Reforms to the Security of Critical Infrastructure Act 2018 (Cth) passed

Organisations across multiple sectors need to start preparing for changes to cybersecurity regulations contained in the Security of Critical Infrastructure Act 2018 (Cth). Recent incidents such as the shutdown of the US Colonial Pipeline indicate that critical infrastructure assets are a vulnerable and attractive target for cyber-attacks, particularly as threats to such assets are evolving in a post-COVID world. To address this potential vulnerability, on 22 November 2021, the Government passed the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (the Bill), which amends the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act) to impose various cybersecurity obligations on organisations responsible for critical infrastructure assets. The organisations to which the amendments apply are varied and drawn from multiple sectors, including the communications and data storage or processing sectors.

The amendments to the SOCI Act in this tranche (noting that a further tranche, discussed below, is expected to be introduced later) introduce the following:

  • mandatory cyber incident reporting; and
  • expanded government powers in relation to entities responsible for critical infrastructure sector assets in response to significant cyber-attacks that impact such assets.

It is important to note that the rules, which have yet to be released, will act as ‘on’/‘off’ switches for various obligations set out in the SOCI Act, for example by providing that certain assets are not critical infrastructure assets or that certain obligations do not apply to certain sectors/assets.

Who do the obligations apply to?

These obligations will apply to organisations responsible for critical infrastructure assets in the following sectors (Responsible Entities):

  • data storage or processing;
  • communications;
  • defence;
  • energy;
  • financial services and markets;
  • food and grocery;
  • health care and medical;
  • higher education and research;
  • space technology;
  • transport; and
  • water and sewerage.

The expanded government powers will also apply to organisations that are direct interest holders of, operators of or managed service providers of such assets.

What do the obligations involve?

Mandatory Cyber Incident Reporting

Under the reformed regime, if a Responsible Entity becomes aware that a cyber security incident is occurring or has occurred which will have an impact on the availability of the relevant asset, the Responsible Entity must notify the relevant regulator (to be specified in the rules or, if none is specified, the Australian Signals Directorate). The information to be included in such a report will also be detailed by the forthcoming rules. Failure to notify will result in a fine of 50 penalty units, which as at the date of this article amounts to $11,100.

Notification must occur within:

  • 12 hours (where the impact on the asset is ‘significant’); or
  • 72 hours (where there is an impact on the asset but it is not ‘significant’).

In this context, ‘significant’ refers to the situation where the asset is used in connection with the provision of essential goods or services and the availability of such goods or services has been materially disrupted, or such other circumstances to be determined by the rules.

Expanded Government Powers

Under the SOCI Act, as amended, regulators will also have expansive powers in the event that a cyber security incident is occurring or has occurred which is likely to have an impact on a critical infrastructure asset.

In such circumstances, and where:

  • there is a material risk that the incident will seriously prejudice the social or economic stability, defence or national security of Australia; and
  • no other existing Australian regulatory system could be used to provide an effective response to the incident,

the relevant minister may (in certain circumstances) authorise the following being issued to an entity:

  • information-gathering directions, which require the entity to provide information to the Secretary;
  • action directions, which require the entity to do, or refrain from doing, a specified act or thing; and
  • intervention requests, which request that the Australian Signals Directorate do one or more specified acts or things (such as access or modify a computer, analyse a computer, its programs or data, access, restore, copy, alter or delete data, alter a computer’s functioning, or remove, disconnect or connect a computer) in relation to the asset.

We note that action directions and intervention requests must be proportionate, reasonably necessary and technically feasible, and are subject to other restrictions; for example, they may only be issued where the entity is unwilling or unable to take all reasonable steps to respond to the incident.

When will the obligations arise?

Both obligations arise when the Bill receives royal assent. There is no set time period within which such assent must be received.

What’s next?

At a later date, the government plans to also introduce the following (which were removed from the version of the Bill that was passed):

  • mandatory critical infrastructure risk management programs;
  • enhanced cyber security obligations for certain entities; and
  • designations of systems of national significance, to which more stringent obligations will apply.

Contacts: Sophie Dawson, Julie Cheeseman, Joel Parsons, James Hoy, Jessica Laverty, Emma Croft
