AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
ten report must be made within 84 hours after the oral report is given.
• A “cyber security incident” that “has had, or is having, or is likely to have, a relevant impact on the asset”. A “relevant impact” is defined (for critical infrastructure assets) as a direct or indirect impact on the availability, integrity or reliability of the asset, or on the confidentiality of information about the asset, information stored in the asset or computer data constituting the asset. The report must be made “as soon as practicable, and in any event within 72 hours”, after the entity becomes aware of the incident. If the initial report is oral, a written report must be filed within 48 hours after the oral report is given.
A “cyber security incident” is any of the following:
• unauthorised access to, or modification of, computer data or a computer program;
• unauthorised impairment of electronic communications to or from a computer (but not “a mere interception of any such communication”); or
• unauthorised impairment of the availability, reliability, security or operation of computer data, a computer program or a computer.
Either of these reports must be given to the ASD (unless another relevant Commonwealth body is specified in the rules). Failure to make a report at all, to make it in writing, or to make it in the approved form can each be punished by a fine of AUD16,500.
Cyber Security Act
Irrespective of whether the cybersecurity incident meets the significance or relevant-impact thresholds above, most critical infrastructure assets (as “reporting business entities”) have additional reporting obligations under the Cyber Security Act.
In summary, there is an obligation to report to the ASD (or another designated Commonwealth agency) where:
• there is a cybersecurity incident that has had, is having, or could reasonably be expected to have a direct or indirect impact on a reporting business entity;
• an entity (the extorting entity) demands a benefit; and
• the reporting business entity (or a third party on its behalf) makes the ransomware payment.
Such a report must be given within 72 hours of the reporting business entity becoming aware of the payment and must contain certain prescribed information.
A “cyber security incident” for these purposes is broader than under the SOCI Act. It not only includes any incident that falls within the SOCI Act definition, but is presumed to include any incident:
• involving unauthorised impairment of electronic communication to or from a computer (per the SOCI Act), including a mere interception of any such communication; and
• that is (actually, or is reasonably expected to be) effected by means of a “telegraphic, telephonic or other like service”, where the incident has impeded or impaired, probably impeded or impaired, or is reasonably expected to impede or impair “the ability of a computer to connect to such a service”, or has prejudiced, probably prejudiced, or is reasonably expected to prejudice Australia’s social or economic stability, defence or national security.
Voluntary Incident Reporting Obligations
The ACSC has a cyber-incident reporting portal through which critical asset owners are encour-