Organisations across multiple sectors need to start preparing for changes to cybersecurity regulations contained in the Security of Critical Infrastructure Act 2018 (Cth). Recent incidents such as the shutdown of US Colonial Pipeline indicate that critical infrastructure assets are a vulnerable and attractive target for cyber-attacks, particularly as threats to such assets are evolving in a post-COVID world. To address this potential vulnerability, on 22 November 2021, the Government passed the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (the Bill), which amends the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act) to impose various cybersecurity obligations on organisations responsible for critical infrastructure assets. The organisations to which the amendments apply are varied and from multiple sectors, including the communications and data storage or processing sectors.
The amendments to the SOCI Act in this tranche (noting that a further tranche, discussed below, is expected to be introduced later) introduce the following:
It is important to note that the rules, which have yet to be released, will act as ‘on’/‘off’ switches for various obligations set out in the SOCI Act, for example by providing that certain assets are not critical infrastructure assets or that certain obligations do not apply to certain sectors or assets.
These obligations will apply to organisations responsible for critical infrastructure assets in the following sectors (Responsible Entities):
The expanded government powers will also apply to organisations that are direct interest holders of, operators of or managed service providers of such assets.
Under the reformed regime, if the Responsible Entity becomes aware that a cyber security incident is occurring or has occurred which will have an impact on the availability of the relevant asset, the Responsible Entity must notify the relevant regulator (to be specified in the rules or, otherwise, the Australian Signals Directorate). The information to be included in such a report will also be detailed by the forthcoming rules. Failure to notify will result in a fine of 50 penalty units, which as at the date of this article amounts to $11,100.
Notification must occur within:
In this context, ‘significant’ refers to the situation where the asset is used in connection with the provision of essential goods or services and the availability of such goods or services has been materially disrupted, or such other circumstances to be determined by the rules.
Under the SOCI Act, as amended, regulators will also have expansive powers in the event that a cyber security incident is occurring or has occurred which is likely to have an impact on a critical infrastructure asset.
In such circumstances, and where:
We note that action directions and intervention requests must be proportionate, reasonably necessary and technically feasible, and are subject to other restrictions, for example they must only be issued where the entity is unwilling or unable to take all reasonable steps to respond to the incident.
Both obligations arise when the Bill receives royal assent. There is no set time period within which such assent will be received.
At a later date, the government plans to also introduce the following (which were removed from the version of the Bill that was passed):
Contacts: Sophie Dawson, Julie Cheeseman, Joel Parsons, James Hoy, Jessica Laverty, Emma Croft