Business Insight

Mandatory cyber incident reporting now live for Australias critical infrastructure

19 July 2022

What you need to know

From 8 July 2022, most Australian critical infrastructure assets are required to comply with a mandatory cyber incident reporting regime.
Cyber incidents must be reported within 12 or 72 hours of becoming aware, depending on whether a material disruption to essential goods or services occurs.
Reports can be made through the Australian Cyber Security Centre's "report a cyber security incident" form, or by telephone with a follow-up written report.
The next 12 months is a learning and familiarity phase, with a focus on education, support and working with entities to understand and develop guidance for the reporting thresholds as they apply to each sector.

What you need to do

Report cyber incidents – Get familiar with the thresholds for reporting, and have policies and processes in place to make it happen. The Cyber and Infrastructure Security Centre has said that for the next 12 months, enforcement will focus on failure to report (not the timeliness of reporting or level of detail).
Update incident response plans – Delegate responsibility for reporting and make sure it is clear what to report (and what not to), to whom, how and when. Confirm your response plan outlines your other existing reporting obligations to other regulators. Minimise the risk of confusion or errors under pressure and have all the necessary information on hand, assuming you may not be able to access your IT systems at the time.
Test and evaluate – Tabletop simulations, audits or reviews, and live exercises can help refine incident response plans and ensure they perform under pressure. Don't assume that ticking the box "report to ACSC" in your playbook will test what you actually need it to.
Consider becoming an Australian Cyber Security Centre (ACSC) Partnership Program and the Cyber and Infrastructure Security Centre (CISC) Trusted Information Sharing Network – for visibility of cyber threats, best practices and to help shape guidance and policy for your sector.
Get ready for more – Critical infrastructure, data and cyber security are key priorities for the Australian Government. We expect a continued push to uplift capabilities – including mandatory risk management program requirements for critical infrastructure assets and action on ransomware.
Reminder – compliance with asset registration for critical infrastructure needs to be completed by 8 October, 2022.

This is not a drill

The grace period for mandatory reporting of cyber incidents under the Security of Critical Infrastructure Act 2018 (SOCI Act) ended on 7 July 2022. For most critical infrastructure assets, this means that from 8 July 2022, 12 and 72 hour timeframes for reporting incidents apply.

Understanding the new rules and how to effectively operationalise them will help those responsible for critical infrastructure, and those in their supply chains, effectively combat cyber risks.

"Critical infrastructure" is a broad concept, capturing 11 sectors. The new reporting regime applies to most of these assets, with the exception of defence, certain aviation and maritime assets, and certain Queensland sugar mills. Telecommunications assets are covered by similar obligations under a new service provider determination and carrier licence conditions.

Mandatory cyber incident reporting for critical infrastructure

Incident reporting at a glance
Critical – "significant" impact	Asset relates to essential goods and services, and incident (directly or indirectly) materially disrupts availability of essential goods and services	Has occurred or is occurring	Report as soon as practicable, and within 12 hours of becoming aware	(If initial report is oral, written report within 84 hours)
Other - "relevant" impact	Impact (directly or indirectly) on the availability, integrity, reliability of asset, or confidentiality of critical infrastructure computer data, information about the asset or information stored in the asset	Has occurred, is occurring or is imminent	Report as practicable, and within 72 hours of becoming aware	(If initial report is oral, written report within 48 hours)

Because the clock starts ticking based on awareness, notifying the Australian Cyber Security Centre (ACSC) should be one of the first steps in an incident response plan.

This is a new and untested regime that needs to deal with a broad range of sectors, attack vectors and circumstances. The next 12 months will be considered a learning and familiarisation phase – a perfect opportunity to fine tune incident response plans, help push best practices and build cyber resilience.

