New legislation and increasing regulatory activity will see Australian businesses struggling to cope with the level of cyber regulation, according to insights from Clyde & Co.
2022 will see cyber regulation in Australia becoming increasingly onerous with a number of important developments taking place. Most significant will be the impact of the Security Legislation Amendment (Critical Infrastructure) Bill 2021, which received assent on December 2, 2021.
Known as the SOCI Bill, this piece of legislation—the first of two planned bills to amend the Security of Critical Infrastructure Act 2018—means that asset owners and operators covered by the substantially broadened definition of ‘critical infrastructure’ must be prepared to identify a relevant cyber incident and report it to the Australian Signals Directorate within 12–72 hours, depending on the severity of the incident. They must also comply with government directions to disclose information or undertake an action during and after a cyber incident. The Australian Signals Directorate may also intervene directly.
Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC), is also pushing for enhanced enforcement powers to increase regulatory compliance. From our frequent interactions with the OAIC, the regulator is paying close attention to, among others, organisations failing to report a breach expeditiously, those conducting insufficient investigations into ransomware incidents, and those failing to notify affected individuals of an incident correctly.
The impact of the SOCI Bill and vastly increased regulatory activity is that Australia is now an onerous—and increasingly onerous—jurisdiction in regard to cyber-regulated activity. And it’s not a question of dealing with one regulator: increasingly we are seeing our clients having to deal with multiple regulators and law enforcement agencies, each of which takes a different lens on a cyber incident—be it the handling of sensitive health data, a breach of corporations law, or a failure to meet prudential standards around information security.