Incident reporting and asset register obligations now in effect under SOCI

3 minute read  11.04.2022 Susan Kantor, Paul Kallenbach

On 6 April 2022, the Minister for Home Affairs enacted the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth) (Rules), which 'turn on' the incident reporting and asset register obligations for some sectors and assets under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).

 


Key takeouts


  • The critical assets that will be subject to the Rules are the same as those proposed by the draft version of the Rules released in December 2021.
  • The Rules provide for only a three-month transition period for the incident reporting obligations under the SOCI Act, and six months for the asset register obligations under the Act.
  • Organisations should be taking steps now to implement systems, policies, processes and procedures for compliance with these new obligations under the SOCI Act.

As reported in our previous post, the incident reporting and asset register obligations under the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SOCI Act) are only enlivened for certain critical infrastructure assets if they are 'turned on' via Ministerial Rules (Rules). The Rules were enacted by the Minister on 6 April 2022. They ‘turn on’ the incident reporting obligations for assets across most of the sectors that are regulated under the SOCI Act, as well as the asset reporting obligations for a smaller group of assets across the regulated sectors.

Organisations will need to consider whether they own or operate assets impacted by the Rules and ensure they implement measures now, so they are in a position to comply with the new obligations under the SOCI Act by the end of the applicable transition periods.

Incident reporting obligations

The incident reporting obligations will commence for impacted incident reporting entities in three months.

Our previous post provides more detail about the incident reporting obligations. In summary, impacted entities are now required to make the following reports to the Australian Cyber Security Centre:

  • critical incidents: incidents that are having a significant impact on the availability of a critical asset – within 12 hours of becoming aware of the incident; and
  • other incidents: incidents that are having a relevant impact on a critical asset – within 72 hours of becoming aware of the incident.

The incident reporting obligations have been ‘turned on’ under the Rules for the following critical infrastructure assets:

  • critical broadcasting assets;
  • critical domain name systems;
  • critical data storage or processing assets;
  • critical banking assets;
  • critical superannuation assets;
  • critical insurance assets;
  • critical financial market infrastructure assets;
  • critical food and grocery assets;
  • critical hospitals;
  • critical education assets;
  • critical freight infrastructure assets;
  • critical freight services assets;
  • critical public transport assets;
  • critical liquid fuel assets;
  • critical energy market operator assets;
  • a critical aviation asset that is:
    • a designated airport;
    • an asset used to perform an Australian prescribed air service operating screened air services that depart from a designated airport;
    • a cargo terminal that is owned or operated by a regulated air cargo agent and that is also a cargo terminal operator, and that is located at a designated airport;
  • critical ports;
  • critical electricity assets;
  • critical gas assets; and
  • critical water assets.

However, the Rules specifically exclude the following assets from the incident reporting obligations:

  • four Queensland sugar mills – Invicta, Pioneer, Racecourse and South Johnstone;
  • assets that are classified as critical aviation assets on or after the commencement of Part 1 of Schedule 3 of the Transport Security Amendment (Critical Infrastructure) Act 2022 (Cth); and
  • assets that are classified as critical maritime assets on or after the commencement of Part 2 of Schedule 3 of the Transport Security Amendment (Critical Infrastructure) Act 2022 (Cth).

Asset reporting obligations

The asset reporting obligations will commence for impacted asset reporting entities in six months. Asset reporting entities are:

  • direct interest holders who hold a direct or joint interest of at least 10% in a critical infrastructure asset, or who hold an interest and are in a position to directly or indirectly influence or control the asset; and
  • responsible entities, being the entity licensed to operate a critical infrastructure asset.

These obligations have been ‘turned on’ for the following critical infrastructure assets:

  • critical broadcasting assets;
  • critical domain name systems;
  • critical data storage or processing assets;
  • a critical financial market infrastructure asset that is a payment system;
  • critical food and grocery assets;
  • critical hospitals;
  • critical freight infrastructure assets;
  • critical freight services assets;
  • critical public transport assets;
  • critical liquid fuel assets;
  • critical energy market operator assets;
  • a critical electricity asset that was not a critical infrastructure asset immediately before the commencement of section 18A of the Act (in December 2021); and
  • a critical gas asset that was not a critical infrastructure asset immediately before the commencement of section 18A of the Act (in December 2021).

The four sugar mills referred to above have also been specifically excluded from these obligations.

Next steps

There is a range of activities that organisations should undertake to implement measures for compliance with these new obligations, including:

  • identifying impacted assets and, if required, asset reporting information;
  • updating their incident response plans and other systems, policies, processes and procedures;
  • conducting training for relevant staff and the Board, and testing their plans by conducting tabletop simulation exercises; and
  • reviewing and updating supply agreements to ensure these obligations are appropriately passed through to entities within the supply chain.

Given the short transition periods under the Rules, affected organisations should not delay in taking action to achieve compliance.

MinterEllison provides full service legal, technology consultancy and risk consultancy services, with extensive experience in cyber security, privacy, data protection and risk governance practices.

We can assist you in understanding and implementing your obligations under the new security of critical infrastructure laws.
