New obligations to report cyber incidents - critical infrastructure

With the increasing prevalence of malicious cyberattacks, new regulations have been introduced to ensure that the government has knowledge of cyber incidents affecting specific entities in the following industries:

  • electricity
  • communications
  • data storage or processing
  • financial services
  • water
  • healthcare and medical
  • higher education and research
  • food and grocery
  • transport
  • space technology

By implementing a mandatory reporting regime, the government seeks to strengthen the security and resilience of critical infrastructure, by empowering the relevant authorities to more immediately address critical cyber incidents - and to develop responses and protections to minimise the risk of future incidents occurring.

These new requirements apply to owners and operators of critical infrastructure assets. If you are unsure of whether your business falls within that category, the Department of Home Affairs has published a list of the assets captured under the relevant legislation.

The Cyber and Infrastructure Security Centre has provided helpful factsheets on the mandatory cyber incident response requirements, which commence on Thursday 7 July 2022.

Those factsheets can be accessed here:

Readers will recall that Holman Webb has reported on recent legal action, in which the failure to take adequate steps to prevent cyber intrusions resulted in material fines being issued to a business:

Ignore Cyber Protection – Pay the Price: Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496

Readers will also recall that all businesses, no matter their size, and irrespective of whether they are caught by this mandatory reporting requirement, must, in Holman Webb’s view, ensure that they have adequate policies and procedures in place - supported by training and testing to educate staff in relation to risks.

In addition, any business that does not consider and implement the preventative measures set out in the Essential 8 (see Cyber Security: The Essential Eight Strategies to Protect Your Business) is running a material risk of making itself an easy target, and thereafter suffering the commercial and reputational loss that flows from a data breach, ransomware attack or a fraudulent invoicing scam (amongst many other cyber scams and malicious attacks).

If you require any assistance in relation to the implementation of policies, or advice on legal and employment aspects of cyber security – please do not hesitate to get in contact with Holman Webb’s Technology Law Group today.

