Cyber Security Incident Reporting – are you Aware of Your Obligations?

On 7 July 2022, the security instruments, Telecommunications (Carrier License Conditions – Security Information) Declaration 2022 and the Telecommunications (Carriage Service Provider – Security Information) Determination 2022 (‘Telco Security Instruments’) came into force, activating new rules for carriers and carriage service providers. 

In response to growing risks to the security and resilience of Australia’s critical infrastructure, the Security of Critical Infrastructure Act 2018 (SOCI Act) was amended in Dec 2021, introducing new obligations for a number of sectors, including the telecommunications sector.  

In order to avoid regulatory duplication, some of the obligations will be introduced under the Telecommunications Act 1997 for the telecommunications sector, including mandatory reporting of cyber security incidents and lodging an asset register. The mandatory reporting obligations commenced 7 July 2022, and the asset register obligation will commence from 7 October. 

We’ve prepared a whitepaper: Understanding Critical Infrastructure Obligations – Part One, IAA guidance to members on the: Telecommunications Sector Security Instruments – Cyber Security Incident Reporting, that seeks to guide members in understanding and complying with the cyber security incident reporting obligations under which significant and relevant cyber security incidents now must to be reported to the ACSC. We’ve also prepared a blog post providing commentary on the lack of meaningful engagement with industry in preparing us for the new regulations.