, managed by the Cyber and Infrastructure
    Security Centre (reporting

  2. For responsible entities to notify the ACSC of cyber security
    incidents, within 12 hours for ‘significant impact’
    incidents, and within 72 hours for all other incidents
    (notification requirements).

  3. For responsible entities to establish, maintain and comply with
    a Critical Infrastructure Risk Management Program.

These obligations set out in the Act are required to be
‘switched on’ for relevant assets under the legislative
rules. On 6 April 2022, the Security of Critical Infrastructure
(Application) Rules 2022
were enacted, enlivening two of the
three positive security obligations, subject to grace periods. For
critical infrastructure assets that were deemed assets at the
commencement date of the rules, the notification requirements came
into effect on 8 July 2022 and the reporting
requirements will come into effect by 8 October

The obligations for the third positive security obligation, to
establish a Critical Infrastructure Risk Management Program, will
apply when the Risk Management Program Rules are registered.

Cyber security incident reporting requirements

In relation to critical infrastructure assets, the SOCI Act
provides that a responsible entity must report:

  • ‘critical’ cyber security incidents within 12
    hours of becoming aware
    ; and

  • other cyber security incidents within 72 hours of
    becoming aware

A cyber security incident involves any of the following:

  • unauthorised access to or modification of computer data or
    computer program;

  • unauthorised impairment of electronic communications to or from
    a computer; or

  • unauthorised impairment of the availability, reliability,
    security or operation of computer data, a computer program or a

A critical incident is one with a
significant impact on the availability of the
asset, meaning an impact which materially disrupts the availability
of essential goods or services provided using the asset.
‘Essential goods or services’ are not defined in the Act,
however an example may be where a critical incident impacts an
electricity asset’s operational technology, which impacts the
generation, transmission or distribution of electricity. Other
cyber security incidents must be reported if they have a
relevant impact on the asset, meaning an impact on
the availability, integrity, reliability or confidentiality of the

As an initial step, organisations will need to determine:

  • the applicable critical infrastructure asset; and

  • whether they are considered a ‘responsible entity’ for
    that critical infrastructure asset.

This process may not be entirely straightforward. For instance,
whether an asset in the data storage and processing sector is
deemed to be a critical infrastructure asset turns on the users of
the asset and the type of information stored or processed (e.g.
whether the asset stores or processes ‘business critical
data’ for other responsible entities). Further, the entity
considered to be the ‘responsible entity’ for a critical
infrastructure asset will depend on the asset itself. The
responsible entity may be the owner of the asset, the entity
responsible for its operation and management, or another entity
prescribed by legislative rules.

Among other things, an entity will be required to report to ACSC
specific details about the incident including how it was
discovered, the type of incident and what type of technology or
data the incident affects. These reporting requirements apply to
the following critical infrastructure sectors and asset classes
under the rules (with several specific exemptions set out in the

  • critical broadcasting assets

  • critical domain name systems

  • critical data storage or processing assets

  • critical banking assets

  • critical superannuation assets

  • critical insurance assets

  • critical financial market infrastructure assets

  • critical food and grocery assets

  • critical hospitals

  • critical education assets

  • critical freight infrastructure assets

  • critical freight services assets

  • critical public transport assets

  • critical liquid fuel assets

  • critical energy market operator assets

  • critical aviation assets that are any of the following: a
    designated airport, an Australian prescribed air service operating
    screened air services that depart from a designated airport, or a
    regulated air cargo agent that is also a cargo terminal operator at
    a designated airport

  • critical ports

  • critical electricity assets

  • critical gas assets

  • critical water assets

Rather than ‘switch on’ the reporting obligations for
the telecommunications sector, the obligations have been mirrored
as a licence condition for carriers and service rule for Carriage
Service Providers (CSPs) under the
Telecommunications (Carrier License Conditions – Security
Information) Declaration 2022
and the Telecommunications
(Carriage Service Provider – Security Information) Determination
As of 7 July 2022, carriers and CSPs
also need to report critical and other cyber security incidents to
the Australian Signals Directorate within the 12 hour and 72 hour

Key takeaways

Organisations operating in the critical infrastructure classes
listed above should, if they have not already done so, gather asset
information to identify whether they are captured as the
responsible entity of a critical infrastructure asset.

The unpredictable and fast-paced nature of cyber security
incidents, combined with the short reporting timeframes in the Act,
means that responsible entities must have a plan for reporting a
cyber incident before it occurs. Penalties for non-compliance are
currently $11,100. However, the Cyber and Infrastructure Security
Centre (CISC) has confirmed that the first 12
months from 8 July 2022 will be considered a learning and
familiarisation phase, where they will work with entities to
understand the reporting thresholds. Enforcement action will focus
on egregious non-compliance, such as the failure to report critical
incidents, rather than the timeliness or detail of reporting.

In addition to developing cyber security incident notification
procedures, organisations should also engage with their supply
chain. For instance, responsible entities are required to notify
their data storage or processing providers if the service relates
to the responsible entity’s ‘business critical data’.
Further, responsible entities should review, and potentially seek
to uplift, contracts with managed service providers to ensure
reporting timeframes are aligned with the new notification and
reporting obligations under the SOCI Act.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Lawyers Weekly Law firm of the year

Employer of Choice for Gender Equality

Source link

Related posts

Tax Court In Brief | Thompson v. Commissioner | Conservation Easements: Donor Improvement Carve-Outs And Supervisory Approval For Valuation Penalties – Tax Authorities

La Caducidad En Los Procedimientos Administrativos De Determinación De Responsabilidades Iniciados Por La Contraloría General Del Estado – Constitutional & Administrative Law

FCA Clarifies Its Position On ‘Significant SYSC Firm’ Dilemma – Financial Services