Report cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
Who must comply
Responsible entities for the 11 critical infrastructure sectors covered by SOCI.
What triggers it
A cyber security incident with significant impact (12h) or other reportable impact (72h).
When due
12 hours (significant) / 72 hours (other) of becoming aware.
Evidence required
Incident report to ASD, internal IR playbook records, log evidence.
Max penalty
Civil penalties up to $82,500 (250 penalty units, body corporate) per contravention, plus mandatory direction risks
Summary
Under the Security of Critical Infrastructure Act 2018, responsible entities for critical infrastructure assets must report cyber security incidents that have a 'significant impact' on the availability of the asset within 12 hours; other reportable cyber incidents within 72 hours. Reports go to ASD's ACSC.
Enforced by
Source legislation
Industries
Topics
Related obligations
- CWLTHGovernment cyber incident reporting via ASD ACSCFederal entities + critical infrastructure report cyber incidents to ASD ACSC.
- CWLTHComply with SOCI Positive Security Obligation (PSO) per sectorSector-specific cyber + risk obligations under SOCI Part 2.
- CWLTHAdopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)Covered critical infrastructure entities must adopt a CIRMP addressing cyber, physical, personnel, and supply-chain hazards.
- CWLTHComply with APRA CPS 234 (Information Security)APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
- CWLTHReport serious NDIS incidents to the NDIS CommissionDeath, serious injury, abuse, neglect, unauthorised restrictive practices, and sexual misconduct must be notified.
- CWLTHAdopt Essential Eight Maturity Level 2 (federal subcontractors)Federal government contractors handling OFFICIAL: Sensitive must meet Right Fit For Risk (RFFR) including E8 ML2.
Frequently asked questions
- Who must comply with cyber security incidents to ASD (SOCI)?
- Responsible entities for the 11 critical infrastructure sectors covered by SOCI.
- What triggers cyber security incidents to ASD (SOCI)?
- A cyber security incident with significant impact (12h) or other reportable impact (72h).
- When is cyber security incidents to ASD (SOCI) due?
- 12 hours (significant) / 72 hours (other) of becoming aware.
- What is the maximum penalty for cyber security incidents to ASD (SOCI)?
- Civil penalties up to $82,500 (250 penalty units, body corporate) per contravention, plus mandatory direction risks
- What evidence is required for cyber security incidents to ASD (SOCI)?
- Incident report to ASD, internal IR playbook records, log evidence.
Source: https://cisc.gov.au/legislation-regulation-and-compliance/critical-infrastructure-risk-management-program. Rules Mate is not a law firm. Always verify against the live regulator source before acting.