What should you consider in your incident response plan

Time is of the essence. Escalation protocols in your response plan are critical to enable entities to take rapid action to contain the incident, and now also to report critical incidents to the ACSC. Twelve hours, or even 72 hours, feels much shorter in the heat of battle and it can be easy to neglect mandatory reporting timeframes.
Who is your ACSC liaison? Is it better to have someone from your IT team, legal or regulatory affairs, or your crisis management chief of staff make the report? Do they have company details on hand (such as the ABN of the right entity). Will the same person liaise with law enforcement, the Department of Home Affairs, and other regulators and what guidance do you need to make sure they have?
What if IT or phone systems are compromised? Do not use compromised systems to make incident reports – threat actors can monitor your communications to gain valuable intelligence about your understanding of and response to an incident. If telephone or email systems might be compromised, use alternative contact numbers or email addresses.
What's your approval process? Who can authorise and sign off the details to be reported? While the ACSC incident reporting form doesn't require extensive information on the incident, you will be reporting on what you know and be asked to provide details of the impact of the incident. You may only have limited information in the first 12 hours, and avoiding making too many assumptions, whilst enabling the ACSC to make an assessment, will be an important consideration.
Understand and address disclosure risks. While there are some protections from liability for mandatory reporting under the SOCI Act, review whether reporting cyber incidents (particularly voluntary reports) might breach confidentiality obligations to suppliers, customers and partners, or might impact your ability to rely on other mechanisms such as contractual indemnities. Consider negotiating changes to key contracts.
Know what support you can get and from where. The ACSC incident reporting form is also a means of requesting assistance or advice from Government. It's important to know what kind of assistance and advice that might be, and what other resources you need on call to provide critical support and expertise.
Review critical infrastructure supply chains. Are incident response plans integrated and co-ordinated? Do contracts allow voluntary incident notifications?
Know your regulators and stakeholders. The ACSC is not a one-stop shop – make sure your incident response plan covers all regulators or other stakeholders that need to be notified of a security incident.
Continually assess the dynamic nature of cyber threats across your entire value chain. For example, a cyber attack on a third party might trigger a "relevant" impact notification because of an imminent likelihood of attack; A decision to shut down services in response to a cyber incident can escalate a "relevant impact" to a "significant impact", significantly shortening notification timeframes.
Document actions – securely. Know how you will document the steps taken to identify, respond to, report and recover from an incident. Consider communications and records protocols, particularly if corporate systems might be accessible to threat actors.

Will your incident response plan work in practice?

If you've only done a desktop test of your incident response plan, you haven't tested it. Simulations are designed to "pressure test" your organisation, putting knowledge of plans and protocols into practice, and teasing out the decision dilemmas, operational and resource constraints and communication challenges of a real incident.

A systematic review and testing program of how your organisation will respond, without access to your IT networks or communication platforms, will provide valuable lessons and improve your readiness for an incident.

Updating your business continuity assumptions, plans and priorities in a regular and systemic program of reviews and tests is also an essential good practice, aiding incident recovery.

What about ransomware reporting?

The former government proposed ransomware reporting obligations as part of its Ransomware Action Plan. That proposal reflected similar concepts of "significant" and "relevant" impacts, and adopted the same 12 and 72 hour notification periods. Under that proposal, critical infrastructure entities would not be required to make a duplicate incident report for ransomware, but would be required to make a second "follow up report" of material details of a ransomware incident that may have come to light during the 21 days following an initial report.

We don’t know yet whether the new Australian Government will progress these reforms – but we do expect movement on this front, and we expect that future mandatory ransomware reporting obligations will look to minimise duplicate reporting.

The decision to make pay (or not pay) a ransom demand presents serious legal and ethical dilemmas for company directors – read more here about the position under Australian law.

What's next?

In the world of critical infrastructure:

The CISC will engage with industry sectors to help refine more relevant, sector-specific guidance around the notification regime.
The CISC will also engage with other regulators, including state and territory regulators, to help minimise duplication.
Most entities responsible for critical infrastructure will need to report operational and ownership information for the Register of Critical Infrastructure Assets – the grace period for these obligations ends on 8 October 2022.
Risk management obligations have not yet commenced, but work continues to uplift risk management programs.

The recently elected Australian Government has a lot to consider on the cyber security front:

The Attorney General has said he is keen to bring a discussion on the Privacy Act in the coming months.
The National Data Security Action Plan is expected to be finalised by the end of this year.
We also expect movement on reporting obligations and other reforms relating to ransomware.

Authors: John Macpherson (Director, Risk Advisory); Amanda Ludlow (Partner, Digital Economy Transactions) and Andrew Hilton (Expertise Counsel, Digital Economy Transactions).

_{This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.}

_{The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.}

_{Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.}

_{For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.}

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.