Reporting requirements are changing for federal critical infrastructure. Are you ready?

Under new legislative amendments, major operators of certain pieces of infrastructure will be required to report cyber threat activity and provide ownership details to the Australian Cyber Security Centre (ACSC). These amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act) came into effect on 8th April 2022. While a three-month grace period is currently in place for businesses that are not yet ready to fulfil these new reporting requirements, mandatory reporting will be required under the legislation from 8th July 2022. The industries impacted by these changes include:
  • broadcasting 
  • domain name systems 
  • data storage or processing
  • banking
  • superannuation 
  • insurance 
  • financial market infrastructure 
  • food and grocery 
  • hospital 
  • education 
  • freight infrastructure 
  • freight services 
  • public transport 
  • liquid fuel 
  • energy market operator 
  • aviation, that is any of the following:
      • a designated airport
      • an Australian prescribed air service operating screened air services that depart from a designated airport, or
      • a regulated air cargo agent that is also a cargo terminal operator at a designated airport
  • ports 
  • electricity 
  • gas; and 
  • water 
Another bill, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, is currently before the Senate and introduces further security measures and requirements that Australia’s critical infrastructure assets must comply with. The bill passed the House of Representatives on 16th February 2022 and is currently under review by the Parliamentary Joint Committee on Intelligence and Security. The second bill will:
  • introduce an additional Positive Security Obligation, the Risk Management Program, which will be applied to entities responsible for critical infrastructure. 
  • introduce Enhanced Cyber Security Obligations, including vulnerability reporting, cyber incident response planning and exercises, for entities responsible for assets most critical to the nation (known as systems of national significance).
The Risk Management Program creates a mandatory requirement for owners and operators of critical infrastructure to have cyber risk management systems in place, whereas the Enhanced Cyber Security Obligations will impose obligations for exercising, reporting vulnerabilities to government and being subject to audit.
The second bill will not pass parliament before the election, but will likely become law in the near future. This, along with the new mandatory cyber incident reporting requirements, will likely catch many operators off guard if they are not already aware of the changes. Is your business ready? Don’t leave it until the last minute. Put your business in the safest hands possible, and see how our experienced and knowledgeable team can help your business in this constantly changing world.
