The Australian Security of Critical Infrastructure Act 2018 (Cth) makes company directors personally accountable for a cyber breach

With the rapid rise of data breaches in the public and private sectors in Australia and around the world, we can expect a sharp increase in government action. The most recent signal is the announcement of a $9.9B cyber budget over the next decade for the Australian Signals Directorate under the Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers (REDSPICE) package.

In late 2021, the Australian Security of Critical Infrastructure Act 2018 was amended to set out how and when an organisation must respond to a cyber security incident affecting a critical infrastructure asset, and what consequences follow if it does not. The legislation is geared towards stemming the rise in data breaches and encouraging company directors to take their organisation's cyber resilience more seriously.

Here’s what you need to know.

What is the Bill?

The Security Legislation Amendment (Critical Infrastructure) Act 2021 received Royal Assent on 2 December 2021. It did not create a new Act; it amended the existing Security of Critical Infrastructure Act 2018.

What does it say?

The amendment changes and expands the definition of "critical infrastructure sector." The old Act's narrow definition covered only select assets in the gas, electricity, water and maritime ports sectors; the amended Act expands the term to 11 sectors designated as essential.

The definition of "critical infrastructure asset" now spans 22 asset classes, a far more diverse range than before. Why the expansion? It brings many more entities within the mandatory reporting obligations and other requirements, broadening the set of organisations that face consequences for failing to protect those assets.

Mandatory Notification of Cyber Incidents

One crucial aspect of the new legislation is a set of very specific requirements on when and how a cyber security incident must be reported, should one occur. The aim is to give government timely visibility of threats to critical infrastructure, and to push company directors to invest in more proactive cyber protection.

The responsible entity for an asset must now report a "critical cyber security incident" to the Australian Cyber Security Centre (ACSC) within 12 hours of becoming aware of it. An incident is critical if it has had, or is having, a significant impact on the availability of the asset. Any other cyber security incident that has a "relevant impact" on the asset (on its availability, integrity, reliability or confidentiality) must still be reported within 72 hours of the entity becoming aware of it.

The takeaway? The government is setting a defined protocol that company directors must familiarise themselves with, in response to the growing scale of cyber threats.

Consequences and Penalties

Under the amended legislation, many more companies and business leaders are responsible for "critical infrastructure assets" and take on the duty of keeping them protected against cyber threats.

Not only must more organisations assume this responsibility, but they also assume the consequences. Under the legislation, a reporting entity that fails to meet its reporting obligation faces a civil penalty of 50 penalty units (AU $11,100 at the time of writing) per day of contravention, or 250 penalty units (AU $55,500) where the entity is a body corporate.

Company directors are now far more directly answerable for the data and sensitive assets behind their products and services. It is more important than ever for directors to take a proactive approach to growing cyber threats rather than reacting after a breach.

How to Proactively Prevent Data Breaches

Over 80% of data breaches involve a "human error" component. Fortunately, company directors can reduce this risk significantly by driving behaviour change and building a "cyber aware" workforce. I've outlined a step-by-step guide to driving these changes and preventing cyber attacks in this month's ebook, available free from PhishNet.

About PhishNet

PhishNet delivers highly effective, engaging, and affordable cybersecurity awareness training to help businesses mitigate the risks of human error data breaches.

Talk to PhishNet today to learn more or check out our free Risk Assessment as you gather a baseline of your organisation’s cyber resilience.
