TL;DR
The Minister for Home Affairs (Minister) recently finalised the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth) (Rules), which means that the asset register reporting requirements and the cyber security incident notification obligations under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) have now been enlivened.
Commencement Dates
The Rules commenced on 8 April 2022 and responsible entities for certain classes of critical infrastructure assets will now have until:
- 8 July 2022 (i.e., 3 months after the commencement of the Rules) to commence mandatory reporting of cyber security incidents pursuant to Part 2B of the SOCI Act; and
- 8 October 2022 (i.e., 6 months after the commencement of the Rules) to provide information to the Register of Critical Infrastructure Assets (Register) pursuant to Part 2 of the SOCI Act.
Background
As discussed in our previous alert, the Government released an exposure draft of the Rules on 15 December 2021 for public comment. Following a 28-day consultation period which ended on 1 February 2022, the Minister has finally ‘switched on’ the positive reporting obligations incorporated into the SOCI Act by the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act) for certain critical infrastructure asset classes.
Incident Notification Obligations
Under Part 2B of the SOCI Act, responsible entities of critical infrastructure assets will be required to prepare reports about:
- critical cyber security incidents (i.e., a cyber security incident which has a significant impact on the availability of an asset) within 12 hours of becoming aware of the incident; and
- other cyber security incidents (i.e., a cyber security incident which has a relevant impact on an asset) within 72 hours of becoming aware of the incident.
The Rules are silent on the Commonwealth body which responsible entities must provide these incident reports to. However, we understand from consultations with the Department of Home Affairs that the relevant body is the Australian Cyber and Infrastructure Security Centre.
The Rules specify that the above cyber security incident notification obligations are now in force with respect to the following classes of critical infrastructure assets:
- critical broadcasting assets;
- critical domain name systems;
- critical data storage or processing assets;
- critical banking assets;
- critical superannuation assets;
- critical insurance assets;
- critical financial market infrastructure assets;
- critical food and grocery assets;
- critical hospitals;
- critical education assets;
- critical freight infrastructure assets;
- critical freight services assets;
- critical public transport assets;
- critical liquid fuel assets;
- critical energy market operator assets;
- critical ports;
- critical electricity assets;
- critical gas assets;
- critical water assets; and
- critical aviation assets which are:
  - designated airports;
  - assets used to perform an Australian prescribed air service operating screened air services that depart from a designated airport; or
  - cargo terminals which are owned or operated by a regulated air cargo agent that is also a cargo terminal operator and is located at a designated airport.
However, the following types of assets have been excluded from having to comply with the incident reporting obligations:
- the Invicta, Pioneer, Racecourse and South Johnstone sugar mills located in Queensland;
- assets classified as critical aviation assets on or after the commencement of Part 1 of Schedule 3 to the Transport Security Amendment (Critical Infrastructure) Act 2022 (Cth); and
- assets classified as critical maritime assets on or after the commencement of Part 2 of Schedule 3 to the Transport Security Amendment (Critical Infrastructure) Act 2022 (Cth).
Asset Register Reporting Requirements
Under Part 2 of the SOCI Act, ‘reporting entities’ (being responsible entities and direct interest holders of critical infrastructure assets) will be required to give the following information to the Register:
- with respect to responsible entities – operational information about the critical infrastructure asset; and
- with respect to direct interest holders – interest and control information about the direct interest holder and the critical infrastructure asset.
The Minister has ‘switched on’ the asset register reporting requirements for the following classes of critical infrastructure assets:
- critical broadcasting assets;
- critical domain name systems;
- critical data storage or processing assets;
- critical financial market infrastructure assets that are payment systems;
- critical food and grocery assets;
- critical hospitals;
- critical freight infrastructure assets;
- critical freight services assets;
- critical public transport assets;
- critical liquid fuel assets;
- critical energy market operator assets;
- critical electricity assets (that were not classified as critical infrastructure assets prior to the SLACI Act); and
- critical gas assets (that were not classified as critical infrastructure assets prior to the SLACI Act).
The Minister has also exempted the four Queensland sugar mills mentioned above (and their corresponding reporting entities) from these reporting requirements.
Next steps
Entities which own or operate critical infrastructure assets that fall into any of the foregoing categories should take steps to review and, if necessary, update existing operational information, processes and procedures to ensure compliance with these new reporting obligations before the grace periods end on 8 July 2022 (for the cyber security incident notification obligations) and 8 October 2022 (for the asset register reporting requirements).