On 7 July 2022, following consultations in February and March, Communications Minister Michelle Rowland declared a new licence condition for carriers (under s 63 of the Telecommunications Act 1997 (Cth)) (the Licence Condition), and a separate determination (under s 99 of the Telecommunications Act 1997 (Cth)) (the Determination) that applies to eligible carriage service providers (CSPs).
The Licence Condition and the Determination together require carriers and eligible CSPs to (i) notify the Australian Signals Directorate of cyber security incidents impacting applicable assets; and (ii) report operational, control and interest information for each applicable asset to the Secretary of Home Affairs. These requirements broadly align with equivalent obligations under the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act), subject to some differences discussed further below. Relevant requirements under the SOCI Act were not directly applied to the telecommunications sector on the basis that sector specific rules would apply.
1. Obligation for carriers and CSPs to notify of cyber security incidents
The new Licence Condition and Determination require both carriers and CSPs to report “cyber security incidents” to the Australian Signals Directorate. These new obligations apply broadly to all tangible assets (excluding customer premises equipment) that are owned or operated by a carrier or CSP and used to supply a carriage service, including computers, computer programs and computer data.[1]
Like the SOCI Act, cyber security incidents are distinguished into two categories:
- Critical cyber security incidents arise when the carrier or CSP is aware an incident has occurred or is occurring and has had, or is having, a significant impact (whether direct or indirect) on the availability of any asset. An incident has a 'significant impact' on the availability of an asset where the asset is used in connection with the provision of essential goods and services, and the incident has materially disrupted the availability of those goods or services. Carriers and CSPs must report a “critical cyber security incident” to the Australian Signals Directorate as soon as practicable and within 12 hours of becoming aware of it. If reported orally, the carrier or CSP must provide a written report of the incident within a further 84 hours after the oral report was given.
- Other cyber security incidents arise where the carrier or CSP is aware an incident has occurred, is occurring, or is imminent and has had, or is having, or is likely to have a relevant impact on any asset. A 'relevant impact' occurs if the incident impacts (whether directly or indirectly) on the availability, integrity or reliability of the asset, or the confidentiality of information about the asset or stored in the asset (or, if the asset is computer data, the confidentiality of that computer data). Carriers and CSPs must report such an incident as soon as practicable and within 72 hours of becoming aware of it. If reported orally, the carrier or CSP must provide a written report of the incident within a further 48 hours after the oral report was given.
2. Obligation for carriers and CSPs to report information to Secretary of Home Affairs
The new Licence Condition and Determination also require carriers and CSPs to provide information to the Secretary of Home Affairs. These reporting obligations parallel the Register of Critical Infrastructure Assets reporting obligations under the SOCI Act. Carriers and CSPs are required to make an initial report to the Secretary of Home Affairs containing the “operational information” for each asset, and the “interest and control information” of each direct interest holder of an asset. Carriers and CSPs also have an ongoing obligation to notify the Secretary of Home Affairs of any changes to the reported “operational information” and “interest and control information” within 30 days of any change.
- Operational information consists of an asset's location, description of area for which carriage services are supplied by the asset, certain corporate information about the carrier/CSP, and a description of arrangements under which the carrier/CSP operates the asset and its arrangements for any maintained data (i.e. certain categories of significant data stored in connection with the asset). Where practicable, this should be at the level of component systems of telecommunications networks, constituent network units, and associated control or administrative systems, identifying these by each distinct operational region.
- Interest and control information includes, for each “direct interest holder”, certain required corporate information about the entity, details of the type and level of the interest held in the asset and the entity’s influence or control over the asset, information about access to any networks or systems, and a list of other entities in a position to directly or indirectly influence the direct interest holder and its higher entities. An entity is a 'direct interest holder' in an asset if it holds an interest (together with any associates) of at least 10% in the asset or holds an interest that puts it in a position to directly or indirectly influence or control the asset (and it does not qualify for any of the exclusions).
