Cyber Security Reporting Obligations
New cybersecurity obligations reinforce the need for speedy reporting of cyber incidents.
The University is now subject to statutory notification timeframes - in some circumstances within 12 hours of an actual or potential breach being noticed by a system user.
Incidents should be immediately reported to the University’s Cybersecurity team using this form.
ITDS will quickly assess the incident and notify the Australian Cyber Security Centre on behalf of the University of any cyber security incidents that involve unauthorised access or impairment of systems; or which have impacted the security, operation or reliability of service.
Failure to report significant or relevant incidents within the necessary timeframe can result in a substantial financial penalty for the University. Early reporting also assists the University to minimise any consequences of cyber-attacks.
Mandatory cyber incident reporting is 1 of 4 positive security obligations that can be applied to institutions like the University under the Security of Critical Infrastructure Act 2018 (SOCI Act) because they have been identified as being critical to the Australian community and the economy.
The purpose of the SOCI Act is to protect ‘critical infrastructure sectors’ from various natural and targeted threats that may compromise Australia’s interests or security. Following recent amendments to the SOCI Act, the higher education and research sector has been identified as being responsible for ‘critical education assets’.
This means that the University is now required by law to demonstrably manage risks to its operations, including those that may compromise the information technology or the digital systems which support University activities.
It is even more critical that you contact ITDS as soon as possible if you become aware of a cyber incident.