The new Australian Cyber Security Bill has made incident reporting more complex rather than streamlining it. As highlighted by Annie Haggar at the Australian Cyber Conference in Melbourne, organisations now face a confusing matrix of reporting requirements.
Current Challenges
If you’re trying to report a cyber incident, you’re faced with a tangled web of questions and requirements:
First, you need to figure out who to tell. Are you supposed to report to APRA? OIAC? Maybe ACSC/ASD? Or is it Home Affairs? The answer depends on your industry and the type of incident. Then there’s the timing puzzle. You might have either a 12-hour, 72 hour or 30 day notification period.
But here’s the extra layer of complexity— these timeframes can actually differ for the same regulatory body depending on whether the affected system is considered critical infrastructure or not. So you could end up with different reporting deadlines to the same agency for different parts of your organisation.
The legal implications add another layer of headache. When you share information with government agencies, you need to think about whether that data could be exposed during legal discovery later on. This puts organisations in a tricky spot — they want to be helpful and transparent, but they also need to be careful about what they disclose to protect themselves legally.
The reporting requirements vary based on multiple factors:
- Which government body regulates your industry
- Whether existing reporting legislation applies
- Whether the affected system is classified as critical infrastructure
Organisations must also consider whether shared data could be disclosed during legal discovery, which affects how much information they choose to share.
A Better Model: Aviation Safety Reporting
The aviation sector provides an excellent template for effective incident reporting. The Australian Transport Safety Bureau (ATSB) serves as a single point for all aviation safety reports, including near-misses. While other agencies like CASA play regulatory roles, the ATSB’s no-blame approach to investigations promotes industry-wide safety improvements through centralised reporting. Replicating this to the cyber world, much more than just the Cyber Incident Review Board for limited critical incident, would greatly benefit all Australians as it would help us much better understand the threat landscape and the cyber security challenges facing our economy.
Missed Opportunity
The establishment of the new Cyber Incident Review Board could have been used to simplify the reporting system. A streamlined approach, with ACSC/ASD as the central reporting body, would offer several benefits:
- Reduced complexity for organisations
- Increased reporting compliance
- Better threat intelligence gathering
- Clearer understanding of the cyber threat landscape
- No-blame investigations focused on improvement
While the current bill unfortunately adds another layer of complexity, future amendments could still create a more streamlined, aviation-style reporting system.
So whilst it’s disappointing they added yet another layer to the the reporting matrix, hopefully in future amendments the Government will consider streamlining the reporting process. It will also be very interesting to see what incidents will trigger a review by the Cyber Incident Review Board, and how well resourced it will be to conduct it’s investigations.
