
Key points

  • With Australia’s critical infrastructure laws subject to complex, ongoing and wide-ranging reform, there are important new ‘positive security obligations’ impacting entities across a range of sectors. Following the first wave of reform in December 2021, entities must pay heed to the next wave of obligations as they are successively rolled out. See the table provided at the end of our article for a snapshot of key requirements and effective dates.
  • Two out of the three new ‘positive security obligations’ under the Security of Critical Infrastructure Act 2018 (Cth) have now come into effect. 
  • Firstly, mandatory cyber incident reporting is now in effect. As of 8 July 2022, responsible entities for specified critical infrastructure asset classes must notify the Australian Signals Directorate of cyber security incidents within a window of 12 or 72 hours, depending on the incident type.
  • Secondly, a requirement to provide information to the Register of Critical Infrastructure Assets imposes reporting obligations on responsible entities and direct interest holders for specified critical infrastructure asset classes, with a deadline of 8 October 2022.
  • Thirdly, a mandatory risk management program scheme has been passed by Parliament, but obligations to adopt a compliant risk management program will not be ‘switched on’ until Risk Management Program Rules come into effect. Grace periods are likely to apply.
  • The Minister for Home Affairs can also declare an asset to be a system of national significance. In such a case, the responsible entity may be subject to enhanced obligations, such as incident response plans, cyber security exercises, vulnerability assessments and provision of system information. 

As we have previously commented, the reform of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) over the past year has been a complicated process for critical infrastructure owners, operators, suppliers and other stakeholders. The changes introduced at the end of 2021 expanded the scope of the legislation both horizontally, to include 11 sectors such as food/grocery, higher education, communications and data storage/processing, and vertically, up into supply chains and supporting networks to address potential security vulnerabilities. Yet, even as Australia reformed the SOCI Act, the threat ecosystem has only worsened with heightened geopolitical tensions.[1] Australian businesses have been urged to adopt an enhanced cyber security posture as a matter of priority.[2] While evident risks to Australia’s critical infrastructure are broader than cyber threats alone, cyber resilience has been a key focus of the reforms to the SOCI Act to date. As observed by Prime Minister Albanese, cyber security is integral to “[b]uilding and maintaining a strong economy, resilient supply chains and the skills, technology, infrastructure and industries” or, in other words, to Australia’s national security and critical infrastructure.[3]

Separate to both the SOCI Act regime, and discrete legislative measures foreshadowed by the Federal Government in the wake of last week’s cyber-attack on Optus, the Shadow Minister for Home Affairs has today introduced to Parliament a bill intended to modernise criminal offences and combat the increasing trends of data theft, cyber extortion and ransomware.[4] This would include an aggravated offence for persons who target critical infrastructure assets, carrying a maximum penalty of 25 years’ imprisonment.



Mandatory notification of cyber security incidents now in effect

As of 8 July 2022, responsible entities for 21 defined asset classes, across each of Australia’s 11 critical sectors (other than space and defence), are subject to mandatory reporting of cyber security incidents. ‘Responsible entities’ are defined to include entities such as owners, operators, licence-holders or other prescribed entities with responsibility for the asset class in question. Notifications must be made within 12 or 72 hours, depending on the type of incident. Both actual and imminent incidents must be reported to the Australian Signals Directorate, where they have a “significant” or “relevant” impact on the availability of the critical infrastructure asset in question. Although many such incidents were already the subject of voluntary reporting, the mandatory reporting regime is focussed on ensuring Government visibility over the extent and impact of cyber activity on the nation’s critical infrastructure: “The information collected will enhance the Australian Government’s ability to develop strategies to identify and respond to security risks for assets which, if disrupted, would significantly impact Australia”.[5]



Reports must be made within 12 hours of a responsible entity becoming aware of a cyber security incident that has, or is likely to have, a “significant impact” on the availability of the critical infrastructure asset. The asset need not be totally impaired in order for this reporting obligation to be triggered. A “significant impact” occurs where the incident materially disrupts the availability of an asset used in connection with essential goods or services – for example, incidents that:

  • result in a loss of control over the asset’s operating technology;
  • prevent an asset from functioning as intended and/or delivering services; or
  • necessitate a shutdown of core services to contain the incident.

Reports must be made within 72 hours of a responsible entity becoming aware of a cyber security incident that has a “relevant impact”, which is defined as a direct or indirect impact of the hazard on the asset’s availability, integrity or reliability, or on the confidentiality of information about or stored in the asset, or computer data. For example, where an incident:

  • does not affect the supply of core services by the asset, but the responsible entity must put in place workarounds to ensure supply;
  • does not interrupt the supply and delivery of core consumer goods by the asset, but causes an outage in consumer support services; or
  • results in access by an unauthorised party to consumer data.

