Regulated entities under Part 2b of the Security of Critical Infrastructure Act 2018, aviation industry participants under Part 6 of the Aviation Transport Security Act 2004, maritime and offshore industry participants under Part 9 of the Maritime Transport and Offshore Facilities Security Act 2003, and carriers or certain carriage service providers under the Telecommunications Act 1997 covered by the Telecommunications Security Information instruments*, may be subject to mandatory cyber incident reporting requirements. These include:
Reporting critical cyber security incidents
If you become aware that a critical cyber security incident has occurred, or is occurring, AND the incident has had, or is having, a significant impact on the availability of your asset, you must notify the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) within 12 hours after you become aware of the incident.
A significant impact is one where both of the following apply: the critical infrastructure, aviation, maritime or offshore asset is used in connection with the provision of essential goods and services; and the incident has materially disrupted the availability of those essential goods or services.
If you make the report verbally you must make a written record using the form below within 84 hours of verbally notifying ASD's ACSC.
Reporting other cyber security incidents
If you become aware that a cyber security incident has occurred, or is occurring, AND the incident has had, is having, or is likely to have, a relevant impact on your asset, you must notify the ASD's ACSC within 72 hours after you become aware of the incident.
A relevant impact is an impact on the integrity, reliability or confidentiality of your asset or systems.
If you make the report verbally you must make a written record using the form below within 48 hours of verbally notifying ASD's ACSC.
You can also notify the ASD’s ACSC about other cyber security incidents that do not meet the threshold for a significant or relevant impact. You can then receive assistance and advice as needed. Any information that ASD shares will be covered by Limited Use protections.
More information on reporting under the Security of Critical Infrastructure Act 2018 (SOCI Act), the Aviation Transport Security Act 2004, and the Maritime Transport and Offshore Facilities Security Act 2003 can be found on the Critical Infrastructure Security Centre website.
More information on reporting for Telecommunications providers can be found on the Department of Infrastructure, Transport, Regional Development, Communications and the Arts website.
*Part 2 of the Telecommunications (Carriage Service Provider—Security Information) Determination 2022, or the Telecommunications (Carrier Licence Conditions—Security Information) Declaration 2022.
- Communications
  - a critical telecommunications asset (carriers and eligible carriage service providers)
  - a critical broadcasting asset
  - a critical domain name system
- Data storage or processing
- Defence industry
  - a critical defence industry asset
- Energy
  - a critical electricity asset
  - a critical gas asset
  - a critical energy market operator asset
  - a critical liquid fuel asset
- Financial services and markets
  - a critical banking asset
  - a critical superannuation asset
  - a critical insurance asset
  - a critical financial market infrastructure asset
- Food and grocery
  - a critical food and grocery asset
- Health care and medical
  - a critical hospital
- Higher education and research
  - a critical education asset
- Space technology
- Transport
  - a critical port
  - a critical freight infrastructure asset
  - a critical freight services asset
  - a critical public transport asset
  - a critical aviation asset
- Water and sewerage
  - a critical water asset
Notifiable data breaches. A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. If there is malicious cyber activity related to a data breach which you wish to report, please complete and submit the form below.
ATTENTION!
Fraud and Cybercrime: If you are reporting fraud or cybercrime, please refer to ReportCyber.
Please do not complete this form on any network you believe has been compromised.
Use a separate system and contact details to complete and submit this form.