A fully reformed critical infrastructure regime
The final anticipated amendments to the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act) have been passed in the nick of time, making their way through the Senate in its last sitting before the 2022 Federal Election. Supplementing the phase one government assistance measures and positive security obligations passed in November 2021, these latest amendments introduce new and enhanced obligations for risk management programs and security respectively, and the concept of ‘systems of national significance’. They also expand the SOCI Act to regulate various entities that previously weren’t captured.
Phase One – SLACI Act
- On 22 November 2021, the Federal Parliament passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (the SLACI Act), the first in a two-part process of amending the SOCI Act. The decision to split the reform into two parts followed recommendations from the Parliamentary Joint Committee on Intelligence and Security (the PJCIS), which we reported on in October last year.
- The expanded critical infrastructure asset definitions, which broaden the scope and application of the SOCI Act, and the introduction of the government assistance measures took effect on 3 December 2021.
Phase Two – SLACIP Act
- On 1 March 2022, public consultation on the phase two amendments concluded. The PJCIS published its advisory report on the SLACIP Bill on 25 March 2022 and Parliament has now passed the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (the SLACIP Act).
- The SLACIP Act further amends various critical infrastructure asset definitions and introduces enhanced cybersecurity obligations for assets of the highest criticality, as nominated by the Minister. It also requires the adoption of a risk management program, though this obligation will need to be 'switched on' like the other positive security obligations from phase one.
- The Minister has published the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 (Cth) (the Definitions Rules), specifying the thresholds for capturing certain critical infrastructure assets. These are also now in effect.
- On 8 April 2022, the Minister issued the Security of Critical Infrastructure (Application) Rules 2021 (Cth) (the Application Rules), which will switch on the positive security obligations.
- The Minister has also published an exposure draft of the Security of Critical Infrastructure (Risk Management Program) Rules 2022 (Cth). We expect that these rules will be subject to imminent mandatory consultation.
- Determine whether your business is affected – these are economy-wide reforms that expand the SOCI Act to a range of previously unregulated entities. It will be important to understand if and how your business is likely to be affected.
- Be ready for the governance measures – newly captured entities should ensure they already have the necessary procedures in place to comply with the government assistance obligations introduced under the SLACI Act, as they’ve already commenced.
- Prepare for the 'switch-on' – the Minister has acted swiftly to finalise the Application Rules. Entities that fall under them should ensure they can comply with the registration and cyber incident notification obligations when the respective grace periods lapse. For some businesses, this may involve implementing contractual pass-throughs, and updating cyberattack response and recovery playbooks.
Legal, Board of Directors, Delivery and Compliance teams, IT and Information Security.
Overview of SOCI Act Reforms and Phase One
Following the reforms, the SOCI Act now applies to 13 critical infrastructure sectors[1] and captures 22 classes of critical infrastructure assets,[2] representing a significant expansion in the regime's scope. Expanded definitions under the SOCI Act also mean that more entities will be considered 'national security businesses' under the Foreign Acquisitions and Takeovers Act 1975 (Cth).
Government assistance measures – in force now
The 'last resort' assistance powers are effective from December 2021. These provide the Government with three key powers it can exercise, in limited circumstances, when a cybersecurity incident is affecting a critical infrastructure asset. Broadly speaking, the Government can now:
- require the disclosure of information;
- order an entity to act in a specified way; and
- authorise the Australian Signals Directorate (the ASD) to step in or take direct action where necessary.
Although the powers only arise when a cybersecurity incident is affecting a defined critical infrastructure asset, they can be applied very broadly to any ‘relevant entity’ of a 'critical infrastructure sector asset' (provided the cybersecurity incident is affecting a critical infrastructure asset, and not just a critical infrastructure sector asset).
Obligation to notify data service providers – in force now
There is now a very broad obligation to notify data storage and processing service providers when their services relate to 'business critical data'.[3]
This means if a 'responsible entity' for a critical infrastructure asset becomes aware they are processing or storing business critical data, and the service is provided by another entity on a commercial basis, that responsible entity must take reasonable steps to inform the service provider. As soon as practicable, the service provider should be made aware that:
- they’re providing data services to the responsible entity on a commercial basis; and
- such services relate to business critical data.
Positive security obligations
Even though the SLACI Act received royal assent, each of the new positive security obligations (set out below) must be 'switched on' by the Minister for Home Affairs before they apply to new entities.[4] In other words, these obligations will not apply to new entities captured by the SOCI Act until applicable rules are issued, switching each obligation on for certain asset classes.
Mandatory cybersecurity incident notification requirements – switched-on
On 8 April 2022, the Application Rules were published and registered. They switch on the mandatory cyber incident reporting obligations for numerous responsible entities of critical infrastructure assets. The obligations commence on the later of:
- three months after the commencement of the Application Rules (ie 8 July 2022); or
- three months after the asset became a critical infrastructure asset (eg where a new critical hospital is built, three months after the hospital becomes a critical hospital asset per the SOCI Act).