The Determination and Licence Condition do not require the Secretary of Home Affairs to add this information to the master Register of Critical Infrastructure Assets developed under the SOCI Act.
3. Timing and compliance
The obligation to notify of cyber security incidents for both carriers and CSPs took effect from 7 July 2022. The obligation to report operational/control and interest information for both carriers and CSPs will apply from 7 October 2022.
Non-compliance with the new Licence Condition by carriers attracts pecuniary penalties of $50,000 for each contravention (for non-body corporates), and $10 million for each contravention (for body corporates).
Non-compliance with the Determination by CSPs attracts pecuniary penalties of $50,000 for each contravention (for non-body corporates), and $250,000 for each contravention (for body corporates).
Although the above notifications are applied to carriers/CSPs individually, a carrier or CSP that is part of a corporate group can deliver notification of cyber security incidents and provide information on behalf of related carriers/CSPs in its corporate group.
4. Interaction with SOCI Act
The obligations imposed by the Determination and the Licence Condition mimic those found under Parts 2 and 2B of the SOCI Act, which was recently amended by the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act) (covered by our article here) and Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (SLACIP Act) (covered by our article here).
For companies working through their SOCI compliance obligations, it is tempting to apply the Licence Condition and the Determination as though they are just an extension of the SOCI regime. However, there are a few key differences to be aware of:
- The obligations in the Determination and the Licence Condition apply to a broader range of assets. Under SOCI, “critical telecommunications assets” are limited to telecommunications networks and “facilities” (within the meaning of the Telecommunications Act 1997) which are used to supply carriage services. However, the reporting and registration obligations imposed by the Determination and Licence Condition apply to all tangible assets (excluding customer premises equipment) that are used to supply a carriage service, including assets such as computers, computer programs and computer data. Companies that have been through the process of assessing whether their assets are “critical telecommunication assets” cannot use this analysis to inform their obligations under the Determination and Licence Condition.
- There is no grace period for the incident reporting obligations under the Determination and Licence Condition – they apply from 7 July 2022. When the SOCI incident reporting obligations were activated by the Security of Critical Infrastructure (Application) Rules 2022, industry was given a 3-month grace period to comply. It appears that a grace period was not implemented for the Determination and Licence Condition incident reporting regime so that it would come into effect in parallel with the SOCI regime, which commenced on 8 July 2022.
- Only the carrier and CSP have obligations to report operational and ownership information to the Secretary of Home Affairs. Under SOCI, the asset reporting obligations apply to all ‘direct interest holders’ of an asset. Under the Determination and the Licence Condition, only carriers/CSPs have this obligation - other ‘direct interest holders’ in the asset’s ownership chain are not required to report (although the carrier/CSP has an obligation to identify all “direct interest holders” of the asset as part of their own reporting).
- The Determination and the Licence Condition apply a different definition of “direct interest holder” compared to SOCI, using a different formulation of the moneylender exception. Under both SOCI and the Determination and Licence Condition, “moneylenders” are excluded from the definition of direct interest holder. However, the Licence Condition and the Determination apply a different “moneylender” exception that is focussed on whether the entity is in a position to directly or indirectly influence or control the asset. Companies that have been through the process of assessing the “direct interest holders” of each “critical telecommunication asset” under SOCI should be careful applying this analysis to their reporting under the Determination and Licence Condition.
- The Determination and Licence Condition require carriers/CSPs to report more detailed “operational information” than is required under the SOCI Act. Most notably, carriers and CSPs are required to report on their “arrangements” for certain types of sensitive data (“maintained data”), including corporate information about the entity maintaining the data, where it is held, and the name of any cloud service or SaaS used to hold the data.
Authors: Michael Caplan, Lesley Sutton, Claire Harris, Ethan Huang
[1] Note that the Determination only applies to the supply of: (i) a standard telephone service, where any of the customers are residential customers or small business customers; (ii) a public mobile telecommunications service; (iii) a carriage service that enables end-users to access the internet (s 10 of the Determination).