www.itic.org | Promoting Innovation Worldwide | Page 1
MEMO
To: Interested Parties
From: Information Technology Industry Council (ITI)
Re: 2022-2023 Global Cybersecurity Incident Reporting Policy Index
Over the past several years, governments around the world have taken steps to improve visibility into cyber incidents through developing new cyber incident reporting requirements and updating existing ones. To inform policy efforts around the world, ITI developed and released its own set of Global Incident Reporting Policy Principles, which summarize ITI’s consensus position on what we believe makes good cyber incident reporting policy. With this backdrop in mind, this index summarizes the latest requirements put forth globally.

The index includes incident reporting policies from eight countries and covers key information such as the scope of covered entities, threshold for reporting, timeline to report, and enforcement mechanisms, among other areas. It seeks to help further inform incident reporting efforts across the globe, particularly in preventing fragmentation of approaches across borders. Because several of these efforts remain in flux, particularly in Canada, the United States, and the United Kingdom, ITI will be closely tracking how these proposals unfold over the next year.
Australia

Security Legislation Amendment (Critical Infrastructure) Bill 2021

To strengthen existing critical infrastructure risk management strategies, mainly against cyber-related threats, the Australian government amended the 2018 Security of Critical Infrastructure Act. The Security Legislation Amendment (Critical Infrastructure) Bill 2021 came into effect in 2021 and expanded the scope of covered entities to 11 sectors, with the notable inclusion of the Data Storage and Processing sector, and their critical assets. The bill introduced cybersecurity incident reporting obligations for incidents that affect critical infrastructure assets. The bill defines incidents as “unauthorized access or modification to computer data or a computer program or unauthorized impairment of electronic communication.” More specifically, it differentiates incidents between “relevant” and “significant” impacts¹. Entities have 72 hours to report an incident with relevant impact, and 12 hours to report one with significant impact. The bill also provides the option for entities to initially provide an oral report in lieu of a written submission, but those who do must provide a written record shortly afterwards (48 hours after an incident with relevant impact, 84 hours after one with significant impact). Failure to meet these requirements will result in a monetary penalty. The bill also grants the Australian government more authority over private companies operating critical infrastructure assets. When an entity is deemed unwilling or unable to respond, the government has the option to intervene, including gathering information, ordering the operator to take specific actions, or taking over operation of the asset.

¹ Relevant impact: the impact (whether direct or indirect) of the incident on a) the availability, integrity, reliability of the asset, b) the confidentiality of (i) information about the asset; or (ii) if information is stored in the asset—the information; or (iii) if the asset is computer data—the computer data.
October 2022