Reports may be made via the Australian Cyber Security Centre (ACSC) at www.cyber.gov.au. Urgent verbal reports may be made by calling 1300Cyber1 (1300 292 371), but must be followed by written reports via the ACSC’s website shortly thereafter (within 84 hours of verbal notification for an incident with a “significant impact” and within 48 hours of verbal notification for an incident with a “relevant impact”).[6]

Importantly, incidents such as scam calls/emails, telephone denial of service attacks and physical hazards do not fall within the scope of this mandatory reporting regime. The Cyber and Infrastructure Security Centre (CISC) has provided sector-specific guidance, including examples of cyber incidents that will trigger the 12 hour and 72 hour reporting windows.[7]

In addition to any mandatory reporting requirements under the SOCI Act, entities must also consider any other applicable mandatory notification regimes, or requirements to liaise with sector-specific regulators. For example:

  • Organisations with an annual turnover exceeding $3 million (amongst others) must report ‘eligible data breaches’ and notify affected individuals under the Privacy Act 1988 (Cth). 
  • Australian businesses with international establishments or activities may have reporting obligations under foreign laws and regulations, such as the EU or UK General Data Protection Regulation.
  • Reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) have suspicious matter reporting obligations.
  • Financial institutions must report ‘material information security incidents’ under APRA Prudential Standard CPS 234. 

Compliance with Register requirements by 8 October 2022

By 8 October 2022, information relating to 13 defined classes of critical infrastructure assets must be provided to the Secretary of the Department of Home Affairs. The prescribed asset classes are critical broadcasting, domain name, data storage/processing, financial market infrastructure (payment systems), food/grocery, hospital, freight infrastructure and services, public transport, liquid fuel, energy market operator, electricity and gas assets (as defined).[8]

This information will be maintained on the Register of Critical Infrastructure Assets, which is not made public. Responsible entities for such assets must provide operational information (including, for example, the asset’s location, details regarding the responsible entity and its CEO, and how data is maintained). Direct interest holders for such assets must provide interest and control information (including, for example, information about their residence and country of incorporation or citizenship, the influence and control held by them and by any higher entity, and the ability of persons appointed by them to directly access networks or systems to operate or control the asset).

These reporting entities will be subject to an ongoing obligation to ensure that the information as maintained on the Register is correct and current. If the Register reporting obligations are ‘switched on’ for further asset classes, reporting entities for those assets will have a grace period of 6 months to comply.[9] The purpose of the Register is to assist the Government to understand ownership and operational arrangements as well as interdependencies between critical infrastructure assets, and to identify and manage risks which could cause significant harm to Australia.[10]

Risk management program still to be ‘switched on’

While the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (SLACIP Act), which came into effect on 2 April 2022, introduced into the SOCI Act the legislative framework for risk management program obligations, those obligations are yet to be ‘switched on’ for any classes of assets. That will occur through the commencement of rules.

The Minister for Home Affairs is considering the draft Risk Management Program Rules as released by the previous Government on 26 November 2021. Public consultation for at least 28 days is required on the rules as formally proposed, before risk management program obligations are then ‘switched on’ by such rules for prescribed classes of critical infrastructure assets.[11] Currently, these obligations are proposed to initially apply to 11 classes of assets: critical broadcasting, domain name system, data storage/processing, hospital, energy market operator, water, electricity, gas, liquid fuel and financial market (payment system operator) assets and specified critical defence industry assets.[12]

This aspect of the SOCI Act regime is intended to “uplift core security practices” by requiring responsible entities to adopt, maintain, review, update, report on and comply with a written risk management program.[13] The focus of the program is on identification, minimisation and/or elimination of hazards that pose a material risk to critical infrastructure assets – ranging from physical risks such as pandemics and natural disasters, to key personnel risks, supply chain hazards, sabotage, terrorism, infiltration and cyber attacks. In mitigating cyber and information security threats, the draft Rules suggest that affected businesses may be required to have in place a risk management program that complies with a standard or framework equivalent to:

  • ACSC’s Essential Eight Maturity Model at maturity level one;
  • Standards Australia’s Information Security Management Systems – Requirements (AS ISO/IEC 27001:2015);
  • National Institute of Standards and Technology Cybersecurity Framework;
  • Cybersecurity Capability Maturity Model (C2M2) at Maturity Indicator Level 1; or
  • Security Profile 1 of the Australian Energy Sector Cyber Security Framework.

Enhanced cyber security obligations for systems of national significance

The SLACIP Act also introduced enhanced cyber security obligations for assets declared by the Minister for Home Affairs to be “systems of national significance” (SoNS).[14] SoNS are a small subset of key critical infrastructure assets recognised by the Minister as being integral to Australia’s economy, society, defence or national security “by virtue of their interdependencies across sectors and potential for cascading consequences to other critical infrastructure assets and sectors if disrupted”.[15] Before declaring any critical infrastructure assets to be SoNS, the Minister must first notify the responsible entity of the proposed declaration and undertake a mandatory consultation period.

If an asset is declared a SoNS, its responsible entity may be subject to enhanced obligations, such as incident response plans, cyber security exercises, vulnerability assessments or provision of system information to the Australian Signals Directorate. The Secretary of the Department of Home Affairs will consider which of these obligations are appropriate for each SoNS, depending on its specific role and function.



