Marsh has issued a reminder on the mandatory cyber incident reporting obligation that applies to regulated entities for certain critical infrastructure asset classes.
Starting July 8, regulated entities must report specific types of cyber security incidents to the Cyber and Infrastructure Security Centre (CISC) via the Australian Cyber Security Centre (ACSC). Any incident that has, or is likely to have, a “significant” or “relevant impact” must be brought to the attention of the ACSC.
Significant incidents refer to “incidents where you cannot deliver goods or services,” said Marsh, and must be reported within 12 hours. Relevant incidents, on the other hand, refer to “incidents that impact delivery of services or goods but they are deliverable.” These must be reported within 72 hours.
The statement from Marsh also enumerated the following critical infrastructure asset classes required to report incidents to the ACSC:
Entities for these asset classes must submit cyber security incident reports through the ACSC website.
Marsh added that such incidents must also be reported to a company’s insurer if the company has cyber insurance.
“Cyber insurance typically covers costs for investigating and responding to cyber incidents,” said the Marsh statement. “Upon notification an initial triage will be conducted by the appointed incident response manager (IRM). The IRM will then determine whether panel response vendors – such as IT forensics services – should be engaged.”