The Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 set out the commencement dates for the new reporting obligations for operators of critical financial market infrastructure assets and critical banking assets under the Security of Critical Infrastructure Act 2018. Background.

Critical infrastructure is broadly defined as physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.

The cyber security incident notification obligations and the asset register reporting requirements have been activated as follows:

• mandatory reporting of cyber security incidents affecting critical banking assets commences on 8 July 2022; and
• asset register reporting requirements for critical financial market infrastructure assets that are payment systems commence on 8 October 2022.

The rules apply to the financial services and markets sector which means the sector of the Australian economy that involves:
(a) carrying on banking business; or
(b) operating a superannuation fund; or
(c) carrying on insurance business; or
(d) carrying on life insurance business; or
(e) carrying on health insurance business; or
(f) operating a financial market; or
(g) operating a clearing and settlement facility;
(h) operating a derivative trade repository; or
(i) administering a financial benchmark; or
(j) operating a payment system; or
(k) carrying on financial services business; or
(l) carrying on credit facility business.

Critical banking assets

Responsible entities of critical banking assets will be required to prepare reports about:

• critical cyber security incidents (i.e., a cyber security incident which has a significant impact on the availability of an asset) within 12 hours of becoming aware of the incident; and
• other cyber security incidents (i.e., a cyber security incident which has a relevant impact on an asset) within 72 hours of becoming aware of the incident.

Critical financial market infrastructure assets that are payment systems

Responsible entities and direct interest holders of critical infrastructure assets will be required to give the following information to the Register:

• with respect to responsible entities – operational information about the critical infrastructure asset; and
• with respect to direct interest holders – interest and control information about the direct interest holder and the critical infrastructure asset.

Responsible entities for critical infrastructure assets must adopt, and maintain, a written critical infrastructure risk management program unless an exemption applies to the entity.

The Government may also require the responsible entity for a system of national significance (SoNS) to undertake:

• statutory incident response planning obligations;
• undertaking cyber security exercises;
• undertaking vulnerability assessments; and
• providing access to system information.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.