accountants daily logo

Website Notifications

Get notifications in real-time for staying up to date with content that matters to you.

SMEs face fines for failing to report cyber attacks 


An expanded definition of critical infrastructure sectors may catch small businesses out, says RSM Australia

By Josh Needs4 minute read

Small businesses could be caught out and face fines if they suffer a cyber attack on critical infrastructure and fail to alert the Australian Cyber Security Centre, said one specialist. 


RSM Australia national head of cyber security and privacy risk services, Darren Booth, said that expanded rules, effective from 8 July, took in many businesses that would be unaware of their obligations.

“I think there’s been engagement with the big industries and players impacted by the legislative changes, but I’m concerned about the SMEs, particularly businesses in supply chains such as ‘farm to plate’ and freight services,” said Mr Booth.

“When I’ve raised the new regulatory obligations with businesses that I’m dealing with, many have been unaware of the changes and have had to seek legal advice to determine if they’re captured in the expanded net of critical infrastructure assets.

“The complexity of the changes, the current IT skills shortage, and the commencement of the new cyber incident reporting requirements just after the end of the financial year – the busiest time for business – may have also relegated the impending changes to the ‘too hard basket’ for some entities.”

Sectors defined as critical infrastructure originally electricity, gas, water and ports have been expanded to include:

  •         Communications
  •         Data storage or processing
  •         Financial services
  •         Healthcare and medical
  •         Higher education and research
  •         Food and grocery
  •         Transport
  •         Space technology
  •         The defence industry

Businesses within these sectors have to alert the Australian Cyber Security Centre within 12 hours of the attack if it significantly impacts its availability and all other incidents must be reported within 72 hours.

Mr Booth said that well-regulated sectors such as energy, utilities and financial services should already have well-developed security and reporting procedures in place but smaller businesses in new sectors may not. 

“Less regulated sectors that may have strong physical security measures for their assets, but weaker cyber security, could have significant work to do to bolster their mitigation, response, reporting and recovery approaches to a potential attack,” said Mr Booth. 

The Australian Cyber Security Centre would likely take an education-first approach to non-compliance in the early days of the new requirements, said Mr Booth. 

However, he said businesses found in breach of the new reporting rules would face fines at some point. 

“Warning bells will start ringing for private companies when there’s been a serious attack on a piece of critical infrastructure and the Australian government enforces its ‘walk-in’ rights to manage the situation,” said Mr Booth.

The focus on cyber security would only grow with more cyber-security risk management requirements likely towards the end of the year. 

The focus on making businesses responsible for protecting themselves against cyber attacks was highlighted by a recent Federal Court order that RI Advice engage a cyber-security expert after an attack that compromised the sensitive data of several thousand clients. 

In the wake of that decision, ASIC deputy chair Sarah Court said it was imperative for businesses to have adequate cyber security in place. 

ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment,” said Ms Court.

SMEs face fines for failing to report cyber attacks 
image intro
accountantsdaily logo
Josh Needs

Josh Needs


Josh Needs is a journalist at Accountants Daily and SMSF Adviser, which are the leading sources of news, strategy, and educational content for professionals in the accounting and SMSF sectors.

Josh studied journalism at the University of NSW and previously wrote news, feature articles and video reviews for Unsealed 4x4, a specialist offroad motoring website. Since joining the Momentum Media Team in 2022, Josh has written for Accountants Daily and SMSF Adviser.

You can email Josh on: This email address is being protected from spambots. You need JavaScript enabled to view it.

accountants daily logo Newsletter

Receive breaking news directly to your inbox each day.