The next tranche of the Security of Critical Infrastructure laws has been released in draft for comment. We explore the proposals and what the next steps would be for affected organisations.
Draft Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth)
As recommended by the Parliamentary Joint Committee on Intelligence and Security, the original set of proposed amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) was split into two parts. The first tranche of reforms was set out in the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act), which received Royal Assent on 3 December 2021.
You can read more about the amendments that were introduced by the SLACI Act in our previous article.
On 15 December 2021, the Department of Home Affairs (Department) released the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth) (Draft Bill) for public comment. In light of the holiday period, interested parties only have a relatively short period to make submissions. A number of Town Halls are being convened over the next two weeks, at which feedback can also be submitted.
If passed by Parliament, the Draft Bill will give effect to the second tranche of amendments to the SOCI Act, including:
- requiring entities responsible for critical infrastructure assets (Responsible Entities) to adopt and maintain a critical infrastructure Risk Management Program;
- introducing a new sub-class of protected assets called 'Systems of National Significance' by:
  - outlining the process through which the Minister for Home Affairs (Minister) can declare a critical infrastructure asset to be a System of National Significance; and
  - prescribing enhanced cyber security obligations for Systems of National Significance (Enhanced Security Obligations); and
- making certain ancillary amendments and insertions, such as amending certain definitions relating to critical infrastructure assets specific to each critical sector and introducing information sharing provisions for regulated entities.
These amendments will augment the positive security obligations already introduced by the SLACI Act, including the obligations imposed on Responsible Entities to report serious cyber security incidents and to keep an asset register.
Critical Infrastructure Risk Management Programs
Part 2A of the Draft Bill includes a requirement for Responsible Entities to adopt and maintain a critical infrastructure Risk Management Program. As was the case with the SLACI Act, the obligation for Responsible Entities to adopt and maintain a Risk Management Program will only be 'turned on' by Rules (which are yet to be drafted) or a declaration by the Minister.
Section 30AH of the Draft Bill sets out the following overarching obligations for Risk Management Programs:
- Identify material risks – Responsible Entities will have a responsibility to identify any risks, including both natural and human-induced hazards, that may affect the availability, integrity, reliability and confidentiality of their critical assets.
- Minimise risks to prevent incidents – Responsible Entities will be required to have appropriate mechanisms in place to minimise the chance of any identified risks occurring.
- Mitigate the impact of realised incidents – Responsible Entities will be required to have robust procedures in place to mitigate impacts in the event of a hazard occurring and to recover as quickly as possible. This may include having backups of key systems, adequate stock on hand, redundancies for key inputs, out-of-hours processes and procedures, and communication protocols.
- Effective governance – to increase proactive risk management, Responsible Entities will be required to have appropriate risk management oversight arrangements in place, including evaluation and testing.
Entities that are required to develop and maintain a Risk Management Program would also need to provide annual compliance reports to the Secretary of Home Affairs (Secretary), or a relevant regulator. Failure to comply with the Risk Management Program requirements will be subject to civil penalties (up to 200 penalty units, which currently equates to $44,400).
The Draft Bill contemplates that more details and principles-based requirements for Risk Management Programs will be contained in Rules developed following further industry consultation.
The Explanatory Document for the Draft Bill states that ‘where possible, the requirements under the Risk Management Program recognise or build on existing regulatory frameworks to minimise the regulatory burden on industry’ – that is, to avoid a duplication of regulatory obligations or requirements. An example provided of such duplication is the Defence Industry Security Program, which is considered to be broadly similar to (or exceed) the proposed Risk Management Program requirements. However, for other Responsible Entities, it remains to be seen whether other industry-specific information security requirements (for example, Prudential Standard CPS 234, which applies to banks and other APRA-regulated entities) are considered sufficiently similar to the Risk Management Program obligations so as to obviate the application of these new obligations.
Declaration of Systems of National Significance
The Draft Bill contemplates the Minister being able to declare a critical infrastructure asset to be a 'System of National Significance'. These would be a smaller subset of critical infrastructure assets that are of the highest level of criticality.