Government intervention powers and stakeholders’ secrecy obligations

As summarised in our previous article on the first round of reforms to the SOCI Act, responsible entities, direct interest holders and operators of critical infrastructure assets[16] and upstream supply chain assets (critical infrastructure sector assets)[17] are now subject to enhanced Government intervention powers and secrecy obligations.

Entities and individuals (including those who own or operate either critical infrastructure assets or sector assets) should take particular care before using or disclosing any documents or information obtained or generated under the SOCI Act, as it may well be “protected information” and subject to strict secrecy obligations. Criminal offence and penalty provisions apply in the event of unauthorised use or disclosure.



Observations

The resilience and security of Australia’s critical infrastructure will continue to be a focus of the Albanese Government, as signalled by the establishment of Australia’s first Cyber Security Portfolio in May 2022. The Minister for Cyber Security (who is also Minister for Home Affairs) has instructed her department to create a new national cyber security strategy, announcing that it would be “grounded in sovereign capability, with a plan for the future workforce and growth of the cyber security sector, including Australian cyber SMEs”.[18]

CISC has foreshadowed that it will work with industry to ensure that entities understand their new obligations for cyber incident reporting and updating the Register. The Centre has indicated that for the first twelve months it intends to focus on education, rather than enforcement, where there is a genuine attempt at compliance. For example, during this initial education phase, CISC does not intend to take enforcement action where an entity erroneously identifies a cyber incident as having a “relevant impact” and reports it within 72 hours, where in fact it was a critical incident which was reportable within 12 hours.[19]

Affected entities should, as a priority, ensure that they are aware of their enlivened cyber incident reporting obligations and are in a position to provide required Register information by 8 October 2022.

Stakeholders should also consider the draft Risk Management Program Rules, any revisions that are released and the risk management program fact sheet circulated by CISC. Although it is likely that a grace period for compliance will apply, entities would be well-served to consider, in advance, what steps and timeframes would be required to uplift their risk-based plans, by reference to the criteria and standards cited in the draft Rules.



Key amendments to the SOCI Act (as at 26 September 2022) - Click here to see the table.

[1] Australian Cyber Security Centre (ACSC), ‘Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure’ (Joint Advisory AA22-110A, 17 May 2022); ACSC, ‘Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations’ (Joint Advisory AA22-257A, 14 September 2022).

[2] ACSC, ‘Australian organisations should urgently adopt an enhanced cyber security posture’ (Advisory 2022-02, Version 11 as updated on 28 April 2022).

[3] The Hon. Anthony Albanese, ‘An address by Opposition Leader Anthony Albanese’ (Speech delivered at the Lowy Institute, Sydney, on 10 March 2022).

[4] Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (Cth), introduced as a private member’s bill on 26 September 2022.

[5] Cyber and Infrastructure Security Centre (CISC), Industry Awareness Session: Protecting Critical Infrastructure and Systems of National Significance (7 July 2022).

[6] Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), ss 30BC(3) and 30BD(3); CISC, Fact Sheet – Cyber Security Incident Reporting (July 2022).

[7] CISC, Guide – Mandatory Cyber Incident Reporting: Initial guidance for Critical Infrastructure Sectors.

[8] SOCI Act, s 18A(1)(a) and Security of Critical Infrastructure (Application) Rules 2022 (Application Rules), r 4(1).

[9] SOCI Act, s 18A(3); Application Rules, r 4(3).

[10] CISC, Fact Sheet – Register of Critical Infrastructure Assets Guidance (September 2022).

[11] SOCI Act, s 30ABA(3).

[12] CISC, Fact Sheet – Risk Management Program (August 2022).

[13] Ibid.

[14] The SLACIP Act also (among other things) amended the definitions of certain classes of critical infrastructure assets and extended civil immunities to related group companies and contracted service providers.

[15] CISC, Fact Sheet – The Enhanced Cyber Security Obligations Framework (May 2022).

[16] An asset is a “critical infrastructure asset” if it (a) falls within one of 22 asset classes specified in the SOCI Act; (b) is subject to a Ministerial declaration; or (c) is prescribed by the Security of Critical Infrastructure (Definitions) Rules 2021 (Cth) (Definition Rules).

[17] An asset is a “critical infrastructure sector asset” if it “relates to” one or more of Australia’s 11 critical infrastructure sectors. This broad concept is intended to capture supply chains for critical infrastructure or other interdependent parts of the ecosystem.

[18] Geoff Chambers, ‘Labor wipes slate clean in overhaul of Scott Morrison’s cyber security strategy’, The Australian (18 August 2022).

[19] CISC, Guide – Mandatory Cyber Incident Reporting: Initial guidance for Critical Infrastructure Sectors; CISC, Industry Awareness Session: Protecting Critical Infrastructure and Systems of National Significance (7 July 2022).
