Strength and Resilience: Responding to cyber incidents impacting critical infrastructure
Following recent amendments to the Security of Critical Infrastructure (SOCI) Act 2018 (Cth) (‘the SOCI Act’), entities must comply with new obligations when responding to cyber incidents impacting critical infrastructure. Specifically:
- Responsible entities for most critical infrastructure assets (CI assets) are now obliged to report certain types of cyber incidents – this obligation is in addition to cyber incident reporting obligations under other regimes such as the Privacy Act 1988 (Cth); and
- In rare or emergency circumstances, government may ‘step in’ to support and direct an entity’s response to ‘serious’ cyber incidents – government assistance measures provide a framework for the Minister for Home Affairs to authorise information gathering directions, action directions or intervention requests.
Purpose of the amendments
Recent amendments to the SOCI Act and subordinate legislation have sought to build sustainable resilience into the services that are critical to the lives of Australians and the health of the economy at large. Flexible legislative instruments (‘rules’) and directions powers facilitate a phased approach to implementation, allowing the most urgent changes to commence while consultation continues on measures addressing risk and resilience.
Responsible entities for captured CI assets must now ensure their cybersecurity incident response processes include a mandatory reporting process to the Australian Cyber Security Centre (ACSC) for certain types of cyber incidents. The captured critical infrastructure sectors and asset classes are specified in the rules,1 but other sectors and asset classes are encouraged to make voluntary reports. Responsible entities for the purposes of the mandatory notification obligation will generally be the entity licenced to own and operate the asset, but entities should consult specific definitions in the SOCI Act and the rules to confirm whether they are impacted.2
This new obligation is in addition to other cyber incident reporting obligations, including eligible data breach notification obligations under the Privacy Act 1988 (Cth), and material information security incident reporting obligations under the Australian Prudential Regulation Authority’s Prudential Standard CPS 234.
Mandatory reporting is intended to inform government understanding of the threat to critical infrastructure and enhance its ability to respond to serious threats. This includes, in certain rare or emergency circumstances and subject to a Ministerial authorisation, an obligation for entities to comply with directions from Home Affairs or the Australian Signals Directorate as part of the government assistance measures. The objective of these measures is for the government to assist in the defence of impacted CI assets, but they will only be exercised as a matter of last resort.
Responsible entities must make a report to the ACSC orally or in writing using the approved form (linked here):
- within 12 hours of becoming aware of a critical cyber security incident that is having or has had a significant impact on the availability of any CI asset. If a report was made orally, then a written report must be made within 84 hours of that oral report; or
- within 72 hours of becoming aware of any other cyber security incident that has occurred, is occurring or is imminent where the incident will have a relevant impact on the availability, integrity or reliability of a CI asset, or the confidentiality of information about or stored in the CI asset. If a report was made orally then a written report must be made within 48 hours of that oral report.
The timeframe for each mandatory reporting obligation starts when the responsible entity becomes aware of a cyber security incident.
Responsible entities must be able to identify and categorise cyber security incidents to meet the mandatory reporting obligations. While it is prudent to make precautionary reports to the ACSC if in doubt, the threshold for reporting a critical cyber security incident is likely to be high and to increase over time. The critical cyber incident obligation is also focused on the availability of the CI asset; incidents not materially impacting the CI asset are less likely to be captured. The scope of the reporting obligation for other cyber security incidents is broader, but will generally not extend to scam calls, emails and social engineering incidents that do not lead to further infiltration of computer data or programs.3
While a key objective of mandatory reporting is cultural change, and the Cyber and Infrastructure Security Centre charged with administering the SOCI Act has indicated an intention to promote voluntary compliance in the first instance,4 egregious failures to report serious cyber incidents may result in civil penalties of 50 penalty units for each contravention (currently up to $55,500 AUD for corporations).
Other new obligations
The amendments to the SOCI Act also introduced several additional obligations. Impacted entities must:
- By 8th October 2022, provide either operational information as the responsible entity for that asset, or interest and control information as the direct interest holder, to the Secretary of Home Affairs;
- Subject to a future ‘on switch’, implement a risk management program with a particular focus on cyber, physical, personnel and supply chain risks; and
- Subject to the Minister’s designation of an asset as a System of National Significance, comply with enhanced cyber security obligations that include response exercises and vulnerability assessments.
How we can help
KPMG has a wide capability in incident response, business continuity, disaster recovery, and resilience planning in the critical infrastructure space. We have extensive experience helping responsible entities for CI assets design risk-based security programmes, providing deep technical advice on the design and implementation of security controls, and providing assurance over key control operation.
Our team includes cyber lawyers and dedicated strategic and technical cyber experts who have been engaged by Home Affairs since 2021 to co-design the rules and frameworks.
For more information on your obligations, managing a compliance uplift plan, and finding improvement opportunities to strengthen your resilience, view our capabilities at Critical infrastructure reforms – KPMG Australia (home.kpmg).