The Australian government is currently in the process of implementing reforms directed at protecting Australian critical infrastructure assets (in various sectors, including communications and data processing/storage) from cyber threats. The first tranche of reforms to the Security of Critical Infrastructure Act 2018 (the SOCI Act) was discussed in our earlier article.
On 15 December 2021, the Government released an exposure draft of the second tranche, titled the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the SLACIP Bill) for public consultation. The SLACIP Bill proposes to amend the SOCI Act as follows:
- requiring certain entities to implement risk management programs;
- empowering the relevant minister to declare assets to be ‘Systems of National Significance’; and
- imposing additional cyber security obligations in respect of such Systems of National Significance.
RISK MANAGEMENT PROGRAMS
If the SLACIP Bill is passed, entities responsible for critical infrastructure assets will each be required to implement a Risk Management Program (RMP), being a plan designed to identify and minimise potential risks to the availability, integrity or confidentiality of the relevant critical infrastructure asset.
In addition to any rules made by the relevant minister in respect of RMPs, entities responsible for a critical infrastructure asset would also be required to:
- comply with their RMP;
- provide an annual report on their RMP to their governing body; and
- review their RMP on a regular basis.
Where possible, the government intends to build any additional obligations upon pre-existing regulatory frameworks (for example APRA Prudential Standard CPS 234) so as to minimise the regulatory burden on the industry.
SYSTEMS OF NATIONAL SIGNIFICANCE
If the SLACIP Bill is passed, the relevant minister will be empowered to privately declare certain critical infrastructure assets to be ‘Systems of National Significance’ (SONS). This designation is to be made by reference to the role the relevant asset plays in the social or economic stability, defence, or national security of Australia. It will also be an offence to disclose that an asset has been declared a SONS, subject to various exceptions.
The purpose of such a declaration is to subject entities responsible for Systems of National Significance to enhanced cybersecurity obligations, including:
- statutory incident response planning obligations; and
- requirements to undertake various cybersecurity exercises and vulnerability assessments.
Where a computer is declared to be a System of National Significance, or is required in order to operate a System of National Significance, the entity responsible for that critical infrastructure asset may be subject to further obligations, including a requirement to provide the Australian Signals Directorate with periodic and event-based reports of system information, and to install software that transmits such information.
NEXT STEPS?
The Department of Home Affairs invited interested parties to make submissions on the SLACIP Bill by 1 February 2022. Consultation processes are continuing, including in relation to specific rules underlying the SOCI Act, so those entities with an interest should consider participating.
For further information, please contact:
Julie Cheesemen, Partner, Bird & Bird
james.gong@twobirds.com