Since the mandatory reporting of information security incidents came into effect in April 2022, there has been a marked increase in the number of cyber incident reports provided by critical infrastructure providers to the government’s Cyber and Infrastructure Security Centre (CISC). A total of 47 mandatory cyber incidents were reported between 1 April 2022 and 31 December 2022, shedding light on the vulnerabilities faced by critical infrastructure providers. Whilst details are not known about which industries have been affected by cyber security incidents, the Security of Critical Infrastructure Act 2018 (the SOCI Act) identifies 11 industries as critical infrastructure sectors, including electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space technology, and the defence industry.
Under the SOCI Act, critical infrastructure providers must report a cyber security incident to the Australian Cyber Security Centre (ACSC) within 12 hours (if it has a “significant impact”) or 72 hours (if it has a “relevant impact”) of becoming aware of the incident. The ACSC then passes the report on to the CISC. The incident must have had, or be having, either a “significant impact” or a “relevant impact” on the critical infrastructure asset. A significant impact is one in which the incident has disrupted the use of the goods or services provided by the critical infrastructure provider. On the other hand, a relevant impact is one in which an organisation’s IT system may be impacted in a way that risks exposure of information about the organisation’s assets but does not impact the use of the organisation’s services.
To further support Australia’s cyber security efforts, a risk management program under the SOCI Act will need to be implemented by the owner or operator of a critical infrastructure asset. The significance of this is that Australia will have a set of foundational security obligations that critical infrastructure providers will need to adhere to. The government has also been working with critical infrastructure operators deemed to be of “national significance” to establish incident response planning obligations for such operators.
Please contact us if you need any assistance with your obligations under the SOCI Act.