Cyber security
Critical infrastructure reporting under SOCI, APRA CPS 234 information security, ASD Essential Eight, Right Fit For Risk for federal subcontractors, and the broader cyber compliance stack.
11
Obligations
3
Regulators
6
Recent enforcement
Regulators
Obligations (11)
- criticalCWLTHcurrentReport cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
- criticalCWLTHcurrentAdopt Essential Eight Maturity Level 2 (federal subcontractors)
Federal government contractors handling OFFICIAL: Sensitive must meet Right Fit For Risk (RFFR) including E8 ML2.
- criticalCWLTHcurrentComply with Serious Incident Response Scheme (aged care)
Residential and home-care providers must notify Aged Care Quality and Safety Commission of priority 1 incidents within 24 hours.
- criticalCWLTHcurrentComply with SOCI Positive Security Obligation (PSO) per sector
Sector-specific cyber + risk obligations under SOCI Part 2.
- criticalCWLTHcurrentComply with APRA CPS 220 (Risk Management)
APRA-regulated entities must have a comprehensive risk management framework.
- criticalCWLTHcurrentComply with APRA CPS 234 (Information Security)
APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
- criticalCWLTHcurrentReport serious NDIS incidents to the NDIS Commission
Death, serious injury, abuse, neglect, unauthorised restrictive practices, and sexual misconduct must be notified.
- highCWLTHcurrentAdopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)
Covered critical infrastructure entities must adopt a CIRMP addressing cyber, physical, personnel, and supply-chain hazards.
- highCWLTHcurrentISO/IEC 27001 ISMS certification — increasingly customer-mandated
Information Security Management System per ISO 27001 increasingly required by customers + government.
- highCWLTHcurrentRegister as a responsible entity / direct interest holder under SOCI
Captured critical-infrastructure assets must be registered with Home Affairs.
- highCWLTHcurrentGovernment cyber incident reporting via ASD ACSC
Federal entities + critical infrastructure report cyber incidents to ASD ACSC.
Recent enforcement
- home-affairs-socienforcement focus2025SOCI CIRMP audit findings — first compliance phase 2025
First major SOCI CIRMP attestation cycle by 28 September 2024; Home Affairs audited + identified gaps in 2024-2025.
- home-affairs-socidirection2024Home Affairs SOCI directions 2024
Multiple SOCI Part 3A directions issued to responsible entities for critical infrastructure assets following cyber incidents + risk assessments.
- home-affairs-socidirection2024Home Affairs SOCI mandatory cyber direction (illustrative)
Following a significant cyber incident, the Minister exercised SOCI Part 3A direction powers to require a responsible entity to comply with specific mitigation actions.
- asicreview decision2023FIRB review — Port of Darwin (Landbridge)
FIRB national security review of the 99-year Port of Darwin lease held by Landbridge Group (China). Government concluded no divestment required.
- apracapital directive2023APRA increase in Medibank capital requirements (CPS 234)
APRA imposed an additional $250 million capital adjustment on Medibank following the 2022 cyber incident.
- asiccivil penalty$750K2022ASIC v RI Advice (cyber security)
RI Advice failed to have adequate cyber security risk management systems across its authorised representative network despite multiple incidents.