Aussie organisations now subject to 12-hour cyber incident reporting window

Many Australian organisations are now subject to a 12-hour incident reporting time frame after it becomes aware of a critical cyber incident now that amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) have come into play.

The amendments took effect on 8 July under the newly introduced Critical Infrastructure Bill; the new requirements apply to cyber attacks that impact any “critical infrastructure assets”.

Previously the SOCI Act categorised “critical asset classes” across four different sectors such as gas, electricity, water and ports. Now, the legislation has expanded to 11 new sectors that include asset classes that fall under data storage or processing, education, food and grocery, financial services and transport. In total, the new amendment has identified 22 critical asset classes.

According to ACSC data, cyber attacks have been reported at an average of once every eight minutes. About 25 per cent of a collective 67,500 reports were linked to Australia’s critical infrastructure and essential services, during the financial year 2020–2021.

Based on the Department of Home Affairs’ Critical Infrastructure Resilience Strategy, the amendments to the SOCI Act aim to support and enable “Australia’s critical infrastructure assets to continue to operate in an all-hazards environment”.

The Australian government has made national cyber security a top priority after its $9.9 billion commitment towards cyber security and the growing trend in cyber crime and cyber warfare.

For small businesses that are less equipped to properly identify and secure assets in comparison to big companies, the new SOCI Act amendments could have a serious, major impact. Businesses are facing fines starting from $11,100 for failure to notify the Australian Cyber Security Centre (ACSC) within 12 hours of becoming aware that they have been hit by a cyber incident such as ransomware or unauthorised access to an asset.

While the legal changes can appear problematic for many small-business owners nationwide, the SOCI Act amendments are primarily centred on awareness of an incident, according to the Department of Home Affairs reporting manual.