TLDR
The Minister for Home Affairs has commenced consultation on the proposed risk management program (RMP) under the amended Security of Critical Infrastructure Act 2018 (SOCI Act). Consultation is open for 45 days from Wednesday 5 October 2022 until Friday 18 November 2022.
Background
RMP requirements
As part of the recent reforms to the SOCI Act, the previous Government introduced RMP requirements. The Minister for Home Affairs can require the responsible entity for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program (new Part 2A of the Act).
For each critical infrastructure asset of the relevant responsible entity, the purpose of an RMP is to:
- identify each hazard (both natural and human induced) where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
- so far as it is reasonably practicable to do so — minimise or eliminate any material risk of such a hazard occurring; and
- so far as it is reasonably practicable to do so — mitigate the relevant impact of such a hazard on the asset.
In determining whether a risk is a material risk, a responsible entity must consider the likelihood of the hazard occurring and the relevant impact of the hazard on the asset if the hazard were to occur.
Responsible entities must:
- adopt, maintain, comply with, regularly review and take all reasonable steps to update an RMP;
- have regard to any matters set out in the rules relating to the RMP requirements (RMP rules) when deciding whether to adopt or vary an RMP, or when reviewing an RMP;
- give an annual report relating to their RMP; and
- comply with any requirements that are specified in the RMP rules.
When do the RMP requirements apply?
The RMP requirements only apply to a critical infrastructure asset if they have been “switched on” by the RMP rules, or if the Minister has declared that the requirements apply to the asset.
Prior to the federal election earlier this year, the previous Government released an exposure draft of the rules relating to the RMP requirements (Draft RMP Rules) in the Explanatory Memorandum to the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (SLACIP Act).
Given the reforms to the SOCI Act were passed with bipartisan support, it was expected that these rules would be carried forward by the current Government.
Application of the Draft RMP Rules to critical infrastructure assets
The Minister for Home Affairs proposes to apply the critical infrastructure risk management program requirements, through the Risk Management Program Rules, to the following asset classes:
- critical electricity assets;
- critical energy market operator assets;
- critical gas assets;
- critical liquid fuels assets;
- critical water and sewerage assets;
- critical financial market infrastructure assets that are a critical payment system (other critical financial market infrastructure assets will not be captured);
- critical data storage or processing assets;
- critical hospital assets;
- critical domain name system assets;
- critical food and grocery assets;
- critical freight infrastructure assets;
- critical freight services assets; and
- critical broadcasting assets.
A ‘grace period’ of 6 months applies from the commencement of the Rules, to allow time for the preparation of a Risk Management Program and implementation of the requirements.
Current consultation
The consultation, which commenced Wednesday 5 October 2022, covers the following areas:
- Draft Risk Management Program Rules
- Draft Risk Management Program Guidance for Industry
- Draft Protected Information Guidance for Industry
- Draft AusCheck background check
- Draft Annual Report Approval form
The Cyber and Infrastructure Security Centre (CISC) will hold two all-sector introductory town hall meetings to commence the consultation, the first on Monday 10 October from 3:30-4:30PM AEDT, and the second on Wednesday 12 October from 3:30-4:30PM AEDT. The CISC will clarify the formal consultation process and the proposed RMP Rules and Guidance set out above.
For further information, including links to participate in these meetings, see the consultation page.
We will provide an in-depth analysis of the draft rules and guidance material in the coming weeks.