SOCI Risk Management Program requirements now in effect

21.02.2023 Vanessa Mellis, Zita Megyeri, Joey Henthorn

On 17 February 2023, the Security of Critical Infrastructure Risk Management Program Rules commenced. The clock is now ticking for impacted responsible entities to become compliant with the risk management program obligation under the Security of Critical Infrastructure Act.

Key takeouts

  • Before 18 August 2023, responsible entities for specified critical infrastructure assets must implement and comply with a risk management program, and then ensure they regularly review and maintain it.
  • Those responsible entities have until 18 August 2024 to have a process or system in place that enables them to comply with an appropriate cyber security framework.
  • Impacted responsible entities must provide a board approved annual report to the Department of Home Affairs (or other applicable regulator) relating to the entity's risk management program within 90 days after the end of the 23/24 financial year, and annually thereafter.

On 17 February 2023, the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (Cth) (CIRMP Rules) commenced. Impacted responsible entities now need to become compliant with the critical infrastructure risk management program (CIRMP) obligation under Part 2A of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).

Part 2A of the SOCI Act provides that a responsible entity for one or more of the specified critical infrastructure assets must have, and must comply with, a written CIRMP, unless an exemption applies. In summary, in its CIRMP, the responsible entity must:

  • identify 'material risks' – responsible entities should identify each hazard where there is a material risk that the occurrence of a hazard could have a relevant impact on the asset
  • minimise and eliminate material risks – responsible entities should minimise or eliminate the material risk of such hazard occurring, so far as is reasonably practicable to do so
  • mitigate relevant impact of the hazard – responsible entities should mitigate the relevant impact of such a hazard on the asset, so far as is reasonably practicable to do so.

Which entities are subject to the CIRMP obligation?

The CIRMP obligation only applies to responsible entities for the following asset classes:

  • critical broadcasting assets
  • critical domain name systems
  • critical data storage or processing assets
  • critical electricity assets
  • critical energy market operator assets
  • critical gas assets
  • designated hospitals (being a subset of ‘critical hospitals’ listed in Schedule 1 of CIRMP Rules)
  • critical food and grocery assets
  • critical freight infrastructure assets
  • critical freight services assets
  • critical liquid fuel assets
  • critical financial market infrastructure assets that are used in connection with a payment system critical to the security of financial services and markets
  • critical water assets.

What is the deadline for compliance?

Responsible entities for these assets must comply with the CIRMP requirements before 18 August 2023 (six months after the commencement of the CIRMP Rules). If an asset becomes a critical infrastructure asset (CI asset) after the commencement of the CIRMP Rules, the responsible entity will have to comply with the CIRMP requirements six months after the asset became a CI asset.

Responsible entities have until 18 August 2024 (or a further 12 months from the end of the applicable six month grace period) to have a process or system in place that enables them to comply with a cyber security framework.

Once implemented, responsible entities will need to review the CIRMP on a regular basis and keep it up to date as appropriate.

Importantly, responsible entities must provide a board approved annual report to the Department of Home Affairs' Cyber and Infrastructure Security Centre (CISC) (or other applicable regulator), relating to the entity's CIRMP, within 90 days after the end of the 23/24 financial year, and annually thereafter. This means the first annual report will be due between 30 June 2024 and 28 September 2024. However, for the 22/23 financial year, the Cyber and Infrastructure Security Centre strongly encourages entities to submit an annual report voluntarily, as a pulse check on how the entity is implementing the CIRMP. The board, council or other governing body must approve the report by completing the Approval Form available on the Department of Home Affairs' website.

The Reserve Bank of Australia (RBA) is specified as the relevant Commonwealth regulator for critical financial market infrastructure assets that are used in connection with a payment system critical to the security of financial services and markets. Responsible entities for those assets will be required to give their annual report to the RBA.

What is the format of the CIRMP?

There is no prescribed format for a CIRMP. CISC encourages responsible entities to incorporate existing risk management frameworks and processes into the CIRMP.

What material risks should be addressed in the CIRMP?

Material risks to be identified in the CIRMP include:

  • a stoppage or major slowdown of the CI asset’s functioning for an unmanageable period
  • a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the CI asset
  • an interference with the CI asset’s operating technology or information communication technology essential to the functioning of the CI asset (for example, a SCADA system)
  • the storage, transmission or processing of sensitive operational information outside Australia (sensitive operational information includes, among other things, layout diagrams, schematics, geospatial information, configuration information and operational constraints)
  • remote access to operational control or operational monitoring systems of the CI asset.

