Mandatory reporting obligations now live for certain critical infrastructure assets
Recent amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) require organisations that control "critical infrastructure assets" to comply with broad, new, cyber risk management obligations.
While the amendments to the SOCI Act were passed over two tranches in 2021 and April 2022, a number of these obligations were not immediately “switched on” having regard to the Security of Critical Infrastructure (Application) Rules 2022 (Cth) (Application Rules) which provided certain “grace periods”.
However, organisations must now be aware that from 8 July 2022 onwards, the Application Rules have now “switched on” the mandatory cyber incident reporting obligations for certain critical asset classes, including (without limitation) critical insurance assets, critical food and grocery assets, critical freight services assets, critical gas assets and critical electricity assets.
This obligation requires that:
- if an entity becomes aware of a cyber security incident that has had, or is having, a significant impact on the availability of the asset, it must report this event to the Australian Cyber Security Centre (ACSC) within 12 hours; and
- if an entity becomes aware that a cyber security incident has had, or is having, a relevant impact on the availability of the asset, it must report this event to the ACSC within 72 hours.
A “significant impact” is defined as an impact which has materially disrupted the availability of essential goods or services provided by the asset while a “relevant impact” is any other impact on the availability, integrity, reliability or confidentiality of the asset.
Non-compliance can result in a maximum penalty of 50 penalty units (currently $11,100).
This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.
Author: Lachlan Chuong
Position: Associate
Practice: Disputes
Cyber Alliance Group
DMAW Lawyers has partnered with Comunet & Digital Trace Australia to form a comprehensive, industry leading cyber security service group, the Cyber Alliance Group.
Head to the Cyber Alliance Group website to find out more about our full service, cyber security offering and how we can assist your business.