Australia | Publication | July 2022
On 7 July, the Minister for Communications, Michelle Rowland, published cybersecurity reporting obligations that apply to carriers and certain carriage service providers (CSPs).1 The rules create positive security obligations, including mandatory reporting of cybersecurity incidents within 12 to 72 hours, depending on the severity of the incident. The rules underpin the Government's commitment to protect access to essential services by improving the security and resilience of critical infrastructure in the telecommunications industry. The Government is focused on the telecommunications industry given its importance to the economy and the sensitivity of the information carried across telecommunication networks. An overview of the positive security obligations is set out in 'What do carriers and CSPs need to do to comply with the new rules?'.
The new rules fit within the security of critical infrastructure regime introduced by the Government in 2018 to manage the national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia's critical infrastructure assets. That legislation is the Security of Critical Infrastructure Act 2018 (Cth) (SOCI). The new rules are in line with SOCI but have in fact been made under the Telecommunications Act 1997 (Cth) (Telco Act). The interface between the new cybersecurity reporting rules for the telecommunications sector and SOCI is discussed in the section 'Reconciling the new cybersecurity rules for telcos with SOCI'.
Telcos will need to ensure that their internal processes are set up to comply with these new obligations. The maximum penalty for a contravention is up to $10 million. This is significantly higher than the penalties for contraventions under SOCI (although the Explanatory Statement states that any penalties sought will be 'in line' with those in the SOCI Act).2
The new rules apply to carriers (by way of a new carrier licence condition) and to eligible CSPs (through a separate determination). The obligations for carriers and CSPs are broadly similar, with some minor differences in recognition of the fact that service providers generally have fewer physical assets and generally utilise the assets of licensed carriers.
What do carriers and CSPs need to do to comply with the new rules?
The new rules create positive security obligations for carriers and eligible CSPs to notify the Australian Signals Directorate (ASD) of cybersecurity incidents, and to provide operational, interest and control information about their telecommunication assets to the Secretary of the Department of Home Affairs.
A high-level summary of the key features of these obligations is set out below.
The rules create onerous obligations for all carriers and eligible CSPs to notify the ASD of cybersecurity incidents. Specifically:
The mandatory reporting obligations apply to any cybersecurity incident involving the carrier's or eligible CSP's assets. 'Asset' is defined extremely broadly and includes any tangible asset owned by a carrier or eligible CSP that is used to supply a carriage service. This potentially includes a telecommunications network, a computer, a computer program or computer data.
Importantly, the notification obligations apply individually to each carrier in a corporate group. However, another carrier in the group can provide cyber incident notifications on behalf of other carrier licensees.
Notifications may be given to the ASD orally or in writing.
Carriers and eligible CSPs will be required to provide the Secretary of the Department of Home Affairs with 'operational information' in relation to their telecommunication assets. Furthermore, where an entity other than a carrier or eligible CSP holds a direct interest (broadly, an interest of 10% or more, or a controlling stake) in an asset owned or operated by the carrier or eligible CSP, the interest and control information of that direct interest holder must also be provided to the Secretary. There are also ongoing obligations to notify the Secretary if any of the operational, interest or control information changes.
Operational information includes information about the location of the telecommunication asset, the areas supplied using the asset and a description of the arrangements under which the carrier/eligible CSP operates the asset. Operational information also includes ‘maintained data’, which is defined to include personal information of at least 20,000 individuals, sensitive information that relates to any individual and information about research and development.
Reconciling the new cybersecurity rules for telcos with SOCI
SOCI creates a framework of obligations for owners and operators of critical infrastructure, including obligations to notify cyber-attacks, reporting obligations in respect of ownership of critical infrastructure assets, and additional powers for the Government to assist entities (through Ministerial intervention) that have experienced or are experiencing a cyber-attack. Initially, the sectors and types of critical infrastructure assets covered by SOCI were limited (gas, electricity, maritime ports and water), but earlier this year the Government expanded the reach of SOCI. Relevantly, SOCI has been expanded to include critical telecommunications assets and related sector assets, resulting in some overlap with existing telecommunications regulation that is still being worked through by the Government.
SOCI envisages that separate sector-based rules would be made under the SOCI Act to 'switch on' the relevant positive security obligations for each sector. However, a bespoke approach has been adopted for telecommunications. Instead of sector-based rules made under the SOCI Act, the Government decided to impose 'SOCI-type' rules on the telecommunications sector through the carrier licence condition and CSP determination published by Minister Rowland under the Telco Act.
The consequence of this approach appears to be that the new cybersecurity rules will supersede some of the SOCI obligations, unless the Government later decides to make separate rules under SOCI. In explaining the reasons for a telecommunications-specific approach, the Government indicated that the intention of the new cybersecurity rules is to avoid duplication and to leverage the well-established regulatory framework contained in the Telco Act.
1 The Telecommunications (Carrier License Conditions – Security Information) Declaration 2022 and the Telecommunications (Carriage Service Provider – Security Information) Determination 2022.
2 The Explanatory Statement to the regulatory instruments states that if enforcement action is required "the intent is that any penalties sought would be in line with those in the SOCI Act".
© Norton Rose Fulbright LLP 2023