New amendments to the Security of Critical Infrastructure Act 2018 (Cth) introduce a mandatory cybersecurity reporting requirement for certain critical infrastructure assets. The requirement commenced on 8 July 2022.
A cybersecurity incident refers to one or more acts, events or circumstances involving:
- unauthorised access to or modification of computer data or a computer program, or
- unauthorised impairment of electronic communications to or from a computer, or
- unauthorised impairment of the availability, reliability, security or operation of computer data, a computer program or a computer.
If a cybersecurity incident occurs and has had a significant impact on a critical infrastructure asset, the owner of the asset must notify the Australian Cyber Security Centre (ACSC) of the incident. Notification must be made within 12 hours after becoming aware of the incident.
A significant impact is one where the critical infrastructure asset is used in connection with the provision of essential goods and services and the incident has materially disrupted the availability of the goods or services. For example, a critical cybersecurity incident might impact an electricity asset and the distribution of electricity.
Alternatively, the cybersecurity incident may have a relevant impact. A relevant impact is an impact on the availability, integrity, reliability, or confidentiality of the critical infrastructure asset. For example, a cybersecurity incident may impact a bank’s network and expose data but may not impact the provision of banking services. In such situations, the owner of the asset must notify the ACSC within 72 hours of becoming aware of the incident.
To file a report for either impact, the owner of the asset should use the ACSC’s guide on reporting cybersecurity incidents.
The introduction of the mandatory cybersecurity reporting regime is designed to strengthen the security of Australia’s key infrastructure and encourage the development of responses and protections to minimise future cybersecurity risk and harm.
We have significant expertise advising clients on cyber security obligations and services. For further information, please email firstname.lastname@example.org