Once the three-month grace period has ended, these new cyber incident mandatory reporting requirements involve two levels of reporting:
- If an entity becomes aware that a cybersecurity incident has had, or is having, a significant impact on the availability of the asset, it must report this event within 12 hours to the ASD (or another agency nominated in the rules).
- If an entity becomes aware that a cybersecurity incident has had, or is having, a relevant impact on the availability of the asset, it must report this event within 72 hours to the ASD (or another nominated agency). The rules break down what constitutes a relevant impact.
Various critical infrastructure asset categories specified in the Application Rules will be required to comply with the cyber incident reporting requirements once they commence in July.[5]
Register of Critical Infrastructure Assets – switched-on
The obligation to register details in the Register of Critical Infrastructure Assets previously applied (under Part 2 of the SOCI Act) to electricity, gas, ports and water and sewerage assets. The reforms extend the existing reporting requirements to some of the new critical infrastructure asset classes.
The register is managed by the Cyber and Infrastructure Security Centre, and the obligation requires reporting entities, either direct interest holders or responsible entities of relevant critical infrastructure assets, to provide interest, control and operational information to the centre.[6] Notably, the register is not publicly accessible and this obligation must also be switched on for newly affected entities.
The Application Rules will switch on the registration obligations for 13 categories of critical infrastructure assets.[7] They commence on the later of:
- six months after the rules commence (ie 8 October 2022); or
- six months after the asset becomes a critical infrastructure asset.
New Phase Two Amendments
The SLACIP Act introduces the final component of the 'positive security obligations' for responsible entities (risk management programs), as well as enhanced obligations that apply to 'systems of national significance'. These measures make up phase two of the SOCI reforms.
The obligations under the SLACIP Act are substantially similar to those introduced under the 2020 SOCI Bill (discussed in our previous Insight), but some additions and refinements have been made as a result of public consultation over the past 12 to 18 months and the various PJCIS referrals.
Risk Management Program (Part 2A) – 2022 (must be the subject of mandatory consultation and then switched on)
Certain responsible entities will be required to implement and maintain a Risk Management Program that manages and mitigates prescribed risks associated with their critical infrastructure asset. Initially, the Government had intended for the obligations to be set out in the sector-specific rules. However, following public consultation and the PJCIS's March 2022 Advisory Report, the Government has confirmed that it intends to release a single set of principles-based rules that will apply across all relevant sectors.
Once these obligations are switched on, responsible entities will be required to adopt and maintain, comply with, review regularly, and take all reasonable steps to keep up to date a Risk Management Program. It must:[8]
- identify hazards that present a material risk to the availability, integrity, reliability and confidentiality of critical infrastructure assets, or information about, or stored in, those assets;
- mitigate risks to prevent incidents (so far as it is reasonably practicable to do so);
- minimise the impact of realised incidents (so far as it is reasonably practicable to do so); and
- implement effective governance and oversight procedures, including testing and evaluation, relating to security.[9]
Regulated entities will also need to report annually on their risk management program.
The new provisions let the Minister create rules for circumstances where an entity is responsible for more than one critical infrastructure asset. This makes the rules flexible and adaptable to the business processes and environment of each responsible entity. Further, new provisions allow industry-accepted documents to be recognised as the standard for cybersecurity best practice.[10] These documents will be the accepted guidance materials when designing risk management programs, with potential for the Minister to declare further documents as the industry requires.
Some exemptions have been implemented, including for entities with an existing certified digital certification framework and those authorised by the Minister, although these entities will still have annual reporting obligations under Part 2AA of the SOCI Act.
Enhanced cybersecurity obligations (Part 2C)
The SLACIP Act has also introduced enhanced cybersecurity obligations for assets nominated by the Minister as having the highest criticality – 'systems of national significance'.
These enhanced security obligations require close partnership between responsible entities and government, and introduce obligations to:
- adopt and maintain incident response plans;
- undertake cybersecurity exercises, potentially under Department observation, and subsequent self-evaluation;
- undertake and report on vulnerability assessments; and
- provide the Government with access to system information (excluding personal information) to build a real-time threat picture.
Systems of 'national significance' (Part 6A)
The Minister may privately declare a particular critical infrastructure asset to be a system of national significance. Before declaring this, the Minister must consult with the responsible entity and consider the potential consequences for the social or economic stability of Australia (and its people), and national security.