The CIRMP should identify hazards specifically relating to:

  • cyber and information security
  • personnel
  • supply chain
  • physical security.

Cyber and information security

Before 18 August 2024, or 12 months after the end of the applicable six month grace period mentioned above, a responsible entity must comply with a cybersecurity framework listed in the CIRMP Rules, or an equivalent framework to one of those listed, as specified in its CIRMP. Accordingly, an entity will have a total of 18 months to start complying with a chosen cybersecurity framework.

Cybersecurity frameworks specified in the CIRMP Rules are:

  • Australian Standard AS ISO/IEC 27001:2015 (item 1), which is the Australian Standard that adopts the requirements of International Standard ISO 27001
  • Essential Eight Maturity Model published by the Australian Signals Directorate, with the condition that the entity is required to meet maturity level 1
  • Framework for Improving Critical Infrastructure Cybersecurity published by the US National Institute of Standards and Technology
  • Cybersecurity Capability Maturity Model published by the US Department of Energy, with the condition that the entity is required to meet Maturity Indicator Level 1
  • 2020-21 AESCSF Framework Core published by Australian Energy Market Operator Limited, with the condition that the entity is required to meet Security Profile 1.

If a framework is updated or changes, the entity is required to meet the updated requirements as soon as reasonably practicable.

Personnel hazards

The responsible entity must establish and maintain a process or system in its CIRMP:

  • to identify the entity’s critical workers
  • to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access
  • as far as is reasonably practicable to do so, to minimise or eliminate material risks arising from:
      • malicious or negligent employees or contractors
      • the off-boarding process for outgoing employees and contractors.

The process and system for considering the suitability of a critical worker to have access to critical components of a CI asset may be a background check under the AusCheck scheme; however, use of the AusCheck scheme is not mandated. The AusCheck Legislation Amendment (Critical Infrastructure Background Check) Regulations 2023 (Cth) also commenced on 17 February 2023, and it provides for the establishment and operation of the AusCheck background checking scheme for an individual for whom a CIRMP permits a background check.

Supply chain risks

The CIRMP should also address vulnerabilities in the entity's supply chain in areas such as security, suppliers and logistics, and identify hazards throughout the supply chain that could impact the availability, integrity, reliability or confidentiality of the CI asset.

A responsible entity must have regard in its CIRMP to whether:

  • the CIRMP lists the entity’s major suppliers
  • the supply chain hazards, which could have a relevant impact on the CI asset, are described in the CIRMP.

Physical security and natural hazards

For physical security hazards and natural hazards, a responsible entity must establish and maintain a process or system in its CIRMP:

  • to identify the physical critical components of the CI asset
  • to control access to physical critical components
  • for responding to incidents where unauthorised access to a physical critical component occurs
  • for managing and mitigating a variety of physical security hazards and natural hazards to their CI assets.

Next steps

Organisations that are subject to the SOCI Act and CIRMP Rules must take steps now to implement a CIRMP to meet the 18 August 2023 deadline. It will be important for these organisations to consider what uplifts may be required to their existing risk management plans, policies and procedures, or whether a new all-hazards risk management plan should be implemented, to comply with the CIRMP Rules.

Additionally, organisations that are subject to the CIRMP Rules should start preparing for compliance with an appropriate cyber security framework so they can meet the 18 August 2024 deadline.

These responsible entities should also assess their contracts with third parties across their supply chain, and consider what amendments may be required to mitigate material risks and relevant impacts.

Finally, boards should understand the CIRMP requirements applicable to the entity, in preparation for providing approval of the annual report relating to the entity's risk management program, which will first be required within 90 days after the end of the 23/24 financial year.

How we can help

MinterEllison provides full-service IT legal and consultancy services with extensive experience in SOCI laws, risk governance, privacy, data protection, software and IT service procurement. Please contact us if you would like assistance in understanding the risk management program requirements and with implementing a compliant risk management program under the new CIRMP Rules.

For more information about recent far reaching amendments to the SOCI Act, see our previous articles:

https://www.minterellison.com/articles/soci-risk-management-program-requirements-now-in-effect