Earlier this year, Hamilton Locke published guidance on the new SOCI Critical Infrastructure Risk Management Program Rules (CIRMP Rules). With the six-month grace period to implement a risk management plan now expired, a review by the Federal Government of its Cyber Security Strategy 2023-2030 currently underway and imminent reforms to Australia’s privacy legislation, it is timely to review the key features of Australia’s security of critical infrastructure laws.
Reforms to Australia’s critical infrastructure laws in 2021 and 2022 extended the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) beyond the power, utilities and maritime ports sectors. The SOCI Act now applies to certain critical infrastructure assets in 11 sectors considered critical to the supply of essential services to Australians, including financial services, transport, healthcare, food and groceries and education. This followed recommendations in the government’s Cyber Security Strategy 2020, which identified the need to improve the protection of Australia’s critical infrastructure from emerging and evolving natural and human-induced threats, including cyber attacks and interference). The reforms to the SOCI Act were designed to strengthen the security and resilience of critical infrastructure assets by introducing positive security obligations for owners and operators of critical infrastructure assets and to provide the Federal Government with information about the assets and intervention powers in the event of certain cyber security incidents.
The obligations under the SOCI Act may apply to the entity responsible for the operation of the critical infrastructure asset and entities that have a direct interest in the critical infrastructure assets. But not all obligations apply to all sectors, or to all critical infrastructure assets; it is only those for which the obligations have been “switched on” under the Security of Critical Infrastructure (Application) Rules. We have included below a summary of the relevant sectors and assets for which the obligations are currently “switched on”.
Timeline of key events for the SOCI Act
|
5 key features of the SOCI Act
1. Mandatory notification of cyber security incidents
One of the key reforms to the SOCI Act was to introduce a mandatory requirement to notify the Australian Signals Directorate through its Australian Cyber Security Centre (ACSC) of certain cyber security incidents impacting critical infrastructure assets. A cyber security incident is defined quite broadly to mean an act, event or circumstance that involves the unauthorised access to or modification of a computer program or computer data. It also includes unauthorised impairments of electronic communications to or from a computer or the availability, reliability, security or operation of a computer, its data, or a computer program. For example, denial of service (DOS) and ransomware attacks, and other unauthorised access to networks, devices and data.
This reform introduced, for the first time in Australia, a mandatory notification obligation outside of an eligible data breach impacting personal information, largely in response to the Government’s increasing concern over the impact of cyber security incidents on critical infrastructure and essential services, with disruptions posing a significant risk to national security.
The notification obligation and the timeframe for reporting depends on the nature of the cyber security incident:
-
- Critical Cyber Security Incident
- Report within 12 hours of the responsible entity becoming aware of a cyber security incident that has occurred or is occurring and that had or is having a “significant impact” on the availability of a critical infrastructure asset.
- A significant impact is where the cyber security incident materially disrupts or disrupted the availability of essential goods and services provided using the critical infrastructure asset.
- If the report is made over the phone, it must be followed up by a written report within 84 hours.
- Critical Cyber Security Incident
-
- Relevant Impact Cyber Security Incident
- Report within 72 hours of the responsible entity becoming aware of a cyber security incident that has occurred, is occurring or is imminent and that had, is having or is likely to have a “relevant impact” on the availability, integrity, or reliability of the critical infrastructure asset, or on the confidentiality of information about or stored in the critical infrastructure asset.
- If the report is made over the phone, it must be followed up by a written report within 48 hours.
- Relevant Impact Cyber Security Incident
Failure to comply with the reporting obligations may result in a civil penalty (that is, a fine) of up to $15,650 (50 penalty units).
2. Critical infrastructure risk management plan
Responsible entities must adopt, maintain, comply with and keep updated a critical infrastructure risk management plan (CIRMP) for specified critical infrastructure assets, and comply with ongoing annual reporting obligations. Earlier this year, Hamilton Locke published guidance on the rules applicable to CIRMPs, which are now in effect.
