New Security Obligations Introduced for the Telecoms Sector

Written By

Patrick Cordwell

Senior Associate
Australia

I am a senior associate in our Corporate and Commercial Group in Sydney, advising technology and communications clients on a range of commercial and regulatory matters.

Thomas Jones

Partner
Australia

As a partner in our Competition and Commercial Groups in Sydney, and co-head of the Technology and Communications Group in Australia, I specialise in cross-jurisdictional regulatory issues in technology and communications.

On 7 July 2022, Australia’s Minister for Communications, Michelle Rowland, made two legislative instruments aimed at protecting against threats to, and strengthening the resilience of, assets in the telecommunications sector.

The Telecommunications (Carrier Licence Conditions – Security Information) Declaration and Telecommunications (Carriage Service Provider – Security Information) Determination 2022 (the “Instruments”), made under sections 63 and 99 of the Telecommunications Act 1997 (Cth) (“Telco Act”) respectively, create new carrier licence conditions and service provider rules which together impose positive security obligations on carriers and eligible carriage service providers (“CSPs”). Specifically, the Instruments require carriers and CSPs to:

  • notify the Australian Signals Directorate of cyber security incidents; and
  • report operational and control information to the Secretary of Home Affairs.

The obligations within the Instruments broadly mirror those set out in the Security of Critical Infrastructure Act 2018 (Cth) (SOCI) and bring the telecommunications industry into line with other critical infrastructure sectors.

Background

The introduction of the Instruments has occurred against the backdrop of significant amendments to SOCI over the previous 12 months, in line with the Australian Government’s Cyber Security Strategy 2020.

Among other changes, the classes of assets subject to SOCI were expanded in late 2021. 'Critical telecommunications assets' were among the newly added asset classes brought within SOCI's scope.

Obligations contained in SOCI, which broadly parallel those set out in the Instruments, were subsequently ‘switched on’ in relation to most classes of critical assets by the Security of Critical Infrastructure (Application) Rules, which took effect on 8 April 2022. However, critical telecommunications assets were not included in the Rules and, as such, the SOCI obligations were not activated in respect of these assets.

By bringing asset security obligations under the Telco Act, the Instruments build on a foundation set by the 2018 Telecommunications Sector Security Reforms, which were aimed at strengthening Australia's protection against threats to the telecommunications sector and managing national security risks associated with unauthorised access to and interference with telecommunications networks.

Security obligations

The obligations contained in the Instruments apply in respect of all tangible assets (excluding customer premises equipment) that are owned or operated by a carrier or eligible CSP and used to supply a carriage service.

1. Cyber security incident reporting

Carriers and CSPs are now required to notify the Australian Signals Directorate (“ASD”) of two types of cyber security incident:

  • ‘Critical’ cyber security incidents must be reported to the ASD within 12 hours of the carrier or CSP becoming aware of an incident which has had, or is having, a ‘significant impact’ on the availability of an asset.
  • 'Other' cyber security incidents must be reported to the ASD within 72 hours of the carrier or CSP becoming aware that an incident has occurred, is occurring or is imminent and has had, is having or is likely to have a 'relevant impact'.

2. Operational and control information reporting

From 7 October 2022, carriers and CSPs will have an ongoing obligation to provide the Secretary of Home Affairs with ‘operational information’ about each of their assets.

They must also provide ‘interest and control information’, that is, certain information about any entity that holds a direct interest of 10% or more in an asset.

Key takeaways

Given the broad definition of ‘asset’ contained in the Instruments, carriers and CSPs should give careful consideration to which of their assets might be subject to these new obligations.

It is also important that carriers and CSPs act quickly to implement arrangements to ensure compliance. While the Cyber and Infrastructure Security Centre (a part of ASD) has indicated that the first 12 months from July 2022 will be a learning phase, the Telco Act provides for substantial pecuniary penalties for contraventions.

For more information, please contact Thomas Jones, Patrick Cordwell or Lukas Mitterlechner.

 