Part 6A of the Draft Bill would allow the Minister to declare an asset a System of National Significance if:
- the asset is a critical infrastructure asset; and
- the Minister is satisfied that the asset is of national significance, having regard to:
  - the consequences that would arise for the social or economic stability of Australia or its people and the defence of Australia or national security if a hazard were to occur that had a significant relevant impact on the asset;
  - the nature and extent of interdependencies between the asset and other critical infrastructure assets of which the Minister is aware; and
  - any other matters as the Minister considers relevant; and
- the Minister has engaged in consultations with the Responsible Entity in accordance with the requirements of Part 6A.
Entities that are responsible for a System of National Significance could be required to comply with enhanced security obligations from time to time, following a notice period.
Enhanced Cyber Security Obligations
Part 2A of the Draft Bill empowers the Secretary to impose Enhanced Cyber Security Obligations on Responsible Entities for assets declared to be a System of National Significance in certain circumstances. The Enhanced Cyber Security Obligations include:
- the development of cyber security incident response plans;
- cyber security exercises to build cyber preparedness;
- vulnerability assessments to identify vulnerabilities for remediation; and
- the provision of system information to build Australia's situational awareness.
While each of the Enhanced Cyber Security Obligations will not necessarily apply to every System of National Significance (this will be assessed on a case-by-case basis, which also involves consultation with the Responsible Entity for a System of National Significance), the obligations could be onerous and costly. For example, entities may be required to engage an independent designated officer to observe and report on a cyber security exercise, or to appoint an external auditor to prepare reports on the entity's preparedness for the Secretary.
Failure to comply with the Enhanced Cyber Security Obligations will also carry a civil penalty of up to 200 penalty units.
Other proposed amendments
The Draft Bill also includes revised definitions for provisions that have been identified during public consultation as requiring modification or clarification, such as in relation to the superannuation industry. The primary function of these amended definitions is to clarify the Responsible Entities for critical infrastructure assets, under section 12L of the SOCI Act and as set out in the Draft Bill.
Division 3 of Part 4 of the Draft Bill also sets out a framework for the use and disclosure of protected information. This framework would allow a Responsible Entity to disclose protected information relating to that entity if:
- the information is disclosed to a prescribed person or entity for the purpose of enabling or assisting the person to exercise the person’s powers or perform the person’s functions or duties; or
- the Secretary has consented in writing.
Exposure Draft Security of Critical Infrastructure (Application) Rules 2021 (Draft SOCI Rules)
The other draft document released by the Department for consultation is the Draft SOCI Rules. The Draft SOCI Rules support the SLACI Act. As indicated in our previous article, First Security of Critical Infrastructure Bill is now live, the requirement to maintain a register of critical assets and the incident reporting obligations established under the SLACI Act only apply to Responsible Entities when those requirements are ‘switched on’ by the Rules.
As expected, the Government has not proposed to turn on the asset register obligations for assets within each of the sectors. Rather, the impacted assets are proposed to be in the following sectors:
- data and storage or processing;
- financial services and markets;
- food and grocery;
- transport; and
By contrast, the Government proposes to ‘switch on’ the incident reporting obligations for assets in all of the relevant sectors other than Defence. It is proposed that impacted entities will only have a three-month transition period from the introduction of the Rules before their incident reporting obligations will take effect.
Next steps for those impacted by the draft SOCI Bill and Rules
Organisations that will be impacted by the Draft SOCI Bill and Draft SOCI Rules are encouraged to engage with government on the proposals, either through submissions or at the scheduled virtual Town Halls. Public submissions close at 9:00am (AEDT) on 1 February 2022, and the last Town Hall will be held on 4 February 2022.
In preparation for these changes, and in light of the proposed short transition period, organisations should urgently consider what uplifts may be required to their existing policies, procedures and processes, as well as in their contracts with entities in their supply chain.