Since the Government's introduction of the Security of Critical Infrastructure Act 2018 (SOCI Act), there has been an ongoing focus and commitment from the Government on protecting Australia's critical infrastructure. In particular, in recent years, there has been an increased focus on protecting telecommunications infrastructure given the sensitivity of information carried across telco networks and their criticality to the economy.
Consistent with the Government's approach of avoiding duplication with existing regulatory frameworks, the SOCI obligations have been 'turned on' for the telecommunications sector via existing sector-specific mechanisms, rather than under the SOCI Act itself. Specifically, the obligations have been implemented via the Telecommunications (Carrier Licence Conditions – Security Information) Declaration and the Telecommunications (Carriage Service Provider – Security Information) Determination 2022 (collectively, the Instruments).
On 5 July 2022, Michelle Rowland, the Minister of Communication, published the new carrier licence condition and CSP determination pursuant to powers under the Telecommunications Act 1997 (Telecommunications Act), creating new positive security obligations on carriers and eligible CSPs to:
- provide the Secretary of the Department of Home Affairs with certain information in relation to their telecommunications assets so it can be included in a register (Asset Register Obligations); and
- notify the ACSC if the carrier or CSP has been the subject of a critical or other cyber security incident in respect of a critical telecommunications asset (Incident Reporting Obligations).
A failure to comply with these new obligations could attract penalties under the Telecommunications Act (i.e. as a failure to comply with a licence condition) of up to A$10 million for each contravention by a body corporate. By contrast, although there are also penalties under the SOCI Act for failing to comply with the equivalent requirements, breaches of the SOCI Act carry a maximum of 50 penalty units (the current value of a penalty unit is $222).
Who needs to comply?
The Incident Reporting and Asset Register Obligations have been 'turned on' for all holders of a carrier licence granted under the Telecommunications Act as well as for all eligible CSPs.
Eligible CSPs must be members of the Telecommunications Industry Ombudsman Scheme and are defined in the Telecommunications Act as CSPs which supply:
a) standard telephone services, where any of the customers are residential customers or small business customers;
b) a public mobile telecommunications service;
c) a carriage service that enables end users to access the internet; or
d) which are a carriage service intermediary that arranges for the supply of one of these services.
Incident reporting obligations
Effective from 7 July 2022, carriers and eligible CSPs must notify the ACSC of:
- a 'critical' cyber security incident no later than 12 hours after the carrier or eligible CSP becomes aware of the incident. Critical incidents are incidents that have a significant impact on the availability of any of their assets; and
- 'other' cyber security incidents no later than 72 hours after the carrier or eligible CSP becomes aware of the incident. Other incidents are incidents that have a relevant impact on the availability, integrity, reliability and confidentiality of an asset.
Both Instruments define an 'asset' (for both a carrier and an eligible CSP) as a tangible asset (excluding customer premises equipment) that is owned or operated by a carrier and used to supply a carriage service. Without limiting this broad definition, an asset includes the following to the extent it is used for the supply of a carriage service:
a) a component of a telecommunications network;
b) a telecommunications network;
c) a facility;
d) computers;
e) computer devices;
f) computer programs; or
g) computer data.
The Incident Reporting Obligations mirror the incident reporting obligations under the SOCI Act. However, unlike the transition period that applied to organisations subject to the equivalent requirements under the SOCI Act, carriers and CSPs are not being granted any grace period to prepare for the introduction of these new requirements. Instead, these obligations commenced at the same time as the SOCI Act equivalent obligations. For this reason, to the extent that carriers and CSPs have not already been anticipating and preparing for these changes, it is critical they take steps now to ensure they meet the new obligations.
Asset reporting obligations
In addition to the enhanced security obligations, effective from 7 October 2022, carriers and eligible CSPs will have an ongoing obligation to provide the Secretary of Home Affairs (Secretary) with operational information in writing regarding each asset of the carrier.
Where an entity other than a carrier or eligible CSP holds a direct interest of at least 10% or a controlling stake in an asset, information about that interest and control in the asset must also be reported to the Secretary. Circumstances that may require an update to the Secretary include changes to the operational information, such as the location or description of a telecommunications asset, or any changes made to sensitive information in the maintained data.
The timing for the introduction of these new asset reporting obligations reflects the transition period under the SOCI Act, although the telecommunications industry is afforded only a three-month transition period (as opposed to the six-month period granted under the SOCI Rules).
Next steps
We recommend that affected organisations in the telecommunications industry act promptly to implement measures to address these new requirements.
Key areas of focus, or questions organisations should address, include:
a) identifying impacted assets and, if required, asset reporting information;
b) establishing or updating processes, procedures and policies to comply with the new obligations;
c) conducting training for all relevant staff and the Board, and testing their plans by conducting tabletop simulation exercises;
d) reviewing accountability and responsibility of data ownership and incident response in third-party provided services and software-as-a-service (SaaS) arrangements; and
e) reviewing and updating agreements to ensure these obligations are appropriately passed through to other entities in the supply chain.
Given the immediate effect of the Incident Reporting Obligations, and the short transition period for the Asset Register Obligations, affected organisations should not delay in taking action to implement their compliance arrangements.