Get clear guidance on notifying the Australian Cyber Security Centre and Department of Home Affairs when a maritime asset faces a security or cyber incident
When a ship, offshore facility or related maritime system experiences a security event, quick and correct notification is essential. Under Part 9 of the Maritime Transport and Offshore Facilities Security Act 2003, industry participants are obliged to report a maritime security incident as soon as they become aware of it.
This guidance explains the reporting routes, the specific obligations for cyber incidents, and the formal standards for a valid written submission. The aim is to help organisations act promptly while preserving evidence and enabling the relevant authorities to coordinate a response.
Reports must be made within a tight timeframe and follow legislative requirements outlined in the Maritime Transport and Offshore Facilities Security (Incident Reporting) Instrument 2018. Failing to include required details can mean a report is legally considered not to have been made under subsection 182(3) of the Act.
The information below sets out the practical steps to notify the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs, what to include in written reports, and how the government’s just culture approach influences enforcement decisions.
Immediate reporting obligations
If you become aware of a maritime security incident, you must notify the Department of Home Affairs without delay and provide a written report within 24 hours of first becoming aware. The statutory requirement applies to maritime industry participants and covers physical and digital threats that affect the security of vessels, offshore facilities or related systems. The legislation emphasises timely, written notification so authorities can assess risk and coordinate protective measures. Use the official processes to ensure your submission contains the compulsory elements referenced in the Instrument 2018.
How to notify the ACSC and Home Affairs
For incidents with a cyber element, you should report to the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs. You can lodge the initial report on the ACSC website and choose to give consent for the ACSC to share the information with Home Affairs. If you do not grant that consent, you must submit a separate maritime security incident report form to the department and select the ‘Cyber’ incident category. Completing the official form is recommended because it prompts the compulsory fields needed for a complete submission.
Telephone reporting and written follow-up
While an initial notification may be made by telephone in urgent situations, it must be followed by a written report within 24 hours. Telephone contact details for the Department of Home Affairs are 1300 791 581 (in Australia) and +61 2 5127 8995 (from outside Australia). Email reports can be sent to [email protected]. Relying solely on a verbal notification risks non-compliance, so plan to complete the formal paperwork as soon as practicable and to supplement early reports with any additional facts you later uncover.
What the written report must contain
A written submission must include as much accurate detail as possible at the time of reporting and any extra compulsory information you learn within the following 24 hours. The Maritime Transport and Offshore Facilities Security (Incident Reporting) Instrument 2018 specifies the formal requirements and the list of mandatory items. Provide descriptions of the affected asset, nature of the incident, time of discovery, actions taken to contain risk, and contact details for the reporting party. Remember that a report missing required information may be treated as not made under subsection 182(3), so completeness matters for both legal compliance and effective incident management.
A just culture approach to reporting
The Department supports a just culture principle for incident reporting: this encourages transparency and timely self-reporting without the immediate threat of enforcement when conditions are met. To benefit from this approach, organisations should voluntarily disclose the incident, be prepared to demonstrate that corrective actions have been taken to reduce the chance of recurrence if asked, and confirm the event was not the result of reckless behaviour. Further details and expectations are set out in official industry guidance, and following that guidance can influence how authorities respond after a report is made.
