Key points
- Risk management program obligations under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) are now live, with the commencement of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules).
- These obligations are intended to protect the essential services and assets that the Australian public and economy relies upon and ensure that businesses take a robust approach to preventing and mitigating key risks.
- The new obligations apply to responsible entities across 13 prescribed asset classes.
- While there is no set format, compliant risk management programs must meet a range of requirements in addressing all material risks to an asset, with discrete requirements for personnel, supply chain, physical security, natural, cyber and information security hazards.
- Affected entities need to take steps to:
- Implement a written risk management program by 17 August 2023
- Commence mandatory annual reporting from 30 June 2024
- Implement a mandatory cybersecurity framework by 17 August 2024
- Further SOCI Act amendments have been foreshadowed, as well as a potential new Cyber Security Act, as part of the Federal Government’s sharp focus on cybersecurity, sovereignty and protection of Australia’s critical services and assets.
Risk management program obligations have now been ‘switched on’ by the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules), which commenced on 17 February 2023. These obligations recognise the serious implications that disruptions and threats to critical infrastructure can have for the Australian public, economy and national security. In particular, they arise from the concern that “existing regulatory frameworks and market forces are insufficient to protect critical infrastructure against all hazard threats in a consistent and coordinated manner”.1
As highlighted in our previous articles here and here, the first two positive security obligations under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) were switched on last year (mandatory notification of cyber security incidents, effective from 8 July 2022, and Register reporting requirements, effective from 8 October 2022). The foreshadowed third obligation under Part 2A of the SOCI Act, requiring certain entities to implement a risk management program, has now been switched on, following industry consultation.
There is no prescribed format for the required written risk management program, given that each asset will have its own operational context and associated risks. Entities have been encouraged by the Cyber and Infrastructure Security Centre (CISC) to supplement and add to any existing frameworks and processes in meeting the new obligation, and adopt a robust, holistic and proactive approach to securing their assets. CISC describes the obligation as “a great opportunity for owners and operators to ‘think big’ and take an ‘all hazards’ approach to safeguarding their business, assets, and people”.2
Who is subject to the obligation?
The following 13 classes of critical infrastructure assets are specified by the CIRMP Rules:3
- critical broadcasting assets
- critical domain name systems
- critical data storage or processing assets
- critical electricity assets
- critical energy market operator assets
- critical gas assets
- designated hospitals
- critical food and grocery assets
- critical freight infrastructure assets
- critical freight services assets
- critical liquid fuel assets
- critical payment system financial market infrastructure assets
- critical water assets
As such, responsible entities for critical infrastructure assets within any of the above asset classes will be subject to the risk management program obligation.4
As noted here, entities should carefully assess whether or not a given asset within these 13 asset classes is a “critical infrastructure asset” by reference to the definitions in both the SOCI Act and the Security of Critical Infrastructure (Definitions) Rules 2021 (Cth). A private Ministerial declaration under s 51 of the SOCI Act may also render an asset critical and subject to the risk management program obligation.5
What are the requirements of a risk management program?
Responsible entities caught by the new obligation must now adopt, maintain, comply with, review, keep up to date and report on a written risk management program.6
The program must identify each hazard that, if it occurred, would have a material risk of a relevant impact on the asset. The program must then, so far as reasonably practical, minimise or eliminate any material risk of such a hazard occurring, as well as mitigate its impact should it occur.7
“Relevant impact” is defined to include a direct or indirect impact on an asset’s availability, integrity or reliability or on the confidentiality of asset information.8 “Materiality” of a risk is assessed by reference to the likelihood of the hazard occurring and the relevant impact of the hazard on the asset.9 Material risks are deemed to include (for example) stoppages or major slowdowns for an unmanageable period, deliberate or accidental manipulation of an asset’s critical component, or storage, transmission or processing of sensitive operational information outside Australia.10
The CIRMP Rules specify a number of other particular requirements for a risk management program, such as a risk identification process, a process or system to minimise/eliminate each material risk and mitigate its impact, a risk management methodology, a process for reviewing the program and keeping it up to date, and the designation of responsibilities for these tasks.11
More prescriptive requirements apply for four key hazard types:
Personnel hazards – Material risks may arise from both malice and negligence of critical workers, and occur from initial hiring decisions through to the off-boarding process. A risk management program must include suitability assessments for all employees and contractors with access to an asset’s critical components. The CIRMP Rules encourage the use of the AusCheck background checking scheme in assessing the suitability of critical workers.
Supply chain hazards – Threats may include malicious people, both internal and external, who exploit, misuse, access or disrupt the supply chain. Vulnerabilities also arise from over-reliance on particular suppliers. Entities must ensure that their risk management program identifies their major suppliers and the supply chain hazards which could have a relevant impact on the asset.