Current guidance on the declaration provisions indicates systems of national significance are likely to capture assets that underpin many other critical sectors. While it’s too soon to tell, at this stage, it appears the level of interconnectedness between critical assets will be a key consideration as to whether an asset will be a system of national significance. We understand the Minister for Home Affairs has reached out to a small number of assets proposed to be the first systems of national significance under the regime.[11]
Consequential amendments following PJCIS consultation
Businesses that have been following these reforms, or uplifting their practices based on the SLACI Act obligations and definitions that were introduced last year, should be aware that the SLACIP Act amended a number of definitions as a result of further public consultation and PJCIS recommendations. The new amendments have:
- clarified the definition of 'critical data storage or processing asset' by:
  - carving out other critical infrastructure assets that may have previously been inadvertently captured within the scope of the critical data storage or processing definition, due to data storage or processing functions these assets perform (particularly in telecommunications); and
  - reducing the scope of section 12F(1)(b) so information processed by government body entities must also relate to 'business critical data'. Previously, the processing of any government data would result in a service provider's assets being captured within this definition;
- clarified the definition of 'data storage or processing service' so it only applies to services provided on a commercial basis;
- defined a 'critical superannuation asset' as an 'RSE licensee' (as defined in the Superannuation Industry (Supervision) Act 1993 (Cth)) instead of a 'registrable superannuation entity';
- expanded the definition of a 'critical energy market operator asset' to include 'systems' as well as markets;
- brought the definition of 'critical telecommunications asset' in line with the current definition set out in the Telecommunications Act;
- re-defined 'critical education asset' so it covers only security-sensitive research of universities;
- added to the definition of 'critical gas asset' control rooms and any other asset required to operate a gas transmission pipeline;
- limited the definition of 'critical food and grocery asset' to only apply to 'essential' food and grocery services; and
- inserted the definition of a 'critical worker' and a 'critical component'.
The Government likely introduced these changes in response to feedback received on the scope for varying interpretations of these terms. That said, the proposed amendments may not completely resolve industry concerns, particularly concerning the definition of 'data processing services'. Even as amended, the expression may have unintended consequences, as it’s still likely to capture a very broad range of services. Given the indications to date that the Government intends to liaise with industry to achieve workability and compliance, we hope that further rules will bring increased clarity.
In addition to these definitional changes, the SLACIP Act has also:
- Broadened the application of immunity provisions so members of related group companies and contracted service providers would not have any civil liability where they are required to comply with governance assistance directions.[12]
- Amended information sharing provisions to make it easier for regulated entities to share protected information (including the fact that the entity has been declared a system of national significance) with their relevant regulators. Provided the protected information relates to the disclosing entity, and the disclosure is to a prescribed person as required for their functions or responsibilities (eg regulatory duties), then an entity may disclose protected information. Without this amendment, entities would be in breach of the SOCI Act if they informed a regulator that they had been declared a system of national significance.
- Introduced exclusions to the meaning of 'direct interest holder', including a moneylending exemption (s 8(2)) to align the SOCI Act with provisions in the Foreign Acquisitions and Takeovers Regulation 2015. There are additional exemptions for providers of custodial or depository services (s 8(4)) to ensure they do not acquire obligations as direct interest holders.
- Introduced political accountability mechanisms, requiring the Secretary to provide regular reports to the Minister on the progress and outcomes of further consultation on amendments undertaken by the Department. The Minister will also be required to undertake an independent review and produce a written report on the operation of the SOCI Act as amended in 12 months (ie in March/April 2023).
[1] Financial services and markets; Communications; Data storage and processing; Defence; Food and grocery; Higher education and research; Health care and medical; Transport; Energy; Space technology; Aviation; Maritime transport; and Water and sewerage.
[2] Critical telecommunications asset; critical broadcasting asset; critical domain name system; critical data storage or processing asset; critical banking asset; critical superannuation asset; critical insurance asset; critical financial market infrastructure asset; critical water asset; critical electricity asset; critical gas asset; critical energy market operator asset; critical liquid fuel asset; critical hospital; critical education asset; critical food and grocery asset; critical port; critical freight infrastructure asset; critical freight services asset; critical public transport asset; critical aviation asset; a critical defence industry asset; an asset declared under section 51 of the SOCI Act to be a critical infrastructure asset; an asset prescribed by the rules.
[3] SOCI Act, s 12F(3).
[5] The cyber incident reporting obligations under Part 2B of the SOCI Act have been switched on by the Application Rules for the following asset classes: critical broadcasting assets; critical domain name systems; critical data storage or processing assets; critical banking assets; critical superannuation assets; critical insurance assets; critical financial market infrastructure assets; critical food and grocery assets; critical hospitals; critical education assets; critical freight infrastructure assets; critical freight services assets; critical public transport assets; critical liquid fuel assets; critical energy market operator assets; certain critical aviation assets; critical ports; critical electricity assets; and critical gas assets.
[6] SOCI Act, s 23.
[7] The registration obligations under Part 2 of the SOCI Act have been switched on by the Application Rules for the following asset classes: critical broadcasting assets; critical domain name systems; critical data storage or processing assets; critical financial market infrastructure assets that are a payment system; critical food and grocery assets; critical hospitals; critical freight infrastructure assets; critical freight services assets; critical public transport assets; critical liquid fuel assets; critical energy market operator assets; and critical electricity assets and critical gas assets that were not critical infrastructure assets before the commencement of s 18A of the SOCI Act.
[8] SOCI Act, ss 30AC–30AF.
[9] Contravention of any of these obligations carries a fine of 200 penalty units for individuals or 1,000 penalty units for bodies corporate.
[10] See SOCI Act, ss 30ANA, 30ANB and 30ANC.
[11] Letter from Hamish Hansford, Head – Cyber and Infrastructure Security Centre, dated 8 April 2022.
[12] SOCI Act, ss 35ABB and 35BB.