Critical Infrastructure Reforms

As you gear up to align with the new requirements, here are six key points that we believe you should be aware of:

1. Selective Applicability: While the complete array of reforms may not pertain to your business, your attention is still crucial. The reforms encompass more than meets the eye.
2. Segmented Breakdown: The Security of Critical Infrastructure Act (SOCI) divides the 11 Critical Infrastructure Sectors into 22 Asset Classes. Delve into the detailed definitions underlying these classes to ascertain if your business falls within their scope and whether you qualify as a responsible entity.
3. Activated Responsibilities: If you are deemed a ‘responsible entity’ based on the aforementioned comprehensive definitions, your next step is determining which obligations are activated for your specific asset class. While Government Assistance Measures apply across all 22 asset classes, not all Positive Security Obligations such as mandatory cyber incident reporting, the Risk Management Program, and Asset Register obligations are universally activated.
4. Engagement Incentives: Even if not all obligations apply to your asset class, there are compelling reasons to engage with the SOCI reforms, as outlined below.
5. Provider Implications: Your service providers might now be classified as critical infrastructure assets due to their commercial ties with you. If you are responsible for a critical infrastructure asset and engage third-party data storage or processing services related to your business-critical data, it’s imperative to inform your provider that they are handling data related to a critical infrastructure asset. This obligation remains regardless of the activation status of Positive Security Obligations and non-compliance may incur civil penalties.
6. Supply Chain Dynamics: Risk Management Programs necessitate responsible entities to provide assurance regarding risk management across their supply chain. This might lead to you or your providers being recognized by other critical infrastructure assets as interconnected systems on which they rely. This implies that other businesses might seek information about your risk management protocols.
7. Potential National Security Business Designation: If you qualify as a ‘responsible entity’ as per SOCI or your business holds a direct interest in relation to a critical infrastructure asset, FATA regulations could classify you as a National Security Business.

Considering these points and comprehending the intricacies of the Security of Critical Infrastructure reforms is paramount for businesses subject to these regulatory changes.

It’s not solely about your own risk tolerance. This is why the Government has the authority to intervene during emergencies. These reforms underscore the significance of critical infrastructure to the nation, granting CI entities a unique social license.

Recent years have shown that the public anticipates government intervention during emergencies. These reforms align with that expectation. Considering the downstream and cascading effects that compromised services could have on the nation offers insight into the government’s perspective.

On a positive note, the government’s most authoritative powers, including direct intervention, are subject to stringent safeguards. The Home Affairs Minister needs the agreement of the Prime Minister and the Defence Minister before activating this authority. Nonetheless, this power’s existence encourages businesses to take robust measures to minimize cyber incident probabilities, even if not legally compelled to do so.

Should the Minister for Home Affairs consider designating any of your assets as a System of National Significance, you’ll have an opportunity to provide input. The notice will include a comment period, usually 28 days or shorter if urgency demands. Preparing your response and familiarizing yourself with the implications of ‘Enhanced Cyber Security Obligations’ for your business is recommended.

While cyber considerations are paramount, an exclusively cyber-focused approach falls short. This is a chance to align your Board’s priorities with cybersecurity. These reforms address the intersection of various risk factors. While cyber plays a pivotal role, meeting obligations necessitates a comprehensive perspective encompassing personnel, physical, cyber, and supply chain security.

These reforms emphasize that entities are more than just their components, so treating each element in isolation isn’t sufficient. This might be a suitable time to assess whether your governance and arrangements reflect this, and make adjustments if necessary.

Furthermore, these reforms clarify that Critical Infrastructure extends beyond tangible assets like infrastructure. Digital components are equally essential within the realm of critical infrastructure.

Security of Critical Infrastructure Act Overview

The Security of Critical Infrastructure Act (2018) (SOCI) has undergone substantial reinforcement through two legislative amendment phases. The initial phase was enacted in December of the previous year, while the second phase became effective in April 2022. Collectively, these amendments extend the Act’s scope from 4 to 11 sectors and establish a framework characterized by the following elements:

• Positive Security Obligation: This includes the provision of ownership and operational details to the Register of Critical Infrastructure Assets, mandatory cyber incident reporting within specified timeframes, and the development of a Risk Management Program.
• Government Assistance Measures: These measures encompass information gathering powers, action directives, and intervention capabilities. They are applicable to all critical infrastructure assets.
• Enhanced Cyber Security Obligations: These obligations are targeted solely at designated ‘Systems of National Significance’.

This is a very high level summary, if you have any further questions about your cyber security, please contact us.