As of 8 July, responsible entities of critical infrastructure assets are now required to report cyber security incidents to the Australian Cyber Security Centre (ACSC) under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
As detailed in our previous article, the SOCI Act has undergone extensive legislative reform over the past 12 months, with its scope expanded to 11 sectors and 23 critical infrastructure classes. It now includes new reporting and notification obligations, as well as increased government response powers. We have previously explored the key things you need to know about the reforms.
Notably, the reforms introduced three positive security obligations for responsible entities and direct interest holders of critical infrastructure assets:
- For responsible entities and direct interest holders to report ownership and operational information to the Register of Critical Infrastructure Assets, managed by the Cyber and Infrastructure Security Centre (reporting requirements).
- For responsible entities to notify the ACSC of cyber security incidents, within 12 hours for ‘significant impact’ incidents, and within 72 hours for all other incidents (notification requirements).
- For responsible entities to establish, maintain and comply with a Critical Infrastructure Risk Management Program.
The obligations set out in the Act must be ‘switched on’ for relevant assets under the legislative rules. On 6 April 2022, the Security of Critical Infrastructure (Application) Rules 2022 were enacted, enlivening two of the three positive security obligations, subject to grace periods. For critical infrastructure assets that were deemed assets at the commencement date of the rules, the notification requirements came into effect on 8 July 2022 and the reporting requirements will come into effect by 8 October 2022.
The obligations for the third positive security obligation, to establish a Critical Infrastructure Risk Management Program, will apply when the Risk Management Program Rules are registered.
Cyber security incident reporting requirements
In relation to critical infrastructure assets, the SOCI Act provides that a responsible entity must report:
- ‘critical’ cyber security incidents within 12 hours of becoming aware; and
- other cyber security incidents within 72 hours of becoming aware.
A cyber security incident involves any of the following:
- unauthorised access to or modification of computer data or computer program;
- unauthorised impairment of electronic communications to or from a computer; or
- unauthorised impairment of the availability, reliability, security or operation of computer data, a computer program or a computer.
A critical incident is one with a significant impact on the availability of the asset, meaning an impact which materially disrupts the availability of essential goods or services provided using the asset. ‘Essential goods or services’ are not defined in the Act; however, an example may be where a critical incident impacts an electricity asset’s operational technology, which in turn impacts the generation, transmission or distribution of electricity. Other cyber security incidents must be reported if they have a relevant impact on the asset, meaning an impact on the availability, integrity, reliability or confidentiality of the asset.
As an initial step, organisations will need to determine:
- the applicable critical infrastructure asset; and
- whether they are considered a ‘responsible entity’ for that critical infrastructure asset.
This process may not be entirely straightforward. For instance, whether an asset in the data storage and processing sector is deemed to be a critical infrastructure asset turns on the users of the asset and the type of information stored or processed (e.g. whether the asset stores or processes ‘business critical data’ for other responsible entities). Further, the entity considered to be the ‘responsible entity’ for a critical infrastructure asset will depend on the asset itself. The responsible entity may be the owner of the asset, the entity responsible for its operation and management, or another entity prescribed by legislative rules.
Among other things, an entity will be required to report to the ACSC specific details about the incident, including how it was discovered, the type of incident and what type of technology or data the incident affects. These reporting requirements apply to the following critical infrastructure sectors and asset classes under the rules (with several specific exemptions set out in the rules):
- critical broadcasting assets
- critical domain name systems
- critical data storage or processing assets
- critical banking assets
- critical superannuation assets
- critical insurance assets
- critical financial market infrastructure assets
- critical food and grocery assets
- critical hospitals
- critical education assets
- critical freight infrastructure assets
- critical freight services assets
- critical public transport assets
- critical liquid fuel assets
- critical energy market operator assets
- critical aviation assets that are any of the following: a designated airport, an Australian prescribed air service operating screened air services that depart from a designated airport, or a regulated air cargo agent that is also a cargo terminal operator at a designated airport
- critical ports
- critical electricity assets
- critical gas assets
- critical water assets
Rather than ‘switching on’ the reporting obligations for the telecommunications sector, the obligations have been mirrored as a licence condition for carriers and a service rule for Carriage Service Providers (CSPs) under the Telecommunications (Carrier License Conditions – Security Information) Declaration 2022 and the Telecommunications (Carriage Service Provider – Security Information) Determination 2022. As of 7 July 2022, carriers and CSPs also need to report critical and other cyber security incidents to the Australian Signals Directorate within the 12-hour and 72-hour timeframes.
Organisations operating in the critical infrastructure classes listed above should, if they have not already done so, gather asset information to identify whether they are captured as the responsible entity of a critical infrastructure asset.
The unpredictable and fast-paced nature of cyber security incidents, combined with the short reporting timeframes in the Act, means that responsible entities must have a plan for reporting a cyber incident before it occurs. Penalties for non-compliance are currently $11,100. However, the Cyber and Infrastructure Security Centre (CISC) has confirmed that the first 12 months from 8 July 2022 will be considered a learning and familiarisation phase, where they will work with entities to understand the reporting thresholds. Enforcement action will focus on egregious non-compliance, such as the failure to report critical incidents, rather than the timeliness or detail of reporting.
In addition to developing cyber security incident notification procedures, organisations should also engage with their supply chain. For instance, responsible entities are required to notify their data storage or processing providers if the service relates to the responsible entity’s ‘business critical data’. Further, responsible entities should review, and potentially seek to uplift, contracts with managed service providers to ensure reporting timeframes are aligned with the new notification and reporting obligations under the SOCI Act.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.