The requirements applicable to each type of critical infrastructure asset vary, as set out in the below table.
Responsible entities must ensure they adopt a CIRMP by 17 August 2023 in order to maintain compliance with the SOCI Act. A failure to do so may result in a civil penalty of up to $62,600 (200 penalty units).
3. Register of Critical Infrastructure Assets
The SOCI Act reforms introduced a positive obligation to provide ownership and operational information about critical infrastructure assets to the Cyber and Infrastructure Security Centre (which sits within the Department of Home Affairs), to be recorded on the national Register of Critical Infrastructure Assets. The objective? To provide the Australian Government with an understanding of which entities own, control or have an interest in critical infrastructure assets, so as to help inform national security risk management.
This reporting obligation applies to responsible entities (those with operational responsibility for critical infrastructure assets), as well as direct interest holders (entities with an interest of at least 10% in a critical infrastructure asset, or an interest that puts the entity in a position to directly or indirectly influence or control the asset).
Failure to comply with these obligations may result in a civil penalty of up to $15,650 (50 penalty units).
4. Notify business critical data storage or data processing providers
Responsible entities are required to notify third party data storage or processing providers as soon as practicable, if that provider is storing or processing “business critical data” for a critical infrastructure asset. Failure to comply with this obligation may result in a civil penalty of up to $15,650 (50 penalty units).
“Business critical data” includes:
-
- personal information (as defined in the Privacy Act 1988 (Cth)) of at least 20,000 individuals;
- information related to R&D of a critical infrastructure asset;
- information related to any systems needed to operate a critical infrastructure asset;
- information needed to operate a critical infrastructure asset; or
- information relating to risk management and business continuity of a critical infrastructure asset.
Following notification, the data storage or processing provider will be on notice that it is storing or processing business critical data for a critical infrastructure asset. From the point of “knowing”, the data storage and processing service becomes a critical infrastructure asset and the responsible owner or operator of this asset will need to comply with the SOCI Act.
5. Government powers
If a cyber security incident has occurred, is occurring or is imminent, in certain circumstances the Secretary for Home Affairs may issue the responsible entity, direct interest holder, operator (entity operating the critical infrastructure asset or part of the asset) or managed service provider (entity managing the critical infrastructure asset or part of the asset) with information gathering directions, directions to take certain actions in response to the incident, or intervention requests authorising the Australian Signals Directorate to step in to respond to an incident. This marks a significant change to the role of government, which can have a significant impact on the operational response to cyber security incidents by the private sector.
The Minister for Home Affairs also has broad power to issue directions to a responsible entity or operator (entity operating the critical infrastructure asset or part of the asset) of a critical infrastructure asset where there is a risk that an act or omission would be prejudicial to national security.
Separately, the Minister for Home Affairs may declare an asset to be a ‘System of National Significance’ after consulting with a critical infrastructure asset holder. These are a subset of critical infrastructure assets that are most crucial to Australia, by virtue of their interdependencies across sectors and consequences of cascading disruption to other critical infrastructure assets and sectors.
A System of National Significance will continue to be subject to the obligations which apply to critical infrastructure assets, and the responsible entity for this asset may also be required to comply with enhanced cyber security obligations. This may include undertaking further incident response planning, cyber security exercises, vulnerability assessments, or providing system information to the Australian Signals Directorate.
Security obligations currently “switched on” by sector and asset
The below table sets out security obligations that are “switched on” at the time of writing for each critical infrastructure sector and relevant critical infrastructure assets under the SOCI Act.
