Marsh issues reminder on mandatory cyber incident reporting

Marsh has issued a reminder on the mandatory cyber incident reporting obligation required of regulated entities for certain critical infrastructure asset classes.

Starting July 8, regulated entities must report specific types of cyber security incidents to the Cyber and Infrastructure Security Centre (CISC) via the Australian Cyber Security Centre (ACSC). Any incident that has or is likely to have “significant” or “relevant impact” must be brought to the attention of ACSC.

Significant incidents refer to “incidents where you cannot deliver goods or services,” said Marsh, and must be reported within 12 hours. Relevant incidents, on the other hand, refer to “incidents that impact delivery of services or goods but they are deliverable.” These must be reported within 72 hours.

The statement from Marsh also enumerated the following critical infrastructure asset classes required to report incidents to the ACSC:

critical telecommunications assets
critical broadcasting asset
critical domain name system
critical data storage or processing asset
critical financial market infrastructure asset that is a payment system
critical food and grocery asset
critical hospital
critical freight infrastructure asset
critical freight services asset
critical public transport asset
critical liquid fuel asset
critical energy market operator asset
critical electricity asset that was not a critical infrastructure asset immediately before the commencement of section 18A of the Act
critical gas asset that was not a critical infrastructure asset immediately before the commencement of section 18A of the Act

Entities for these asset classes must submit cyber security incident reports through the ACSC website.

Marsh added that such incidents must also be reported to a company’s insurer if they have cyber insurance.

“Cyber insurance typically covers costs for investigating and responding to cyber incidents,” said the Marsh statement. “Upon notification an initial triage will be conducted by the appointed incident response manager (IRM). The IRM will then determine whether panel response vendors – such as IT forensics services – should be engaged.”