AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
2.2 Critical Infrastructure Cybersecurity Requirements

The SOCI Act imposes requirements on owners and operators of assets across various fields. The exact requirements vary depending on the particular asset/industry; however, they may include a requirement to:

• register with the Register of Critical Infrastructure Assets;
• provide ownership and operational information;
• notify the government of certain cyber-incidents;
• implement and comply with a critical infrastructure risk management programme (CIRMP); and
• if they have “business critical data” processed or stored by a third party on a commercial basis, take reasonable steps to notify that third party.

Further still, the SOCI Act and associated rules impose enhanced cybersecurity obligations on assets designated as “systems of national significance” (SoNS). These must be assets that are already considered a “critical infrastructure asset” and that are also of “national significance”. These designations are private and confidential so as to avoid publicising their significance to malicious actors. Reports indicate that over 200 systems have been designated to date.

A responsible entity for a SoNS may be required to:

• fulfil statutory response planning obligations;
• undertake a cybersecurity exercise (see 3.6 Threat-Led Penetration Testing);
• undertake a vulnerability assessment (see 3.6 Threat-Led Penetration Testing); and
• where the system is a computer or needs a computer to operate the system, undertake periodic reports, provide event-based reports or install software that transmits system information to the ASD.

It is also worth noting that the SOCI Act also includes:

• an information gathering power for the Secretary of the DoHA to monitor compliance; and
• a directions power for the Home Affairs Minister to direct regulated entities to do or not do a specified thing that is reasonably necessary to protect critical infrastructure from national security risks.

2.3 Incident Response and Notification Obligations

Mandatory Incident Reporting Obligations

SOCI Act

As mentioned above, the SOCI Act and associated rules impose reporting obligations on various entities.

Responsible entities must report cybersecurity incidents that have a significant or relevant impact on their asset. In other words, a “responsible entity” must make a report when it becomes aware of the following.

• A “cyber security incident” that “has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset” – such a “significant impact” is defined as being where “the incident has materially disrupted the availability of [the] essential goods or service” that the asset is used to provide. The report must be made “as soon as practicable, and in any event within 12 hours, after the entity becomes aware”. If the initial report is oral, then a writ-