The Australian Government has now made cyber security incident reporting mandatory for select critical infrastructure sectors, effective from the 8th of April 2022. While a three-month grace period is in place, all assets are strongly encouraged to voluntarily report incidents to the Australian Cyber Security Centre (ACSC) from now on. We recommend partners take the opportunity to remind any Australian clients in critical infrastructure sectors of this.
Although the definition of critical infrastructure assets is quite broad, the full list is covered in the Security of Critical Infrastructure 2018 Act. With 16 total industries listed, critical infrastructure assets range from energy businesses to financial services, telcos, freight, public transport, and food and grocery businesses.
Under the mandate, any critical cyber security incidents that will have a ‘significant impact’ on the availability of assets are required to be reported to the ACSC within 12 hours of the business becoming aware of the issue. If a business opts to inform the ACSC of the incident verbally, they are then required to submit written notice within 84 hours.
For those that are unclear, a significant impact is one where “the incident has materially disrupted the availability of the essential goods or services delivered by a critical infrastructure asset”. Further clarification can be found in the Cyber Security Incident Reporting guide here.
For cyber security incidents that will have a ‘relevant impact’ on the “availability, integrity, reliability or confidentiality” of the asset, businesses are still required to notify the ACSC within 72 hours of becoming aware.
If your client has fallen victim to a cyber security incident which will impact their asset, please direct them to:
- Call 1300Cyber1 (1300 292 371),
- Submit a report online here,
- Or, call 000 immediately if there is a threat to life or risk of harm.
Although Australian critical infrastructures were regularly targeted by cybercriminals throughout the pandemic, concerns are growing even further in the face of increasing global tensions. Last month, the ACSC called for businesses to step up their cyber preparedness as cybercrime rates continue to rise across the country.
Internationally, nations are also readying themselves, with the Cybersecurity & Infrastructure Security Agency (CISA) in the U.S. recommending businesses take a “Shields Up” approach and “adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets”.
The Shields Up initiative offers valuable information and recommendations on how to prepare businesses for cyber incidents which may be worthwhile sharing with your clients.
CISA's advice can be found here, and includes:
- Guidance for all organisations,
- Recommendations for corporate leaders and CEOs,
- Ransomware response,
- Steps to protect yourself and your family, and
- A selection of other resources.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.