Regulated entities, under Part 2b of the Security of Critical Infrastructure Act 2018, may be subject to mandatory cyber incident reporting requirements, these include: Reporting Critical Cyber Security Incidents If you become aware that a critical cyber security incident has occurred, or is occurring, AND the incident has had, or is having, a significant impact on the availability of your asset, you must notify the Australian Cyber Security Centre (ACSC) within 12 hours after you become aware of the incident. A significant impact is one where both the critical infrastructure asset is used in connection with the provision of essential goods and services; and the incident has materially disrupted the availability of those essential goods or services. If you make the report verbally you must make a written record and provide the written record to cyber.gov.au/report within 84 hours of verbally notifying the ACSC. Reporting other Cyber Security Incidents If you become aware that a cyber security incident has occurred, or is occurring, AND the incident has had, is having, or is likely to have, a relevant impact on your asset you must notify the ACSC within 72 hours after you become aware of the incident. A relevant impact is an impact on the integrity, reliability or confidentiality of your asset or systems. If you make the report verbally you must make a written record and provide the written record to cyber.gov.au/report within 48 hours of verbally notifying the ACSC. More information, including if these requirements relate to you, can be found on the Cyber and Infrastructure Security Centre’s website. See a list of critical infrastructure sectors and asset classes Communications a critical telecommunications asset a critical broadcasting asset a critical domain name system Data storage or processing Defence industry a critical defence industry asset Energy a critical electricity asset a critical gas asset a critical energy market operator asset a critical liquid fuel asset Financial services and markets a critical banking asset a critical superannuation asset a critical insurance asset a critical financial market infrastructure asset Food and grocery a critical food and grocery asset Health care and medical a critical hospital Higher education and research a critical education asset Space technology Transport a critical port a critical freight infrastructure asset a critical freight services asset a critical public transport asset a critical aviation asset Water and sewerage a critical water asset Notifiable data breaches. A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. If there is malicious cyber activity related to a data breach which you wish to report, please fill in the form below. ATTENTION! Fraud and Cybercrime: If you are reporting fraud or cybercrime, please refer to the ReportCyber – Cybercrime page. Please do not fill this form on any network you believe has been compromised. Use a separate system and contact details to complete the form. Reason for reporting (please select all that apply)? To inform the Australian Cyber Security Centre (ACSC) To request assistance or advice from the Australian Cyber Security Centre (ACSC) Contact details First name Last name Email address Email address Verify email address Contact number Organisation details Organisation name ABN State/Territory - Select -ACTNSWNTQLDSATASVICWA Postcode Website address Is your organisation part of a critical infrastructure sector - Select -YesNoUnsure Select your critical infrastructure sector(s) Communications Financial services and markets Data storage or processing Defence industry Higher education and research Energy Food and grocery Health care and medical Space technology Transport, including aviation and maritime assets Water and sewerage Not listed Are you making a mandatory cyber incident report under the Security of Critical Infrastructure Act 2018? - Select -YesNoUnsure Do you consent for this information to be provided to the relevant regulator? - Select -YesNo Warning message If you do not consent to sharing this information with regulators, your organisation may be at risk of not meeting its reporting obligations. Incident details Date and time the incident was identified Date and time the incident was identified: Date Date and time the incident was identified: Time Is the incident ongoing? Yes No Which of the following are being impacted? Information technology systems? Operational technology systems? Customer data Was the incident identified by your organisation, or were you notified by a third party? - None -Own organisationThird party Please select the type of incident from the following Denial of service (DOS)? Scanning and reconnaissance? Unauthorised access to network or device Data exposure, theft or leak Malicious code/malware? Ransomware ? Phishing/spear-phishing? Other (please specify) Please describe the incident including how it occurred and the observed activity (such as the extent of the incident, any data loss/modifications and the impact to your business operations) Please provide any further details the ACSC may need to understand the effect of this incident. This may include detail on how you are responding to the incident. CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
