Critical Infrastructure operators – Do you comply with Australia’s new cyber incident reporting laws?

14 July 2022


A significant increase in sophisticated cyber-attacks over the past couple of years has highlighted the vulnerability of Australian industries and critical infrastructure to malicious online threats.

The Australian Government’s response has been to amend the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) with the aim of strengthening cyber-security and resilience to attacks.

Several amendments have already come into force, broadening the SOCI Act to cover further critical infrastructure sectors and assets and giving the Government powers to intervene directly in exceptional circumstances.

The Government is also permitted to declare certain critical infrastructure assets as Systems of National Significance, with entities responsible for these systems subject to enhanced cyber security obligations.

A number of other changes are soon to take effect. This article is a reminder for responsible entities managing critical infrastructure assets (and, in certain circumstances, direct interest holders) of the positive security obligations they must comply with, and of the expiry of the grace period for each obligation, which is fast approaching.

Mandatory cyber incident reporting

From 8 July 2022, where a cyber security incident has occurred, is occurring or is imminent, and has had, is having or is likely to have a significant or a relevant impact on certain critical infrastructure assets, the responsible entity must report the incident to the Australian Signals Directorate (ASD). The deadline depends on the extent of the impact: within 12 hours of becoming aware of an incident having a significant impact, and within 72 hours of becoming aware of an incident having a relevant impact.

Within the Department of Home Affairs (Department), the Cyber and Infrastructure Security Centre (CISC) assists responsible entities for critical infrastructure to understand their regulatory requirements and obligations. The CISC has published the following list of items that a responsible entity may be asked to provide when reporting an incident:

  • information about the responsible entity (including its ABN and the name of a contact person);
  • the relevant critical infrastructure sector;
  • the date and time the incident was identified;
  • whether the incident is ongoing;
  • when the responsible entity came across the incident;
  • the type of incident (eg, ransomware attack);
  • which areas of the responsible entity the incident is affecting (eg, customer data);
  • whether the responsible entity has reported the incident to anyone else (eg, to its customers);
  • type of impact the incident is having on the asset (eg, significant or relevant); and
  • any other material information about the incident.

Responsible entities for critical infrastructure assets should ensure they are prepared to report cyber security incidents within the required timeframes.

Given the short reporting timeframes, responsible entities should familiarise themselves with the CISC factsheets and guidelines and review their processes and tools for detecting, escalating and responding to such incidents, so that the information listed above can be assembled within 12 hours where necessary.

Register of Critical Infrastructure Assets

From 8 October 2022, a reporting entity must provide the Secretary of the Department of Home Affairs (Secretary) with certain information about certain critical infrastructure assets and/or the entity itself. The Secretary will store this information and maintain a Register of Critical Infrastructure Assets.

A responsible entity is required to provide operational information about its critical infrastructure asset to the Secretary. According to the Department, operational information may include the following:

  • the asset’s location;
  • which area of the responsible entity the asset services; and
  • details of the responsible entity (ie, name, address, incorporation details etc).

If there are multiple entities that operate a critical infrastructure asset (including entities that operate part of an asset), these entities may also be required to report the above information to the Secretary.

Direct interest holders (being entities that, alone or together with their associates, hold an interest of at least 10 percent in a critical infrastructure asset, or hold an interest that puts them in a position to directly or indirectly influence or control the asset) are required to report interest and control information about the critical infrastructure asset to the Secretary. According to the Department, this may include the following:

  • details of the entity (ie, the entity’s name, ABN etc);
  • a description of the entity’s interest in the asset and its control or influence over the asset; and
  • further information about any other entity that also has control or influence over the asset.

Reporting entities should begin gathering the required information about their critical infrastructure asset(s) now, so that it can be provided to the Secretary ahead of 8 October 2022.

Risk management program

A responsible entity for one or more critical infrastructure assets, unless exempted, must identify hazards that pose a material risk to those assets and adopt and maintain a critical infrastructure risk management program intended to manage, mitigate and minimise the impact of those hazards.

The commencement date for this obligation will be set out in the Security of Critical Infrastructure (Risk Management Program) Rules 2022 (Risk Management Program Rules). These rules are currently in draft and are yet to be made.

The draft Risk Management Program Rules contemplate a six-month grace period. It is expected that these rules will also specify what a risk management program must contain. Further detailed guidance is also set to be released by the CISC to assist responsible entities to comply with this requirement.

Entities should review their existing risk management frameworks in light of the anticipated risk management program obligations that will commence once the Risk Management Program Rules come into effect.

Penalties for non-compliance

Responsible entities (and direct interest holders, where applicable) must comply with the positive security obligations by the relevant dates. Non-compliance can attract significant penalties, as follows:

  • failure to report a cyber security incident to the ASD within the required time period can attract a maximum penalty of $11,100 for individuals and $55,500 for corporations;
  • failure to report the required critical infrastructure asset information and/or entity information to the Secretary can attract a maximum penalty of $11,100 for individuals and $55,500 for corporations; and
  • failure to adopt and maintain a risk management program can attract a maximum penalty of $44,400 for individuals and $222,000 for corporations.

Please contact Demetrios Christou or Mark Feetham, partners in our national Intellectual Property, Technology and Regulatory Team, if you require further information or assistance to comply with these amendments.

Authors

Demetrios Christou | Partner | +61 2 8248 3428 | dchristou@tglaw.com.au

Mark Feetham | Partner | +61 2 8248 5847 | mfeetham@tglaw.com.au

Ashlee Broadbent | Lawyer | +61 8 8236 1185 | abroadbent@tglaw.com.au