It is now mandatory for all responsible entities for critical infrastructure assets to report serious cyber security incidents, including ransomware incidents, to the Australian Signals Directorate ("ASD").

A "critical infrastructure asset" now includes any critical:

  • banking asset,
  • superannuation asset,
  • insurance asset; and
  • financial market infrastructure asset.

Affected firms should familiarise themselves with the obligations, the extent to which the obligations apply to their business and when these obligations are switched on for their assets.

What does it mean to you?

Mandatory cyber security (including ransomware) incident reporting obligation

The SLACI Act introduces new obligations on entities responsible for "critical infrastructure assets" to report cyber security incidents affecting their assets to the Australian Signals Directorate ("ASD"). There are two types of report, distinguished by the severity of the incident's impact:

  1. when a cyber security incident has "significant impact" on a critical infrastructure asset:

An entity must notify ASD within twelve (12) hours if all of the following apply:

  • the entity is the responsible entity for a critical infrastructure asset;
  • the entity becomes aware that a cyber security incident has occurred, is occurring or is imminent; and
  • the incident has had, is having, or is likely to have a significant impact (whether direct or indirect) on the availability of the asset.

A "significant impact" is one where both the critical infrastructure asset is used in connection with the provision of essential goods or services and the incident has had, or is having, a material impact on the availability of those essential goods or services.

A critical cyber security incident can be reported either orally or in writing. However, if a report is made orally, the responsible entity must make a written record of the incident and give that written record to ASD (via cyber.gov.au/report) within eighty-four (84) hours of making the oral report.

  2. when a cyber security incident does not have a "significant impact" but is likely to have a "relevant impact" on a critical infrastructure asset:

The responsible entity is required to report the incident within seventy-two (72) hours of becoming aware of it. Where the report is given orally, the entity must provide a written record of the incident within a further forty-eight (48) hours after the oral report was given. "Relevant impact" is defined broadly: it covers incidents that have had, are having, or are likely to have a direct or indirect impact on the availability, integrity or reliability of the asset, or on the confidentiality of information about, or stored in, the asset.

The obligations commence on the later of:

  • three (3) months after the commencement of the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth), which commenced on 8 April 2022 (that is, from 8 July 2022); or
  • three (3) months after the asset became a critical infrastructure asset.

Failing to comply with the reporting obligations may result in a civil penalty of 50 penalty units per breach, or 250 penalty units if the entity is a corporation. At the penalty unit value of $222 current at the time of writing, this equates to $11,100 and $55,500 respectively; the dollar amounts change whenever the penalty unit value is indexed.

Register of Critical Infrastructure Assets

Within the financial services and markets sector, the register obligation has been switched on only for critical financial market infrastructure assets that are payment systems.

The obligation requires reporting entities (either direct interest holders or responsible entities of relevant critical infrastructure assets) to provide interest, control and operational information about the asset, i.e. its location, a description of the area it services, basic information about the entities responsible for its operation and the arrangements in place with each operator, to the Cyber and Infrastructure Security Centre, which manages the register.

This obligation commences on the later of:

  • six (6) months after the commencement of the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth), which commenced on 8 April 2022 (that is, from 8 October 2022); or
  • six (6) months after the asset becomes a critical infrastructure asset.

Government Assistance measure

When a cyber security incident is affecting a defined critical infrastructure asset, the Government has three key powers it may exercise:

  • require the disclosure of information;
  • order an entity to act in a specified way; and
  • authorise the ASD to step in or take direct action where necessary.

Obligation to notify data service providers

A responsible entity must take reasonable steps to inform a service provider, as soon as practicable, if that service provider is processing or storing business critical data for the responsible entity on a commercial basis. The service provider should be made aware that:

  • it is providing data storage or processing services to the responsible entity on a commercial basis; and
  • those services relate to business critical data.

Next steps

The next step for a business is to ascertain whether it has any critical assets and if so, what these are. Creating and maintaining a critical asset register is an important part of this process.

When creating a critical asset register, a business should consider:

If you require assistance in relation to understanding your obligations as an Australian Credit Licence (ACL) or Australian Financial Services Licence (AFSL) holder, please contact us.

Background Information:

The Security Legislation Amendment (Critical Infrastructure) Act 2021 ("the SLACI Act") was enacted in December 2021 as the first of a two-part process of amending the Security of Critical Infrastructure Act 2018 (Cth) ("the SOCI Act"). It expands the definition of "critical infrastructure sector" to bring a number of new sectors within the legislative framework. One of the sectors it includes is the financial services and markets sector.

The legislation also defines a "critical infrastructure sector asset" as an asset that relates to a critical infrastructure sector.

In March 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) ("the SLACIP Act") was passed.

Further reading

Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth)

Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth)

Security of Critical Infrastructure Act 2018 (Cth)

Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021

Ransomware Action Plan

Australian Cyber Security Centre (ACSC)

Locked Out: Tackling Australia's ransomware threat