The Federal Government says it received 47 mandatory cyber incident reports in the first nine months of a new mandatory reporting regime.

Mandatory reporting of information security incidents came into effect for 11 critical infrastructure sectors last year, and the inaugural head of the Australian Cyber and Infrastructure Security Centre (CISC) Hamish Hansford has told senate estimates that incident reports are now flowing in. 

If companies in the targeted sectors experience an incident with an impact rated as either ‘critical’ or ‘relevant’, they must report it via the Australian Cyber Security Centre (ACSC), which then passes it to the CISC.

“The portal for mandatory cyber incident reporting is hosted by the ACSC within the Australian Signals Directorate, and then as part of that process, people can tick the fact that they’re reporting for their regulatory compliance requirement, and then that is automatically forwarded to the Cyber and Infrastructure Security Centre in Home Affairs,” Mr Hansford said.

“There’s been a steady number of mandatory cyber incident reports tabled into both the ACSC but also given to us as well, to get a true understanding of the nature of successful cyber incidents occurring on critical infrastructure.

“Forty-seven (47) reports have been provided that we say meet the criteria of the mandatory cyber incident report between the period of April 1 2022 and December 31 2022.”

Providers have up to 72 hours to lodge a mandatory incident report, depending on the severity.