Mandatory cyber security incident reporting now in force
New legislation now makes reporting of information security events mandatory for several industry sectors.
Under the Security of Critical Infrastructure 2018 Act, included industries must report cyber security incidents with ‘significant’ impact within 12 hours of discovery.
The nominated industry sectors include telecommunications, internet service providers, fuel companies, data storage and processing organisations, freight forwarders, banking, insurance and finance, along with food and groceries.
According to the government, reports to ACSC must be accompanied by written notifications within 84 hours.
Significant impact is defined as an infrastructure incident that has materially disrupted the availability of essential goods and services.
Incidents that affect the integrity, reliability or confidentiality of assets covered by the Act, or the systems they use, are deemed to have ‘relevant’ impact, and must be reported to the ACSC within 72 hours.
Organisations have a three-month grace period from 8 April, meaning that while mandatory reporting is now law, it won’t begin in practice until July.
If you need help defining the severity of cyber security incidents, or wish to bolster your cyber security position, contact us below for a free GAP assessment.