Not all assets in a critical infrastructure sector are “critical infrastructure assets”. Determining whether assets will be “critical infrastructure assets” can require close consideration of the relevant definitions in, and rules made under, the SOCI Act.
| Critical infrastructure asset | Applicable positive security obligations | |||
| Sector | Asset | Register of Critical Assets
In force 8 April 2022 (6-month grace period ended 8 October 2022). |
Notification of cyber incidents
In force 8 April 2022 (3-month grace period ended 8 July 2022) |
Risk management program
In force 17 February 2023 (6-month grace period ends 17 August 2023).1 |
| Communications | Telecommunications | X2 | X2 | X2 |
| Broadcasting | ✓ | ✓ | ✓ | |
| Domain name systems | ✓ | ✓ | ✓ | |
| Data storage or processing | Data storage or processing | ✓ | ✓ | ✓ |
| Defence | Defence | X | X | X |
| Education | Education | X | ✓ | X |
| Energy | Electricity | ✓ | ✓ | ✓ |
| Energy market operator | ✓ | ✓ | ✓ | |
| Gas | ✓ | ✓ | ✓ | |
| Liquid fuel | ✓ | ✓ | ✓ | |
| Financial services and markets | Banking | X | ✓ | X |
| Super | X | ✓ | X | |
| Insurance | X | ✓ | X | |
| Financial market infrastructure | ✓3 | ✓ | ✓ | |
| Food and grocery | Food and grocery | ✓ | ✓ | ✓ |
| Hospital | Hospital | ✓ | ✓ | ✓ |
| Space technology | Space technology4 | X | X | X |
| Transport | Port | ✓ | ✓ | X |
| Freight infrastructure | ✓ | ✓ | ✓ | |
| Freight services | ✓ | ✓ | ✓ | |
| Public transport | ✓ | ✓ | X | |
| Aviation | X | ✓5 | X | |
| Water and sewerage | Water and sewerage | ✓ | ✓ | ✓ |
1An additional 12-month grace period ends 17 February 2024 for responsible entities to achieve compliance with cybersecurity framework in risk management plan.
2 Equivalent obligations apply under the Telecommunications Act 1997 (Cth).
3 Only applicable to payment systems.
4 No assets currently defined.
5 Only applicable to certain assets.
Impact on supply chain and acquisitions
The reforms to the SOCI Act will also have flow-down impacts for other Australian businesses that are part of a responsible entity’s supply chain.
With the CIRMP Rules now in force and the prescribed timeframes for reporting cyber security incidents, responsible entities will require contracts with suppliers of goods or services relating to their critical infrastructure assets to include rights and obligations that enable the responsible entity to comply with its obligations under the SOCI Act. We are already seeing this with respect to expanded and more prescriptive obligations for reporting, information-sharing and assisting in the event of a cyber security incident.
The reforms will also likely have an impact on future RFP and vendor security assessment processes. Australian businesses that supply goods and services should review their standard form supply agreements, tender response materials, playbooks and internal processes to ensure they can meet these requirements (and also conduct an updated risk assessment).
For prospective purchasers or investors in owners or operators of critical infrastructure assets, questions around processes to comply with SOCI Act obligations, particularly reporting and CIRMP Rule obligations, should be included as part of the due diligence process.
Next steps
With key reforms to the SOCI Act now in force (other than the grace period to achieve compliance with cyber security frameworks included in CIRMPs, which ends in February 2024), entities subject to the SOCI Act should review their obligations and proactively address any compliance issues, including with respect to risk management, and any up-lift required for existing procurement, incident response and other policies, as well as internal reporting, processes and training.
A key task for responsible entities is to closely review existing data breach response plans and other business continuity plans and policies to ensure they provide for required reporting obligations under the SOCI Act, together with testing and training on the plan. All outsourced data storage and processing arrangements should also be reviewed, and where they relate to “business critical data”, notifications issued and contract terms reviewed in line with the CIRMP Rules.
In addition to ensuring compliance with the SOCI Act, this review and compliance “up-lift” will mean your organisation is well-placed ahead of anticipated (and imminent) reforms to Australia’s privacy laws, as well as any future law reform that may result from the government’s Cyber Security Strategy 2023-2030, once finalised.
For more information, please contact Sophie Bradshaw and Adam Rose.
