New cyber incident reporting rules may catch some industries unaware

Expanded rules to the Security of Critical Infrastructure Act (the SOCI Act) may catch many businesses unaware. The Act came into effect on 8 April 2022 with a grace period of three months, ending on 8 July 2022.

The expanded rules include the mandatory reporting of cyber security incidents to the Australian Cyber Security Centre (ACSC) by regulated entities under Part 2b of the SOCI Act. Within these organisations, if you become aware that a critical cyber security incident has occurred or is occurring, AND the incident has had, or is having, a significant impact on the availability of your asset, you must notify ACSC within 12 hours after you become aware of the incident. If you become aware that a cyber security incident has occurred or is occurring, AND the incident has had, is having, or is likely to have, a relevant impact on your asset, you must notify ACSC within 72 hours after you become aware of the incident.

In the information provided by the Cyber and Infrastructure Security Centre, the SOCI Act now applies to 11 critical infrastructure sectors:

• electricity
• communications
• data storage or processing
• financial services and markets
• water
• health care and medical
• higher education and research
• food and grocery
• transport
• space technology
• defence industry

The SOCI Act has three essential security obligations that can be activated at different times for particular sectors. Certain entities will be required to:

• Provide operational and ownership information to the Register of Critical Infrastructure Assets
• Report all cyber incidents which may impact the delivery of the essential services those assets provide to the Australian Cyber Security Centre
• To adopt, maintain and comply with a written risk management program. That program will need to identify and mitigate ‘material risks’ to your critical infrastructure asset. (Note: This obligation is not yet enforceable but it will be in the near future)

Conclusion

The importance of data and cyber security has never been as crucial as it is now. With statistics of over 67,500 cybercrimes reported to ACSC during the 2020-21 financial year, up 13% from the prior year, these numbers are expected to increase again when the 2021-22 report is released. The time to act is now! Make sure to implement an Incident Response Plan today and test this regularly as it’s no longer a case of if but when.