Report cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
Who must comply
Responsible entities for the 11 critical infrastructure sectors covered by SOCI.
What triggers it
A cyber security incident with significant impact (12h) or other reportable impact (72h).
When due
12 hours (significant) / 72 hours (other) of becoming aware.
Evidence required
Incident report to ASD, internal IR playbook records, log evidence.
Max penalty
Civil penalties up to ~$2.2M for non-reporting plus mandatory direction risks
Summary
Under the Security of Critical Infrastructure Act 2018, responsible entities for critical infrastructure assets must report cyber security incidents that have a 'significant impact' on the availability of the asset within 12 hours; other reportable cyber incidents within 72 hours. Reports go to ASD's ACSC.
Enforced by
Source legislation
Industries
Topics
Source: https://cisc.gov.au/legislation-regulation-and-compliance/critical-infrastructure-risk-management-program. Rules Mate is not a law firm. Always verify against the live regulator source before acting.