Aussie firms face fines for failing to report cyber incidents


Many Australian organisations must now report critical cyber incidents within 12 hours of becoming aware of them, following amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) coming into effect, according to Cyber Security Connect.

The amendments took effect on July 8 under the newly introduced Critical Infrastructure Bill; the new requirements apply to cyber incidents that impact any “critical infrastructure assets”.


Previously, the SOCI Act categorised “critical asset classes” across four different sectors such as gas, electricity, water and ports. Now, the legislation has expanded to 11 new sectors, which include asset classes that fall under data storage or processing, education, food and grocery, financial services and transport. In total, the new amendment has identified 22 critical asset classes.

According to ACSC data, cyber attacks have been reported at an average of once every eight minutes. About 25 per cent of a collective 67,500 reports were linked to Australia’s critical infrastructure and essential services during the financial year 2020–2021.

Based on the Department of Home Affairs’ Critical Infrastructure Resilience Strategy, the amendments to the SOCI Act aim to support and enable “Australia’s critical infrastructure assets to continue to operate in an all-hazards environment”.

The Australian government has made national cyber security a top priority after its $9.9 billion commitment towards cyber security and the growing trend in cyber crime and cyber warfare.


For small businesses that are less equipped than big companies to properly identify and secure assets, the new SOCI Act amendments could have a serious impact. Businesses are facing fines starting from $11,100 for failure to notify the Australian Cyber Security Centre (ACSC) within 12 hours of becoming aware that they have been hit by a cyber incident such as ransomware or unauthorised access to an asset.

While the legal changes can appear problematic for many small-business owners nationwide, the SOCI Act amendments are primarily centred on awareness of an incident, according to the Department of Home Affairs reporting manual.
