Insight,

Consultation commences on critical infrastructure reforms

AU | EN
Current site :    AU   |   EN
Australia
China
China Hong Kong SAR
Japan
Singapore
United States
Global

TLDR

The Minister for Home Affairs has commenced consultation on the proposed risk management program (RMP) under the amended Security of Critical Infrastructure Act 2018 (SOCI Act). Consultation is open for 45 days from Wednesday 5 October 2022 until Friday 18 November 2022.

Background

​RMP requirements

As part of the recent reforms to the SOCI Act, the previous Government introduced RMP requirements. The Minister for Home Affairs can require the responsible entity for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program (RMP) (new part 2A of the Act).

The purpose of an RMP is to, for each critical infrastructure asset of the relevant responsible entity:

  1. identify each hazard (both natural and human induced) where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
  2. so far as it is reasonably practicable to do so — minimise or eliminate any material risk of such a hazard occurring; and
  3. so far as it is reasonably practicable to do so — mitigate the relevant impact of such a hazard on the asset.

In determining whether a risk is a material risk, a responsible entity must consider the likelihood of the hazard occurring and the relevant impact of the hazard on the asset if the hazard were to occur.

Responsible entities must:

  • adopt, maintain, comply with, regularly review and take all reasonable steps to update an RMP;
  • have regard to any matters set out in the rules relating to the RMP requirements (RMP rules) when deciding whether to adopt or vary an RMP, or when reviewing an RMP;
  • give an annual report relating to their RMP; and
  • comply with any requirements that are specified in the RMP rules.

When do the RMP requirements apply?

The RMP requirements only apply to a critical infrastructure asset if they have been “switched on” by the RMP rules, or if the Minister has declared that the requirements apply to the asset.

Prior to the federal election earlier this year, the previous Government released an exposure draft of the rules relating to the RMP requirements (Draft RMP Rules) in the Explanatory Memorandum to the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (SLACIP Act).

Given the reforms to the SOCI Act were passed with bipartisan support, it was expected that these rules would be carried forward by the current Government.

Application of the Draft RMP Rules to critical infrastructure assets

The Minister for Home Affairs proposes to apply the critical infrastructure risk management program requirements, through the risk management program Rules, to the following asset classes:

  • critical electricity assets;
  • critical energy market operator assets;
  • critical gas assets;
  • critical liquid fuels assets;
  • critical water and sewerage assets;
  • critical financial market infrastructure assets that are a critical payment system (other critical financial market infrastructure assets will not be captured);
  • critical data storage or processing assets;
  • critical hospital assets;
  • critical domain name system assets;
  • critical food and grocery assets;
  • critical freight infrastructure assets;
  • critical freight services assets; and
  • critical broadcasting assets.

A ‘grace period’ of 6 months applies from the commencement of the Rules, to allow time for the preparation of a Risk Management Program and implementation of the requirements.

Current consultation

The consultation, which commenced Wednesday 5 October 2022, covers the following areas:

  • Draft Risk Management Program Rules​
  • Draft Risk Management Program Guidance for Industry​
  • Draft Protected Information Guidance for Industry
  • Draft AusCheck background check​
  • Draft Annual Report Approval form

The Cyber and Infrastructure Security Centre (CISC) will hold two all sector introductory town hall meetings to commence the consultation, the first on Monday 10 October from 3:30-4:30PM AEDT, and the second on Wednesday 12 October, 3:30-4:30PM AEDT. The CISC will clarify the formal consultation process and the proposed RMP Rules and Guidance set out above.

For further information, including links to participate in these meetings, see the consultation page here.

We will provide an in-depth analysis on the draft rules and guidance material in the coming weeks.

LATEST THINKING
Insight
Australia’s competitive banking landscape, prudential settings and the accelerating challenge (and cost) of technology uplift are tipped to drive further consolidation in the sector in the coming decade.

16 January 2025

Insight
The Australian Securities and Investments Commission (ASIC) has reissued Regulatory Guide 133 Funds management and Custodial Services: Holding assets (RG 133).

15 January 2025

Insight
The MYEFO just released by the Treasurer shows that an end to the surpluses the Government has enjoyed over the last two year is fast approaching, with slowing revenues and the promise of new policies such as the Build to Rent tax incentives announced in the last Budget beginning to bite.

19 December 2024