Commonwealth Consolidated Acts


SECURITY OF CRITICAL INFRASTRUCTURE ACT 2018 - SECT 30CR

External evaluation report

Scope

  (1)   This section applies if an entity has undertaken a cyber security exercise under section 30CM, and:

  (a)   all of the following conditions are satisfied:

  (i)   the entity has prepared, or purported to prepare, an evaluation report under section 30CQ relating to the exercise;

  (ii)   the entity has given a copy of the report to the Secretary;

  (iii)   the Secretary has reasonable grounds to believe that the report was not prepared appropriately; or

  (b)   the entity has contravened section 30CQ.

Requirement

  (2)   The Secretary may, by written notice given to the entity, require the entity to:

  (a)   appoint an external auditor; and

  (b)   arrange for the external auditor to prepare an evaluation report (the new evaluation report) relating to the exercise; and

  (c)   arrange for the external auditor to give the new evaluation report to the entity; and

  (d)   give the Secretary a copy of the new evaluation report within:

  (i)   the period specified in the notice; or

  (ii)   if the Secretary allows a longer period--that longer period.

  (3)   The notice must specify:

  (a)   the matters to be covered by the new evaluation report; and

  (b)   the form of the new evaluation report and the kinds of details it is to contain.

Consultation

  (4)   Before giving a notice to an entity under this section in connection with a cyber security exercise that relates to a system of national significance, the Secretary must consult:

  (a)   the entity; and

  (b)   if there is a relevant Commonwealth regulator that has functions relating to the security of that system--the relevant Commonwealth regulator.

Eligibility for appointment as an external auditor

  (5)   An individual is not eligible to be appointed as an external auditor by the entity if the individual is an officer, employee or agent of the entity.

Compliance

  (6)   An entity must comply with a requirement under subsection (2).

Civil penalty: 200 penalty units.

Immunity

  (7)   The new evaluation report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (6)).


