Security of Critical Infrastructure reforms passed swiftly in the Parliament and commenced on 2 April 2022. Impacted organisations must rapidly factor the proposed obligations into their risk programs.
The reforms require entities responsible for certain critical infrastructure assets to adopt and maintain a written critical infrastructure Risk Management Program (RMP). RMP Rules have been the subject of consultation and are expected to be finalised shortly, following further public consultation for a minimum of 28 days.
Organisations should act now to ensure they have an appropriate RMP and have taken a holistic and proactive approach in identifying and mitigating hazards that pose material risks to the availability, integrity, reliability or confidentiality of the asset.
Update on second tranche of reforms
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) proposed that amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) be split into two parts. The first tranche of reforms was set out in the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act), which commenced 2 December 2021. The second tranche of reforms is set out in the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act), which commenced on 2 April 2022.
Since our previous SOCI Round 2 update, consultation on the SLACIP Bill closed and the Bill was introduced to Parliament on 10 February 2022, progressing rapidly through the Lower House with strong bipartisan support.
As with the SLACI Act, the SLACIP Bill was referred to the PJCIS, which held a public hearing on 16 March 2022. It provided its Advisory Report on 25 March 2022, recommending passage of the SLACIP Bill subject to:
- continued consultation and refinement of the discretionary and collaborative aspects of the Bill’s desired outcomes
- appropriate reporting and notification to PJCIS of discretionary SoNS declarations
- independent review of the reforms after one year of operation.
This is to ensure that the intended operations, implications and effectiveness of the SOCI Act are being realised.
In its 2022 Advisory Report, the PJCIS:
- recognised the significant shift to sector-agnostic rules;
- was conscious of industry feedback that the potential costs of establishing and implementing RMPs are considerable for some organisations. It also recognised that the potential breadth and consequences of SoNS declarations bring uncertainty;
- recognised the substantial scope and impact concerning background checking of critical workers (and recommended the relevant definitions be in the Act, not just the Rules);
- noted that the Minister must undertake a further mandatory 28-day consultation process on the Rules for RMPs once the Bill passes;
- accepted Home Affairs’ continuing undertakings to work with and support entities affected by these wide-ranging measures; and
- recommended the government (re)consider establishing a merits review regime for decisions made under the Act.
This last recommendation was not accepted by the Government. The final amendments, introduced in the Senate before the SLACIP Bill passed, were:
- inserting definitions of critical component and critical worker in the SOCI Act
- requiring the Minister to notify the PJCIS of the declaration of a particular asset to be a SoNS
- inserting provisions for reporting every six months to the Minister and the PJCIS on the conduct, progress and outcomes of consultations undertaken by Home Affairs relating to the SLACIP Act and the SLACI Act, and
- requiring the Minister to cause an independent review of the SOCI Act one year after commencement of the SLACIP Act, with the review report to be provided to the Minister within one year of the start of the review and tabled by the Minister in Parliament.
While the SLACIP Act commenced on 2 April 2022, the Rules will still need to be published for consultation for at least 28 days.
The PJCIS 2022 Advisory Report has already recommended that Home Affairs and the Cyber and Infrastructure Security Centre (CISC) conduct a new round of consultation with critical infrastructure industry representatives, relevant employee representative bodies and trade unions to enable further feedback to be incorporated into the draft RMP Rules. This consultation is intended to ensure that the timeframes in the RMP Rules for implementation and commencement are agreed; those timeframes may vary for specific assets.
Risk Management Program Rules
The SLACIP Act requires entities responsible for critical infrastructure assets (other than those exempted) to adopt and maintain a written critical infrastructure Risk Management Program. In line with this, the Government released draft Risk Management Program Rules (RMP Rules) in December 2021 as Attachment C to the Explanatory Memorandum of the SLACIP Bill. On 25 February 2022, CISC (acting on instruction from Home Affairs) strongly recommended immediate voluntary implementation of the RMP Rules in light of the rapidly evolving situation in Ukraine.
To avoid overregulation, it is proposed that the following assets within the following sectors will be exempted from having to prepare an RMP:
- relevant assets (e.g. data centres) where the responsible entity is certified as 'Strategic' under the Australian Government's Hosting Certification Framework (which are regulated under that Framework with the highest level of assurance);
- banking, superannuation, insurance and financial market infrastructure (which are regulated under the Australian Prudential Regulation Authority’s Prudential Standards);
- most defence industry assets (which are regulated by the Defence Industry Security Program);
- higher education assets (which are regulated by the Universities Foreign Interference Taskforce guidelines); and
- public transport assets (which are regulated by state and territory regulations).
RMP categories to address
The RMP Rules are divided into the following categories which bound entities will need to address in their RMP:
- Rule 1: Cyber and Information Security Hazards
- Rule 2: Personnel Hazards
- Rule 3: Supply Chain Hazards
- Rule 4: Physical and Natural Hazards
At a high level, each bound entity will need to consider for its RMP:
- a process or system for identifying the operational context of each of its critical assets
- a principles-based risk identification process to identify risks to each of its critical assets
- a risk management process or system that includes, for each material risk, a process or system to consider the risk and minimise or eliminate the risk as far as it is reasonably practicable to do so
- a process for reviewing the program and keeping the program up to date.
Considerations for the RMP
As part of establishing and maintaining the RMP, the entity must consider whether the RMP:
- describes the outcome of the process or system for identifying the operational context of each of its critical assets
- describes interdependencies between each of its critical assets and other critical infrastructure assets
- identifies each position (with contact details) within the entity that is responsible for developing and implementing the program, and each position responsible for developing and implementing the minimisation or elimination of each material risk
- contains a risk management methodology or principles of a reasonable risk management methodology, and
- describes the circumstances in which the entity will review the program.
RMP timing and penalties
We expect the RMP Rules will provide for a minimum grace period for compliance. This is likely to be at least six months following the later of the Rules commencing and the date on which an asset becomes a critical infrastructure asset subject to the RMP Rules.
Entities required to have an RMP will need to maintain, comply with, review, and update the program, and a failure to do so may result in civil penalties of up to 200 penalty units ($44,400) for an individual or 1,000 penalty units ($222,000) for a body corporate.
Entities will also need to submit an annual report within 90 days of the end of the financial year, in the specified form, which includes a statement:
- as to whether the RMP was up to date at the end of the financial year; and
- on any hazard that had a significant impact, including details of the hazard, the effectiveness of the RMP, and any responsive variation of the RMP.
This annual report must be approved by the relevant board, council or governing body of the entity, and failure to meet these obligations is an offence punishable by 150 civil penalty units ($33,300) for an individual or 750 penalty units ($166,500) for a body corporate.
The SLACIP Act commenced on 2 April 2022. The Rules are still subject to further consultation of a minimum of 28 days.
While the Rules may be refined and transition periods clarified, substantial revision is unlikely. With the current global situation, operators of critical infrastructure will be well served by ensuring their current processes will support compliance with their impending obligations, and in particular the RMP Rules.