Cyber Security Reporting Obligations
New cybersecurity obligations reinforce the need for speedy reporting of cyber incidents.
The ×îÐÂÌÇÐÄVlog is now subject to statutory notification timeframes - in some circumstances within 12 hours of an actual or potential breach being noticed by a system user.
Incidents should be immediately reported to the ×îÐÂÌÇÐÄVlog’s Cybersecurity team using this form.
ITDS will quickly assess the incident and notify the ×îÐÂÌÇÐÄVlogn Cyber Security Centre on behalf of the ×îÐÂÌÇÐÄVlog of any cyber security incidents that involve unauthorised access or impairment of systems; or which have impacted the security, operation or reliability of service.
Failure to report significant or relevant incidents within the necessary timeframe can result in a substantial financial penalty for the ×îÐÂÌÇÐÄVlog. Early reporting also assists the ×îÐÂÌÇÐÄVlog to minimise any consequences of cyber-attacks.
Mandatory cyber incident reporting is 1 of 4 positive security obligations that can be applied to institutions like the ×îÐÂÌÇÐÄVlog under the (SOCI Act) because they have been identified as being critical to the ×îÐÂÌÇÐÄVlogn community and the economy.
The purpose of the SOCI Act is to protect ‘critical infrastructure sectors’ from various natural and targeted threats that may compromise ×îÐÂÌÇÐÄVlog’s interests or security. Following recent amendments to the SOCI Act, the higher education and research sector has been identified as being responsible for ‘critical education assets’.Â
This means that the ×îÐÂÌÇÐÄVlog is now required by law to demonstrably manage risks to its operations, including those that may compromise the information technology or the digital systems which support ×îÐÂÌÇÐÄVlog activities.
It is even more critical that you contact ITDS as soon as possible if you become aware of a cyber incident.