8 July 2022: Grace period ended for Mandatory Cyber Incident Reporting
8 October 2022: Grace period ended for Registering ownership and operational information
The security of Australia's critical infrastructure is facing growing risks.
Are you proactive? There are fresh legislative mandates for critical infrastructure owners and operators. Let us assist you in navigating your responsibilities:
- Comprehend your current position, identify your target, and outline the necessary steps to reach your goal.
- Put your plan into action and consistently oversee its management.
- Continuously seek methods to enhance and bolster resilience across your organization.
Summary of the recent mandates
The Security of Critical Infrastructure Act (2018) was reinforced through two phases of legislation: the initial one in December 2021, followed by the second in April 2022.
These combined updates broaden the Act’s scope, encompassing 11 sectors instead of the original 4, and establish a framework characterized by the following components:
Positive Security Obligation
- Submission of ownership and operational details to the Register of Critical Infrastructure Assets
- Compulsory adherence to cyber incident reporting requirements within specified timeframes
- Creation, adoption, and upkeep of a Risk Management Program, emphasizing cyber, physical, personnel, and supply chain risks (yet to be initiated).
Government Support Measures
These pertain to all critical infrastructure assets and consist of three distinct components:
- Authorities for gathering information
- Directives for taking action
- Powers for intervention.
Enhanced Cyber Security Obligations
These are relevant exclusively to specified ‘Systems of National Significance,’ encompassing:
- Incident Response Plan
- Cybersecurity Drills
- Evaluation of Vulnerabilities
- Submission of system information.
Sectors affected by the enhanced regulatory framework include:
- Health + Medical
- Space technology
- Grocery and food
- Water and sewerage
The impact of the Security of Critical Infrastructure reforms is becoming tangible as the grace periods conclude for two of the Positive Security Obligations: mandatory reporting of cyber incidents by July 8, 2022, and the submission of ownership and operational details to the Register of Critical Infrastructure Assets by October 8, 2022.
As you gear up to align with the new requirements, here are six key points that we believe you should be aware of:
- Selective Applicability: While the complete array of reforms may not pertain to your business, your attention is still crucial. The reforms encompass more than meets the eye.
- Segmented Breakdown: The Security of Critical Infrastructure Act (SOCI) divides the 11 Critical Infrastructure Sectors into 22 Asset Classes. Delve into the detailed definitions underlying these classes to ascertain if your business falls within their scope and whether you qualify as a responsible entity.
- Activated Responsibilities: If you are deemed a ‘responsible entity’ based on the aforementioned comprehensive definitions, your next step is determining which obligations are activated for your specific asset class. While Government Assistance Measures apply across all 22 asset classes, not all Positive Security Obligations such as mandatory cyber incident reporting, the Risk Management Program, and Asset Register obligations are universally activated.
- Engagement Incentives: Even if not all obligations apply to your asset class, there are compelling reasons to engage with the SOCI reforms, as outlined below.
- Provider Implications: Your service providers might now be classified as critical infrastructure assets due to their commercial ties with you. If you are responsible for a critical infrastructure asset and engage third-party data storage or processing services related to your business-critical data, it’s imperative to inform your provider that they are handling data related to a critical infrastructure asset. This obligation remains regardless of the activation status of Positive Security Obligations and non-compliance may incur civil penalties.
- Supply Chain Dynamics: Risk Management Programs necessitate responsible entities to provide assurance regarding risk management across their supply chain. This might lead to you or your providers being recognized by other critical infrastructure assets as interconnected systems on which they rely. This implies that other businesses might seek information about your risk management protocols.
- Potential National Security Business Designation: If you qualify as a ‘responsible entity’ as per SOCI or your business holds a direct interest in relation to a critical infrastructure asset, FATA regulations could classify you as a National Security Business.
Considering these points and comprehending the intricacies of the Security of Critical Infrastructure reforms is paramount for businesses subject to these regulatory changes.
It’s not solely about your own risk tolerance, which is why the Government has the authority to intervene during emergencies. These reforms underscore the significance of critical infrastructure to the nation, granting CI entities a unique social license.
Recent years have shown that the public anticipates government intervention during emergencies. These reforms align with that expectation. Considering the downstream and cascading effects that compromised services could have on the nation offers insight into the government’s perspective.
On a positive note, the government’s most authoritative powers, including direct intervention, are subject to stringent safeguards. The Home Affairs Minister needs the agreement of the Prime Minister and the Defence Minister before activating this authority. Nonetheless, this power’s existence encourages businesses to take robust measures to minimize cyber incident probabilities, even if not legally compelled to do so.
Should the Minister for Home Affairs consider designating any of your assets as a System of National Significance, you’ll have an opportunity to provide input. The notice will include a comment period, usually 28 days or shorter if urgency demands. Preparing your response and familiarizing yourself with the implications of ‘Enhanced Cyber Security Obligations’ for your business is recommended.
While cyber considerations are paramount, an exclusively cyber-focused approach falls short. This is a chance to align your Board’s priorities with cybersecurity. These reforms address the intersection of various risk factors. While cyber plays a pivotal role, meeting obligations necessitates a comprehensive perspective encompassing personnel, physical, cyber, and supply chain security.
These reforms emphasize that entities are more than just their components, so treating each element in isolation isn’t sufficient. This might be a suitable time to assess whether your governance and arrangements reflect this, and make adjustments if necessary.
Furthermore, these reforms clarify that Critical Infrastructure extends beyond tangible assets like infrastructure. Digital components are equally essential within the realm of critical infrastructure.
Security of Critical Infrastructure Act Overview
The Security of Critical Infrastructure Act (2018) (SOCI) has undergone substantial reinforcement through two legislative amendment phases. The initial phase was enacted in December 2021, while the second phase became effective in April 2022. Collectively, these amendments extend the Act’s scope from 4 to 11 sectors and establish a framework characterized by the following elements:
- Positive Security Obligation: This includes the provision of ownership and operational details to the Register of Critical Infrastructure Assets, mandatory cyber incident reporting within specified timeframes, and the development of a Risk Management Program.
- Government Assistance Measures: These measures encompass information gathering powers, action directives, and intervention capabilities. They are applicable to all critical infrastructure assets.
- Enhanced Cyber Security Obligations: These obligations are targeted solely at designated ‘Systems of National Significance’.
This is a very high-level summary. If you have any further questions about your cyber security, please contact us.