Recent amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) require organisations that control "critical infrastructure assets" to comply with broad new cyber risk management obligations.
While the amendments to the SOCI Act were passed in two tranches in 2021 and April 2022, a number of these obligations were not immediately “switched on”, because the Security of Critical Infrastructure (Application) Rules 2022 (Cth) (Application Rules) provided certain “grace periods”.
However, organisations must be aware that, from 8 July 2022 onwards, the Application Rules have “switched on” the mandatory cyber incident reporting obligations for certain critical asset classes, including (without limitation) critical insurance assets, critical food and grocery assets, critical freight services assets, critical gas assets and critical electricity assets.
This obligation requires that:
A “significant impact” is defined as an impact which has materially disrupted the availability of essential goods or services provided by the asset, while a “relevant impact” is any other impact on the availability, integrity, reliability or confidentiality of the asset.
Non-compliance can result in a maximum penalty of 50 penalty units (currently $11,100).
This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.
Lachlan Chuong, Associate in our Disputes team
Phone: +61 8 8210 2281