Telco update: What you need to know about the new cybersecurity reporting rules and how they interface with SOCI

Key takeaways

On 7 July, the Minister of Communications, Michelle Rowland, published cybersecurity reporting obligations that apply to carriers and certain carriage service providers (CSPs).¹  The rules create positive security obligations, including cybersecurity reporting within 12 to 72 hours, depending on the severity of the cybersecurity incident. The rules underlie Government’s commitment to protect access to essential services by improving the security and resilience of critical infrastructure in the telecommunications industry. The Government is focused on the telecommunications industry given its importance to the economy and the sensitivity of the information carried across telecommunication networks. An overview of the positive security obligations is set out in 'What do carriers and CSPs need to do to comply with the new rules?'.

The new rules fit within the security of critical infrastructure regime introduced by Government in 2018 to manage national security risks of sabotage, espionage and coercion posed by foreign involvement in relation to Australia's critical infrastructure assets. This legislation is called the Security of Critical Infrastructure Act 2018 (Cth) or SOCI. The rules are in-line with SOCI but have in fact been published under the Telecommunications Act 1997 (Cth) (Telco Act). The interface between the new cyber-security reporting rules for the telecommunication sector and SOCI is discussed in the section 'Reconciling the new cybersecurity rules for telcos with SOCI'.

Telcos will need to ensure that their internal processes are set up to comply with these new obligations. The maximum penalty for a contravention is potentially $10 million. This is significantly higher than the penalties for contraventions under SOCI (although the Explanatory Statement states that any penalties will be ‘in line’ with those in the SOCI Act).²

What do carriers and CSPs need to do to comply with the new rules?

The new rules apply to carriers (by way of a new carrier license condition) and to eligible CSPs (through a separate determination). The obligations for carriers and CSPs are broadly similar, with some minor differences in recognition of the fact that service providers generally have fewer physical assets and generally utilise the assets of licenced carriers.

The new rules create positive security obligations for carriers and eligible CSPs to:

• inform the Australian Signals Directorate (ASD) of cyber security incidents that have had or are having a significant or relevant impact on a telecommunication asset (Mandatory reporting obligations); and
• provide information to the Secretary of the Department of Home Affairs with operational information about telecommunication assets (Obligation to provide information).

A high-level summary of the key features of these obligations is set out below.

Mandatory reporting obligations (effective from 7 July)

The rules create onerous obligations for all carriers and eligible CSPs to notify the ASD of cybersecurity incidents. Specifically:

• Any cybersecurity incident that has occurred or is occurring and which has a ‘significant impact’ on the availability of any of the carrier’s assets must be reported to the ASD as soon as reasonably practicable and within at least 12 hours of the carrier/eligible CSP becoming aware of the incident.
  
  Cybersecurity incidents that have a significant impact are limited to instances where the asset is used in connection with the provision of essential goods or services and the incident has materially disrupted the availability of goods/services. The intent is only to capture those goods or services that are critical to the health, safety, or good order of the Australian community.
• Any other cybersecurity incident that is having a ‘relevant impact’ must be notified to the ASD within 72 hours of the carrier/eligible CSP becoming aware of the incident. This obligation relates to incidents that impact the availability, integrity, reliability and confidentiality of the carrier/eligible CSP’s assets.

The mandatory reporting obligations apply to any cybersecurity incident involving the carrier or eligible CSP’s assets. Assets are defined extremely broadly and include any tangible asset owned by a carrier/eligible CSP used to supply a carriage service. This potentially includes a telecommunication network, computer, computer program or computer data.

Importantly, the notification obligations apply individually to each carrier in a corporate group. However, another carrier in the group can provide cyber incident notifications on behalf of other carrier licensees.

Notifications may be given to the ASD orally or in writing.

Obligation to provide information (effective 7 October)

Carriers and eligible CSPs will be required to provide the Secretary of the Department of Home Affairs with ‘operational information’ in relation to telecommunication assets. Furthermore, where an entity other than a carrier or eligible CSP holds a direct interest (which is effectively a percentage >10% or a controlling stake) in an asset owned or operated by the carrier/eligible CSP, the interest and control information of the direct interest holder must also be provided to the Secretary. There are also ongoing obligations to provide information including if any of the operational or control information changes.

Operational information includes information about the location of the telecommunication asset, the areas supplied using the asset and a description of the arrangements under which the carrier/eligible CSP operates the asset. Operational information also includes ‘maintained data’, which is defined to include personal information of at least 20,000 individuals, sensitive information that relates to any individual and information about research and development.

Reconciling the new cybersecurity rules for telcos with SOCI

SOCI creates a framework of obligations for owners/operators of critical infrastructure, including: obligations to notify cyber-attacks, reporting obligations in respect of ownership of critical infrastructure assets, as well as additional powers for government to assist entities (through Ministerial intervention) that have experienced or are experiencing a cyber-attack. Initially, the sectors and types of critical infrastructure assets covered by SOCI were limited (gas, electricity, maritime ports and water) but earlier this year the Government expanded the reach of SOCI. Relevantly, SOCI has been expanded to include critical telecommunication assets and related sector assets, resulting in some overlap with existing telecommunications regulation that is still being worked through by government.

SOCI envisages that separate sector-based rules would need to be enacted under the SOCI Act to ‘switch on’ the relevant positive security obligations. However, a bespoke approach has been adopted in respect of telecommunications. Instead of sector-based rules published under the SOCI Act, Government decided to impose ‘SOCI-type’ rules on the telecommunications sector through the carrier licence condition and CSP determination published by Minister Rowland on 5 July.

The consequence of this approach appears to be that the new cybersecurity rules will supersede some of the SOCI obligations, unless Government later decides to publish separate rules under SOCI. In explaining the reasons for having a telecommunication-specific approach the Government indicated that the intention of the new cybersecurity rules is to avoid duplication and to leverage the well-established regulatory framework contained in the Telco Act.