Physical security and natural hazards – Depending on an asset’s operating environment, material risks may range from oil or chemical spills through to bushfire, flood or biohazard health hazards. Entities must ensure that their risk management program incorporates controls such as restricted personnel and visitor access to an asset’s physical critical components, and testing of security arrangements and breach recovery procedures.
Cyber and information security hazards – In the context of the worsening cyber threat environment, experienced acutely across all Australian industry sectors, risk management programs must ensure compliance with one of the following (or its equivalent):
- Australian Signals Directorate, Essential Eight Maturity Model, at maturity level one;
- Australian Standard AS ISO/IEC 27001:2015;
- US National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity;
- US Department of Energy, Cybersecurity Capability Maturity Model, Maturity Indicator Level 1; or
- Australian Energy Market Operator Limited, 2020-21 AESCSF Framework Core, Security Profile 1.
By when?
In recognition of the substantial nature of the risk management obligation and the significant steps, time and cost that businesses will require to achieve compliance (particularly in bringing their cybersecurity programs up to the required baseline), the following staged timeframes apply:
- Adopt and maintain a risk management program within a 6 month grace period12: by 17 August 2023
- Establish and maintain compliance with the mandated cybersecurity framework requirements within an 18 month grace period13: by 17 August 2024
- Commence annual reporting for FY2023-2024: within 30 June to 28 September 2024
Responsible entities for assets subject to the CIRMP Rules must submit an annual report on their risk management programs. Reports must be approved by an entity’s Board or other governing body and submitted in approved form to the Reserve Bank of Australia (for payment system assets) or to CISC (otherwise), within 90 days of the end of the Australian financial year.14 CISC has advised that the first annual report required will be for FY2023-2024, which must be submitted between 30 June and 28 September 2024.15 However, CISC strongly encourages the voluntary submission of a “[not] overly complex or detailed” report for FY2022-2023, to “provide a ‘pulse-check’” on how entities are progressing with their risk management programs.16
On the horizon: further cyber laws ahead for critical infrastructure, industry, government
While the risk management program obligation completes the third and final positive security obligation to be switched on under the SOCI Act, more legislative activity can be expected in this space.
Extensive reforms to Australia’s cybersecurity laws have been foreshadowed, with the release of the 2023-2030 Australian Cyber Security Strategy Discussion Paper,17 and the establishment of the Department for Home Affairs’ new National Office for Cyber Security, to be led by a Coordinator for Cyber Security. Key developments to be aware of include:
- Possible expansion of the SOCI Act to include customer data and systems in the definition of critical infrastructure assets, allowing government intervention powers to be triggered in the event of data hacks such as those experienced by Optus and Medibank
- The potential for a new Cyber Security Act to impose cyber-specific legal obligations on industry and government, and possibly direct obligations for company directors
- Legislation to address the circumstances in which ransomware payments are permitted, or prohibited
- Bolstering the Federal Government’s incident response capabilities for major cyber attacks
For now, affected responsible entities should ensure their risk management programs meet all mandatory requirements within the applicable 6 and 18 month grace periods, and are effectively and consistently complied with, maintained, reviewed, updated and reported on. Doing so will not only satisfy the newest statutory obligations, but assist in safeguarding both the asset and the financial, reputational and other interests of its owner or operator.
1 Explanatory Statement to the CIRMP Rules, [18].
2 Cyber and Infrastructure Security Centre, Risk management – frequently asked questions (20 October 2022).
3 Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (‘CIRMP Rules’) s 4(1).
4 Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI Act’) ss 30AB–30AD.
5 SOCI Act s 30AB(1)(b).
6 SOCI Act ss 30AC – 30AG.
7 SOCI Act s 30AH(1).
8 SOCI Act s 8G.
9 SOCI Act s 30AH(7).
10 CIRMP Rules s 6.
11 CIRMP Rules s 7.
12 CIRMP Rules s 4(2). If an asset later becomes a critical infrastructure asset to which the CIRMP Rules apply, a responsible entity will then have a grace period of 6 months to develop its risk management program from the date on which the asset became a critical infrastructure asset.
13 CIRMP Rules s 8(3).
14 SOCI Act s 30AG; CIRMP Rules s 5. Annual reports are also required for certain assets not covered by the risk management program obligation but prescribed by SOCI Act s 30AQ (including where strategic level hosting certificates issued by the Digital Transformation Agency are held).
15 https://www.cisc.gov.au/legislative-information-and-reforms/critical-infrastructure/regulatory-obligations.
16 Ibid.
17 Released on 27 February 2023. See: https://www.homeaffairs.gov.au/reports-and-pubs/files/2023-2030_australian_cyber_security_strategy_discussion_paper.pdf.
Amy Cooper-Boast,
Principal, LK