Gabi Power, 04 August 2022 15:35:41 AEST

What Does the Updated ‘Security of Critical Infrastructure Act’ Mean for Your Business?

As of the 8th of July 2022, a 3-month grace period has ended and businesses in specified sectors or critical infrastructure asset classes are now required to report cyber security incidents to the Australian Cyber Security Centre (ACSC) within 12 hours under the Security of Critical Infrastructure Act 2018 (SOCI Act). Non-compliance with the Act will incur up to 50 penalty units, equating to a fine up to $11,100. 

The Security of Critical Infrastructure Act 2018 (SOCI Act) was introduced to “manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia's critical infrastructure”. The Act includes provisions (Part 2B) for ‘Mandatory Cyber Incident Reporting’, which “plays a vital role in developing an aggregated threat picture for the Australian Government to inform proactive and reactive cyber response options – from providing immediate assistance to working with industry to uplift broader security standards.” 

Initially, the Act only extended to 4 sectors: gas, electricity, water, and ports. However, the recent amendments saw an expansion of sectors, and the following critical infrastructure asset classes now have obligations under the SOCI Act for Mandatory Cyber Incident Reporting:  

  • Broadcasting  
  • Domain name system  
  • Data storage or processing  
  • Banking  
  • Superannuation  
  • Insurance  
  • Financial market infrastructure  
  • Food and grocery  
  • Hospital  
  • Education  
  • Freight infrastructure  
  • Freight services  
  • Public transport  
  • Liquid fuel  
  • Energy market operator  
  • Aviation, that is any of the following: 
    • a designated airport 
    • an Australian prescribed air service operating screened air services that depart from a designated airport, or 
    • a regulated air cargo agent that is also a cargo terminal operator at a designated airport 
  • Ports  
  • Electricity  
  • Gas 
  • Water 

What do I need to do? 

Once a business becomes aware of a critical cyber security incident that will have a ‘significant impact’ on its assets, it must notify the Australian Cyber Security Centre (ACSC) within 12 hours. If the business makes that report verbally within the timeframe, it must then submit a written report online within 84 hours.

For non-critical cyber incidents, if the business becomes aware of a cyber security incident that will likely have a ‘relevant impact’ on its asset, it must notify the ACSC within 72 hours of becoming aware of the incident. If the report is made verbally, a written report must be submitted within 48 hours of the verbal notification.

What is a cyber security incident? 

The Cyber and Infrastructure Security Centre defines cyber incidents as acts, events or circumstances which involve:   

  • Unauthorised access to or modifications of a computer’s data or programs 
  • Unauthorised impairment of electronic communications to or from a computer 
  • Unauthorised impairment of the security, operation, availability, or reliability of a computer, or its data and/or programs 

The Act states that “if you detect a cyber security incident at or beyond the exploitation phase of malicious activity – irrespective of any prevention or mitigation action taken – you are required to submit a report.” 

What is the difference between a ‘significant’ impact and a ‘relevant’ impact? 

A significant impact is where “both the critical infrastructure asset is used in connection with the provision of essential goods and services; and the incident has materially disrupted the availability of the essential goods or services”.   

A relevant impact, by contrast, is an impact on “the availability, integrity, reliability or confidentiality” of a business’s asset that does not disrupt the provision of the essential goods or services the asset supports.

How do I make a report? 

If your business has fallen victim to a cyber security incident which will impact your asset, please:

  • Call 1300Cyber1 (1300 292 371), 
  • Submit a report online here, or 
  • Call 000 immediately if there is a threat to life or risk of harm. 

What are the consequences of non-compliance?  

Non-compliance with the mandatory cyber incident reporting has a maximum penalty of 50 penalty units.  

The value of each penalty unit currently sits at $222, making the maximum penalty for non-compliance $11,100.  

What can I do to prevent a cybersecurity incident?  

The best way for businesses to prevent cyber security incidents is to boost their security stack. 91% of cyberattacks begin with a phishing email, making email an extremely important vector for businesses to fortify. If you are using Microsoft 365 or Google Workspace, you should also have third-party solutions in place to mitigate your risk; for example, use a specialist cloud email security solution like MailGuard to enhance your Microsoft 365 security stack.

MailGuard offers predictive and advanced email security which detects threats up to 48 hours ahead of other vendors. For a few dollars per staff member per month, you can protect your business from cyber incidents.  

Reach out to our team for a confidential discussion by emailing or calling 1300 30 44 30. 
