A case of tele-FOMO? Telecom industry introduces SOCI-aligned notification of cybersecurity incidents and reporting obligations

On July 7, 2022, following consultations in February and March, Communications Minister Michelle Rowland declared a new condition of license for carriers (under section 63 of the Telecommunications Act 1997 (Cth)) (the License Condition), and made a separate determination (under section 99 of the Telecommunications Act 1997 (Cth)) (the Determination) that applies to eligible carriage service providers (CSPs).

The License Condition and the Determination together require carriers and eligible CSPs to (i) notify the Australian Signals Directorate of cybersecurity incidents affecting applicable assets; and (ii) report operational information and interest and control information for each applicable asset to the Secretary of the Interior. These requirements broadly align with the equivalent obligations under the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act), subject to certain differences described below. The relevant requirements of the SOCI Act were not applied directly to the telecommunications sector, on the basis that sector-specific rules would apply instead.

1. Obligation for carriers and CSPs to notify cybersecurity incidents

The new License Condition and Determination require carriers and CSPs to report “cybersecurity incidents” to the Australian Signals Directorate. These obligations generally apply to all tangible assets (excluding customer premises equipment) that are owned or operated by a carrier or CSP and used to provide a carriage service, including computers, computer programs and computer data.

As under the SOCI Act, cybersecurity incidents fall into two categories:

  • Critical cybersecurity incidents occur when the carrier or CSP is aware that an incident has occurred or is occurring and has had, or is having, a significant impact (direct or indirect) on the availability of an asset. An incident has a “significant impact” on the availability of an asset when the asset is used in the provision of critical goods and services and the incident has significantly disrupted the availability of those goods or services. Carriers and CSPs must report a “critical cybersecurity incident” to the Australian Signals Directorate as soon as possible and within 12 hours of becoming aware of it. If the report is made orally, the carrier or CSP must provide a written report of the incident within a further 84 hours of the oral report.
  • Other cybersecurity incidents occur when the carrier or CSP is aware that an incident has occurred, is occurring or is imminent and has had, is having or is likely to have a relevant impact on an asset. A “relevant impact” occurs if the incident has an impact (direct or indirect) on the availability, integrity or reliability of the asset, or on the confidentiality of information relating to the asset or stored in the asset (or, if the asset consists of computer data, the confidentiality of that computer data). Carriers and CSPs must report such an incident as soon as possible and within 72 hours of becoming aware of it. If the report is made orally, the carrier or CSP must provide a written report of the incident within a further 48 hours of the oral report.

2. Obligation for carriers and CSPs to report information to the Secretary of the Interior

The new License Condition and Determination also require carriers and CSPs to provide information to the Secretary of the Interior. These reporting obligations parallel the Register of Critical Infrastructure Assets reporting obligations under the SOCI Act. Carriers and CSPs are required to make an initial report to the Secretary of the Interior containing “operational information” for each asset and “interest and control information” for each direct interest holder in the asset. Carriers and CSPs also have an ongoing obligation to notify the Secretary of the Interior of any change to the reported “operational information” or “interest and control information” within 30 days of the change.

  • Operational information consists of the location of an asset, a description of the area for which carriage services are provided by the asset, certain corporate information about the carrier/CSP, and a description of the arrangements under which the carrier/CSP operates the asset and its arrangements for any retained data (i.e. certain categories of significant data retained in relation to the asset). As far as possible, this should be provided at the level of the component systems of the telecommunications network, the constituent network units and the associated control or administrative systems, identifying each by its distinct operational region.
  • Interest and control information includes, for each “direct interest holder”, certain required corporate information about the entity, details of the type and level of interest held in the asset and the influence or control the entity has over the asset, information on access to any network or system, and a list of other entities able to directly or indirectly influence the direct interest holder and the entities above it in the chain of ownership. An entity is a “direct interest holder” in an asset if it holds an interest (together with any associates) of at least 10% in the asset, or holds an interest that puts it in a position to directly or indirectly influence or control the asset (and it does not fall within any of the exclusions).

The Determination and License Condition do not require the Secretary of the Interior to add this information to the Register of Critical Infrastructure Assets established under the SOCI Act.

3. Timing and compliance

The obligation on carriers and CSPs to report cybersecurity incidents came into force on July 7, 2022. The obligation on carriers and CSPs to report operational information and interest and control information will apply from October 7, 2022.

Non-compliance with the new License Condition by a carrier attracts monetary penalties of up to $50,000 for each contravention (for persons other than bodies corporate) and $10 million for each contravention (for bodies corporate).

Failure by a CSP to comply with the Determination attracts monetary penalties of up to $50,000 for each contravention (for persons other than bodies corporate) and $250,000 for each contravention (for bodies corporate).

While the above obligations apply to each carrier/CSP individually, a carrier or CSP that is part of a corporate group may notify cybersecurity incidents and provide information on behalf of related carriers/CSPs in its corporate group.

4. Interaction with the SOCI Act

The obligations imposed by the Determination and License Condition mirror those found in Parts 2 and 2B of the SOCI Act, which was recently amended by the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act) (covered by our article here) and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (SLACIP Act) (covered by our article here).

For companies already meeting their SOCI compliance obligations, it is tempting to treat the License Condition and Determination as a simple extension of the SOCI regime. However, there are a few key differences to be aware of:

  • The obligations set out in the Determination and License Condition apply to a broader range of assets. Under SOCI, “critical telecommunications assets” are limited to telecommunications networks and “facilities” (as defined in the Telecommunications Act 1997) that are used to supply carriage services. By contrast, the reporting and notification obligations imposed by the Determination and License Condition apply to all tangible assets (excluding customer premises equipment) that are used to provide a carriage service, including assets such as computers, computer programs and computer data. Companies that have gone through the assessment process to determine whether their assets are “critical telecommunications assets” cannot rely on that analysis alone to determine their obligations under the Determination and License Condition.
  • There is no grace period for the incident reporting obligations under the Determination and License Condition – they apply from July 7, 2022. When the SOCI incident reporting obligations were switched on by the Security of Critical Infrastructure (Application) Rules 2022, the industry was given a 3 month grace period to comply. No grace period appears to have been put in place for the License Condition and Determination incident reporting scheme, so it takes effect alongside the SOCI scheme, which started on July 8, 2022.
  • Only the carrier or CSP is required to report operational information and interest and control information to the Secretary of the Interior. Under SOCI, asset reporting requirements apply to all “direct interest holders” of an asset. Under the Determination and License Condition, only carriers/CSPs have this obligation – other “direct interest holders” in the chain of ownership of the asset are not required to report (although the carrier/CSP must identify all “direct interest holders” of the asset as part of its own report).
  • The Determination and License Condition apply a different definition of “direct interest holder” from SOCI, using different wording for the lender exception. Under both SOCI and the Determination and License Condition, “moneylenders” are excluded from the definition of direct interest holder. However, the License Condition and Determination apply a different “moneylender” exception that turns on whether the entity is able to directly or indirectly influence or control the asset. Companies that have gone through the process of assessing the “direct interest holders” of each “critical telecommunications asset” under the SOCI framework should apply that analysis with caution to their reports under the Determination and License Condition.
  • The Determination and License Condition require carriers/CSPs to report more detailed “operational information” than is required under the SOCI Act. Specifically, carriers and CSPs are required to report on their “arrangements” for certain types of sensitive data (“retained data”), including corporate information about the entity retaining the data, where it is stored, and the name of any cloud or SaaS service used to store the data.