Small businesses could be caught out and face fines if they suffer a cyber attack on critical infrastructure and fail to alert the Australian Cyber Security Centre, said one specialist.
RSM Australia national head of cyber security and privacy risk services, Darren Booth, said that expanded rules, effective from 8 July, took in many businesses that would be unaware of their obligations.
“I think there’s been engagement with the big industries and players impacted by the legislative changes, but I’m concerned about the SMEs, particularly businesses in supply chains such as ‘farm to plate’ and freight services,” said Mr Booth.
“When I’ve raised the new regulatory obligations with businesses that I’m dealing with, many have been unaware of the changes and have had to seek legal advice to determine if they’re captured in the expanded net of critical infrastructure assets.
“The complexity of the changes, the current IT skills shortage, and the commencement of the new cyber incident reporting requirements just after the end of the financial year – the busiest time for business – may have also relegated the impending changes to the ‘too hard basket’ for some entities.”
Sectors defined as critical infrastructure – originally electricity, gas, water and ports – have been expanded to include:
- Data storage or processing
- Financial services
- Healthcare and medical
- Higher education and research
- Food and grocery
- Space technology
- The defence industry
Businesses within these sectors have to alert the Australian Cyber Security Centre within 12 hours of becoming aware of an incident that has a significant impact on the availability of the asset; all other cyber incidents must be reported within 72 hours.
Mr Booth said that well-regulated sectors such as energy, utilities and financial services should already have well-developed security and reporting procedures in place but smaller businesses in new sectors may not.
“Less regulated sectors that may have strong physical security measures for their assets, but weaker cyber security, could have significant work to do to bolster their mitigation, response, reporting and recovery approaches to a potential attack,” said Mr Booth.
The Australian Cyber Security Centre would likely take an education-first approach to non-compliance in the early days of the new requirements, said Mr Booth.
However, he said businesses found in breach of the new reporting rules would face fines at some point.
“Warning bells will start ringing for private companies when there’s been a serious attack on a piece of critical infrastructure and the Australian government enforces its ‘walk-in’ rights to manage the situation,” said Mr Booth.
The focus on cyber security would only grow, with further cyber-security risk management requirements likely towards the end of the year.
The focus on making businesses responsible for protecting themselves against cyber attacks was highlighted by a recent Federal Court order that RI Advice engage a cyber-security expert after an attack that compromised the sensitive data of several thousand clients.
In the wake of that decision, ASIC deputy chair Sarah Court said it was imperative for businesses to have adequate cyber security in place.
“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment,” said Ms Court.