New Security of Critical Infrastructure Protections

This article applies to organisations that manage critical infrastructure assets.

Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth)

Please be advised that the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the Bill) passed Parliament on 30 March 2022 and received Royal Assent on 1 April 2022, later commencing on 2 April 2022. The Bill will amend the Security of Critical Infrastructure Act (2018) (Cth) (the Act).

By way of overview, the Bill will amend the Act to create obligations for responsible entities that manage or operate critical infrastructure assets to have and comply with a critical risk management program. The Bill also creates annual reporting requirements for the critical risk management program and creates enhanced cyber security obligations for entities responsible for the management of systems deemed to be of national significance.

Critical infrastructure risk management programs

The new Part 2A of the Act will require the responsible entity for one or more critical infrastructure assets to adopt and maintain a critical infrastructure risk management program.

The purpose of the program is to:

  • identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
  • so far as it is reasonably practicable to do so—minimise or eliminate any material risk of such a hazard occurring;
  • so far as it is reasonably practicable to do so—mitigate the relevant impact of such a hazard on the asset.

The matters to be considered when adopting or making variations to the critical infrastructure risk management program will be specified by legislative instrument, referred to as risk management program rules (yet to be released as at the date of publication).

The program may also be required to include provisions required by the rules, such as requiring background checks of individuals, which may include electronic or in-person verification checks.

The responsible entity must comply with the program, review the program on a regular basis and take all reasonable steps to ensure the program is up to date.

A civil penalty of 200 penalty units (currently $36,348) applies for failure to comply with the requirements outlined above.

Reporting obligations relating to critical infrastructure assets

The responsible entity will be required to give an annual report relating to its risk management program within 90 days of the end of the financial year. If there is a relevant Commonwealth regulator that has functions relating to the security of the critical infrastructure asset, the report must be given to that regulator; in any other case the report must be given to the Secretary of Home Affairs. For example, an entity that controls a critical telecommunications asset must report to the Australian Communications and Media Authority (ACMA).

If, during the reporting period, a hazard had a significant relevant impact on the asset, the report must include a statement that identifies the hazard, evaluates the effectiveness of the program in mitigating the impact of the hazard, and describes any variations to the program that occurred because of the hazard. If the responsible entity has a board, council or other governing body, the report must be approved by that board, council or other governing body, as the case may be. Failing to meet these reporting requirements carries a civil penalty of 150 penalty units (currently $27,261).

Reporting obligations for assets that are not covered by a critical infrastructure risk management program

Responsible entities may be exempt from the reporting obligations for one or more critical infrastructure assets if the entity holds a certificate of hosting certification (strategic level) issued under the hosting certification framework. In this case, if a hazard had a significant relevant impact on the asset, the entity must produce a statement that:

  • identifies the hazard;
  • evaluates the effectiveness of the actions taken to mitigate the impact on the assets;
  • is in the approved form and approved by the board, council or other governing body.

Failure to do so carries a civil penalty of 150 penalty units (currently $27,261).

Enhanced cyber security obligations

The Bill sets out enhanced cyber security obligations that relate to systems of national significance. The Secretary has power to notify an entity that they are the responsible entity for a system of national significance and determine that the statutory incident response planning obligations will apply. In determining if an asset is of national significance, the Minister will consider the impacts on the social or economic stability of Australia, defence, or national security if a hazard were to occur that had a significant relevant impact on the asset.

Entities that manage systems of national significance will be required to adopt, maintain, comply with, regularly review and update an incident response plan that applies to the system and to cyber security incidents. The organisation must also provide a copy of the incident response plan to the Secretary as soon as practicable after its adoption. Failure to meet these obligations carries a civil penalty of 200 penalty units (currently $36,348).

An incident response plan is defined in the Bill as a written plan that:

  • applies to an entity that is the responsible entity for a system of national significance; and
  • relates to the system; and
  • relates to cyber security incidents; and
  • has the purpose of planning for responses to cyber security incidents that could have a relevant impact on the system; and
  • complies with such requirements (if any) as are specified in the rules.

The Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake a cyber security exercise in relation to the system and all types of cyber security incidents.

A cyber security exercise may be undertaken to:

  • test the entity’s ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
  • test the entity’s preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
  • test the entity’s ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system.

The entity will be required to prepare an evaluation report relating to the cyber security exercise and provide a copy of the report to the Secretary of Home Affairs within 30 days of the completion of the exercise. The Secretary also has the power to appoint an external auditor to create a new evaluation report.

An evaluation report, in relation to a cyber security exercise that was undertaken in relation to a system of national significance, serves to:

  • evaluate the entity’s ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
  • evaluate the entity’s preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
  • evaluate the entity’s ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system.

Failure to comply with the requirement to undertake a cyber security exercise carries a civil penalty of 200 penalty units (currently $36,348).

The Secretary may also give written notice to the entity to undertake a vulnerability assessment in relation to a cyber security incident.

A vulnerability assessment relates to a system of national significance and serves to test the vulnerability of the system to all types of cyber security incidents. The entity will be required to prepare a vulnerability assessment report relating to the assessment and provide a copy of the report to the Secretary within 30 days of completing the assessment.



Contact

For further information please contact the Law Compliance team:

Phone: 1300 862 667

Email: info@lawcompliance.com.au
