Grace period up: Owners of critical infrastructure assets required to report cyber security attacks

Businesses that own or operate assets captured by Australia’s expanded critical infrastructure security laws could face fines if they fail to report cyber security attacks to Australian authorities.

Affected critical infrastructure operators and owners were given a three-month grace period to comply with the new requirements which were outlined in amendments to the Security of Critical Infrastructure Act 2018.


However, from today (8 July), owners will have to alert the Australian Cyber Security Centre if their infrastructure is the subject of a cyber-attack that significantly impacts its availability.

This notification must be made within 12 hours of the event, and other incidents that have a relevant impact must be reported within 72 hours.

A cyber security expert with leading professional services firm RSM Australia has warned that a tripling in the number of sectors now captured by the new laws may catch some businesses by surprise, particularly small to medium enterprises (SMEs) in new sectors such as food, grocery, health care and transport.

Amendments to the Act expanded its coverage from specific entities in the electricity, gas, water and maritime port sectors to include assets in the communications, data storage or processing, financial services and markets, health care and medical, higher education and research, food and grocery, transport, space technology, and defence sectors.

RSM Australia Director and the National Head of Cyber Security and Privacy Risk Services Darren Booth said despite efforts by Australian Government authorities overseeing the roll-out of the new laws to identify affected industry stakeholders, he was concerned some organisations and businesses could still be in the dark about their new reporting obligations and other cyber security risk management requirements commencing later in the year.

Mr. Booth said well-regulated sectors such as energy, utilities and financial services should already have well-developed security procedures and corporate reporting in place.

"However, less regulated sectors that may have strong physical security measures for their assets, but weaker cyber security, could have significant work to do to bolster their mitigation, response, reporting and recovery approaches to a potential cyber-attack," he said.


"I think there’s been engagement with the big industries and players impacted by the legislative changes, but I’m concerned about the SMEs, particularly businesses in supply chains such as ‘farm to plate’ and freight services."

"When I’ve raised the new regulatory obligations with businesses that I’m dealing with, many have been unaware of the changes and have had to seek legal advice to determine if they’re captured in the expanded net of critical infrastructure assets," he said.

"My advice to businesses in those identified sectors is to seek immediate expert advice to determine if the new laws apply to them."

"The complexity of the changes, the current IT skills shortage, and the commencement of the new cyber incident reporting requirements just after the end of the financial year – the busiest time for business – may have also relegated the impending changes to the ‘too hard basket’ for some entities."

Mr. Booth expects the Australian Cyber Security Centre will take an "education first" approach to non-compliance in the early stages of the new requirements. However, operators found in breach of the new reporting requirements could face fines.

"Warning bells will start ringing for private companies when there’s been a serious attack on a piece of critical infrastructure and the Australian Government enforces its 'walk-in' rights to manage the situation," he said.

RSM Australia recently released a comprehensive report on the cyber security landscape, thinkBig Cyber Security, which contained vital advice for SMEs.

About RSM Australia

Having grown into one of Australia’s leading professional services firms over the last 100 years, RSM Australia is committed to enabling clients through a greater understanding of what matters most to their business. In addition to local knowledge provided by our advisers in 32 offices across Australia, we draw on our international reach and scale to ensure clients stay at the forefront of the world’s best practices, technology, and innovation within a rapidly changing global economy.

For more information

For further information, please get in touch with your local RSM office.

Authors

Darren Booth
National Head of Cyber Security and Privacy Risk Services