
Mandatory reporting of serious cyber security and ransomware incidents for entities – Fin Tech


It is now mandatory for all entities that hold critical
infrastructure assets to report serious cyber security and
ransomware incidents to the Australian Signals Directorate.

A “critical infrastructure asset” now includes any

  • banking asset,

  • superannuation asset,

  • insurance asset; and

  • financial market infrastructure asset.

Affected firms should familiarise themselves with the
obligations, the extent to which the obligations apply to their
business and the circumstances in which these obligations are triggered.

What does it mean to you?

Mandatory cyber security and ransomware incident reporting obligation

The SLACI Act introduces new obligations on entities responsible
for “critical infrastructure assets” to report cyber
security incidents affecting their assets to the Australian Signals
Directorate (“ASD“). There are two types
of reporting:

  1. when a cyber security incident has a “significant
     impact” on a critical infrastructure asset:

An entity must notify ASD within twelve (12) hours if:

  • the entity is the responsible entity for a critical
    infrastructure asset; and

  • the entity becomes aware that a cyber security incident has
    occurred or is occurring and the incident has had, or is having, a
    significant impact (whether direct or indirect) on the availability
    of the asset.

A “significant impact” is one where both the critical
infrastructure asset is used in connection with the provision of
essential goods or services and the incident has materially
disrupted the availability of those essential goods or services.
A critical cyber security incident can be reported either verbally
or in writing. However, if a report is made verbally, the responsible
entity must make a written record of it and provide that written
record to ASD within eighty-four (84) hours of making the verbal report.

  2. when a cyber security incident does not have a
     “significant impact” but is likely to have a
     “relevant impact” on a critical infrastructure asset:
The responsible entity is required to report the incident within
seventy-two (72) hours of becoming aware of the relevant impact.
Where the report is given orally, the entity must provide a written
report of the incident within a further 48 hours after the oral
report was given. “Relevant impact” is defined broadly
and includes incidents that affect the availability, integrity,
reliability or confidentiality of the asset.

The obligations commence on the later of:

  • three (3) months after the commencement of the Security of
    Critical Infrastructure (Application) Rules 2021 (Cth) (8 July
    2022); or

  • three (3) months after the asset became a critical
    infrastructure asset.

Failing to comply with the reporting obligations may result in a
penalty of $11,100 (50 penalty units) per breach, or $55,500 (250
penalty units) if the entity is a corporation.

Register of Critical Infrastructure Assets

The obligation applies to critical financial market
infrastructure assets that are payment systems.

The obligation requires reporting entities, being either direct
interest holders or responsible entities of relevant critical
infrastructure assets, to provide interest, control and operational
information (i.e. the asset’s location, a description of the
area the asset services, basic information about the entities
responsible for the operation of the asset and the arrangements in
place with each operator) to the Cyber and Infrastructure Security
Centre, which manages the register.

This obligation commences on the later of:

  • six (6) months after the commencement of the Security of
    Critical Infrastructure (Application) Rules 2021 (Cth) (8 October
    2022); or

  • six (6) months after the asset becomes a critical
    infrastructure asset.

Government assistance measures

When a cyber security incident is affecting a critical
infrastructure asset, the Government has three key powers:

  • to require the disclosure of information;

  • to order an entity to act in a specified way; and

  • to authorise the ASD to step in or take direct action.

Obligation to notify data service providers

A responsible entity must take reasonable steps to inform a
service provider as soon as practicable if the service provider is
processing or storing business critical data for the responsible
entity on a commercial basis. The service provider should be made
aware that:

  • they are providing data services to the responsible entity
    on a commercial basis; and

  • those services relate to business critical data.

Next steps

The next step for a business is to ascertain whether it has any
critical assets and if so, what these are. Creating and maintaining
a critical asset register is an important part of this process.

When creating a critical asset register, a business should

If you require assistance in relation to understanding your
obligations as an ACL or AFSL holder, please contact us.

Background Information:

The Security Legislation Amendment (Critical Infrastructure) Act
2021 (Cth) (“the SLACI Act”) was enacted in December 2021 as the
first part of a two-part process of amending the Security of Critical
Infrastructure Act 2018 (Cth) (“the SOCI Act”). It
expands the definition of “critical infrastructure
sector” to include a number of new sectors within the
legislative framework, one of which is the financial services and
markets sector.

The legislation also notes that “an asset that relates to a
critical infrastructure sector” is also a “critical
infrastructure sector asset”.

In March 2022, the Security Legislation Amendment (Critical
Infrastructure Protection) Act 2022 (Cth) (“the SLACIP Act”)
was passed.

Further reading

Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth)

Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth)

Security of Critical Infrastructure Act 2018 (Cth)

Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021

Ransomware Action Plan

Cyber Security Centre

Locked Out: Tackling Australia’s ransomware
