The Cyber and Infrastructure Security Centre (CISC) assists critical infrastructure owners and operators to manage risks and protect the Australians that rely on the essential services they provide.
Critical infrastructure providers also have important reporting and compliance obligations to the CISC. All critical infrastructure assets must meet their legal obligations under the amended Security of Critical Infrastructure Act 2018 (SOCI Act).
This article explores the types of asset classes which these obligations apply to, and the key reporting and compliance considerations, as outlined by the CISC.
Register of Critical Infrastructure Assets obligations
The Register of Critical Infrastructure Assets is managed by the CISC. The Register enables the government to identify who owns and controls critical infrastructure assets, board structures, ownership rights of interest holders, and operational, outsourcing, and offshoring information.
Asset registration is required of the following critical asset classes:
- Broadcasting.
- Domain name system.
- Data storage or processing.
- A critical financial market infrastructure asset that is a payment system.
- Food and grocery.
- Hospital.
- Freight infrastructure.
- Freight services.
- Public transport.
- Liquid fuel.
- Energy market operator.
- Electricity.
- Gas.
Assets obligations are covered under Part 2 of the SOCI Act. Mandatory compliance commenced on 8 April 2022. There is a grace period of six months for critical infrastructure assets who do not already report to the Register, to comply with this obligation.
All the above critical asset classes, together with additional asset classes such as banking, superannuation, and insurance, must also report certain types of cyber security incidents.
Reporting
There are two types of reporting entities which are required to provide information to the Register of Critical Infrastructure Assets:
- Direct Interest Holder – an entity that holds a direct or joint interest of at least 10 percent in a critical infrastructure asset, or who holds an interest and is in a position to directly or indirectly influence or control the asset.
- Responsible Entity – the body licensed to operate the critical infrastructure asset.
A form will need to be completed to make a report. The relevant form to complete will depend on whether you are the Direct Interest Holder or the Responsible Entity, and whether you are registering an asset for the first time or are advising of changes to an existing registration
Reporting entity | Registration scenario | Form to complete |
Responsible Entity | You are registering your asset for the first time | Registration form for the Responsible Entity of a Critical Infrastructure Asset |
Responsible Entity | A notifiable event has occurred, and you are advising of changes to an existing registration | Responsible Entity: Notification of change to an existing registration on the Register of Critical Infrastructure Assets form |
Direct Interest Holder | You are registering your asset for the first time | New registration of a Critical Infrastructure Asset form |
Direct Interest Holder | A notifiable event has occurred, and you are advising of changes to an existing registration | Direct Interest Holder: Notification of change to an existing registration on the Register of Critical Infrastructure Assets form |
A “notifiable event” occurs when information relating to the original registration is invalid, incorrect, or outdated. Reporting entities are obligated to report any notifiable changes to the required information within 30 days of the event. Any delays in submitting your online registration could result in penalties.
It is worth noting that above forms may change with the introduction of new legislation, so for up-to-date information, check the “reporting” section of the CISC website. Important information to note when registering is also provided.
Compliance
The CISC monitors industry compliance with the Register of Critical Infrastructure Assets.
Owners and operators of critical infrastructure assets must report and provide accurate and up to date information to the Register. Failure to do so can attract a civil penalty.
Key takeaways
Critical infrastructure providers have important reporting and compliance obligations to the Cyber and Infrastructure Security Centre (CISC). Failure to comply may attract a civil penalty.