It is now mandatory for all entities that hold critical
infrastructure assets to report serious cyber security and
ransomware incidents to the Australian Signals Directorate (ASD).
A “critical infrastructure asset” now includes any:
- banking asset;
- superannuation asset;
- insurance asset; and
- financial market infrastructure asset.
Affected firms should familiarise themselves with the
obligations, the extent to which the obligations apply to their
business and the circumstances in which these obligations are triggered.
What does it mean to you?
Mandatory ransomware incident reporting obligation
The SLACI Act introduces new obligations on entities responsible
for “critical infrastructure assets” to report cyber
security incidents affecting their assets to the Australian Signals
Directorate (“ASD”). There are two types of reporting obligation:
- when a cyber security incident has a “significant
impact” on a critical infrastructure asset:
An entity must notify ASD within twelve (12) hours if:
- the entity is the responsible entity for a critical
infrastructure asset; AND
- the entity becomes aware that a cyber security incident has
occurred or is occurring and the incident has had, or is having, a
significant impact (whether direct or indirect) on the availability
of the asset.
A “significant impact” is one where both the critical
infrastructure asset is used in connection with the provision of
essential goods or services and the incident has materially
disrupted the availability of those essential goods or services.
A critical cyber security incident may be reported either verbally
or in writing. However, if a report is made verbally, the responsible
entity must make a written record and provide that written record via
cyber.gov.au/report within eighty-four (84)
hours of making the verbal report.
- when a cyber security incident does not have a
“significant impact” but is likely to have a
“relevant impact” on a critical infrastructure asset:
The responsible entity is required to report the incident within
seventy-two (72) hours of becoming aware of the relevant impact.
Where the report is given orally, the entity must provide a written
report of the incident within a further 48 hours after the oral
report was given. “Relevant impact” is defined broadly
and includes incidents that affect the integrity,
reliability or confidentiality of the asset.
The obligations commence on the later of:
- three (3) months after the commencement of the Security of
Critical Infrastructure (Application) Rules 2021 (Cth) (8 July 2022); and
- three (3) months after the asset became a critical infrastructure asset.
Failing to comply with the reporting obligations may result in a
penalty of $11,100 (50 penalty units) per breach, or $55,500 (250
penalty units) if the entity is a corporation.
Register of Critical Infrastructure Assets
The obligation is applicable to critical financial market
infrastructure assets that are a payment system.
The obligation requires reporting entities, either direct
interest holders or responsible entities of relevant critical
infrastructure assets, to provide interest, control and operational
information (i.e. the asset’s location, a description of the
area the asset services, basic information about entities
responsible for the operation of the asset and the arrangements in
place with each operator) to the Cyber and Infrastructure Security
Centre which manages the register.
This obligation commences on the later of:
- six (6) months after the commencement of the Security of
Critical Infrastructure (Application) Rules 2021 (Cth) (8 October 2022); and
- six (6) months after the asset becomes a critical infrastructure asset.
Government Assistance measure
When a cyber security incident is affecting a defined critical
infrastructure asset, the Government has three key powers. It may:
- require the disclosure of information;
- order an entity to act in a specified way; and
- authorise the ASD to step in or take direct action where
Obligation to notify data service providers
A responsible entity must take reasonable steps to inform a
service provider as soon as practicable if the service provider is
processing or storing business critical data for the responsible
entity on a commercial basis. The service provider should be made
aware that:
- it is providing data services to the responsible entity
on a commercial basis; and
- those services relate to business critical data.
The next step for a business is to ascertain whether it has any
critical assets and, if so, what they are. Creating and maintaining
a critical asset register is an important part of this process.
When creating a critical asset register, a business should
If you require assistance in relation to understanding your
obligations as an ACL or AFSL holder, please contact us.
The Security Legislation Amendment (Critical
Infrastructure) Act 2021 (“the SLACI
Act”) was enacted in December 2021 as the first stage
of a two-part process of amending the Security of Critical Infrastructure Act
2018 (Cth) (“the SOCI Act”). It
expands the definition of “critical infrastructure
sector” to include a number of new sectors within the
legislative framework, one of which is the
financial services and markets sector.
The legislation also provides that an asset that relates to a
critical infrastructure sector is a “critical
infrastructure sector asset”.
In March 2022, the Security Legislation Amendment (Critical
Infrastructure Protection) Act 2022 (Cth)
(“the SLACIP Act”) was passed.