26 July 2022

New cyber incident reporting rules may catch some industries unaware

Insights Resources

Expanded rules to the Security of Critical Infrastructure Act (the SOCI Act) may catch many businesses unaware. The Act came into effect on 8 April 2022 with a grace period of three months, ending on 8 July 2022.

The expanded rules include the mandatory reporting of cyber security incidents to the Australian Cyber Security Centre (ACSC) by regulated entities under Part 2b of the SOCI Act. Within these organisations, if you become aware that a critical cyber security incident has occurred or is occurring, AND the incident has had, or is having, a significant impact on the availability of your asset, you must notify ACSC within 12 hours after you become aware of the incident. If you become aware that a cyber security incident has occurred or is occurring, AND the incident has had, is having, or is likely to have, a relevant impact on your asset, you must notify ACSC within 72 hours after you become aware of the incident.

Cyber incident

In the information provided by the Cyber and Infrastructure Security Centre, the SOCI Act now applies to 11 critical infrastructure sectors:

  • electricity
  • communications
  • data storage or processing
  • financial services and markets
  • water
  • health care and medical
  • higher education and research
  • food and grocery
  • transport
  • space technology
  • defence industry

The SOCI Act has three essential security obligations that can be activated at different times for particular sectors. Certain entities will be required to:

  • Provide operational and ownership information to the Register of Critical Infrastructure Assets
  • Report all cyber incidents which may impact the delivery of the essential services those assets provide to the Australian Cyber Security Centre
  • To adopt, maintain and comply with a written risk management program. That program will need to identify and mitigate ‘material risks’ to your critical infrastructure asset. (Note: This obligation is not yet enforceable but it will be in the near future)

Cyber crimes


The importance of data and cyber security has never been as crucial as it is now. With statistics of over 67,500 cybercrimes reported to ACSC during the 2020-21 financial year, up 13% from the prior year, these numbers are expected to increase again when the 2021-22 report is released. The time to act is now! Make sure to implement an Incident Response Plan today and test this regularly as it’s no longer a case of if but when.

Super-charge the legal function with intelligent automation

Introducing Lawcadia’s powerful automation engine, Lawcadia Intelligence™. Highly configurable, no-code automation and logic-based workflows, with a unique plug-in architecture to support new functionality and ease of systems integrations.
Discover the power of possibilities.

Similar articles we think you’ll enjoy.

04 December 2023
7 LegalTech Trends To Watch In 2024
Insights Resources
27 November 2023
In-House Legal: The Importance Of Crafting A Compelling Business Case
Insights Resources
21 November 2023
Becoming A Data-Driven Legal Department
Insights Resources

Transform your legal operations with the award-winning, two-sided intelligent platform built for in-house legal teams and their law firms with legal intake & triage, matter management, workflow automation, spend management, collaboration and customisable reporting.