cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

SMEs face fines for failing to report cyber attacks

An expanded definition of critical infrastructure sectors may catch small businesses out, says RSM Australia.

user iconJosh Needs
Tue, 12 Jul 2022
SMEs face fines for failing to report cyber attacks
expand image

Small businesses could be caught out and face fines if they suffer a cyber attack on critical infrastructure and fail to alert the Australian Cyber Security Centre, a specialist told Josh Needs, a reporter at Cyber Security Connect's sister brand, Accountants Daily.

RSM Australia national head of cyber security and privacy risk services, Darren Booth, said that expanded rules, effective from 8 July, took in many businesses that would be unaware of their obligations.

“I think there’s been engagement with the big industries and players impacted by the legislative changes, but I’m concerned about the SMEs, particularly businesses in supply chains such as ‘farm-to-plate’ and freight services,” said Booth.


“When I’ve raised the new regulatory obligations with businesses that I’m dealing with, many have been unaware of the changes and have had to seek legal advice to determine if they’re captured in the expanded net of critical infrastructure assets.

“The complexity of the changes, the current IT skills shortage, and the commencement of the new cyber incident reporting requirements just after the end of the financial year – the busiest time for business – may have also relegated the impending changes to the ‘too hard basket’ for some entities.”

Sectors defined as critical infrastructure – originally electricity, gas, water and ports – have been expanded to include:

  • communications;
  • data storage or processing;
  • financial services;
  • healthcare and medical;
  • higher education and research;
  • food and grocery;
  • transport;
  • space technology; and
  • the defence industry.

Businesses within these sectors have to alert the Australian Cyber Security Centre within 12 hours of the attack if it significantly impacts its availability and all other incidents must be reported within 72 hours.

Booth said that well-regulated sectors such as energy, utilities and financial services should already have well-developed security and reporting procedures in place but smaller businesses in new sectors may not.

“Less regulated sectors that may have strong physical security measures for their assets, but weaker cyber security, could have significant work to do to bolster their mitigation, response, reporting and recovery approaches to a potential attack,” said Booth.

The Australian Cyber Security Centre would likely take an education-first approach to non-compliance in the early days of the new requirements, said Booth.

However, he said businesses found in breach of the new reporting rules would face fines at some point.

“Warning bells will start ringing for private companies when there’s been a serious attack on a piece of critical infrastructure and the Australian government enforces its ‘walk-in’ rights to manage the situation,” said Booth.

The focus on cyber security would only grow with more cyber security risk management requirements likely towards the end of the year.

The focus on making businesses responsible for protecting themselves against cyber attacks was highlighted by a recent Federal Court order that RI Advice engage a cyber security expert after an attack that compromised the sensitive data of several thousand clients.

In the wake of that decision, ASIC deputy chair Sarah Court said it was imperative for businesses to have adequate cyber security in place.

“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cyber security position to improve cyber resilience in light of the heightened cyber-threat environment,” said Court.

[Related: A spotlight on scams at national Law Week 2022]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.