First CIRMP annual reports under the SOCI Act - due soon
Tell me in 30 seconds

Responsible entities that are subject to the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) are required to submit their first annual report within 90 days of the end of the financial year (that is, by 28 September 2024). Responsible entities should now be taking steps to prepare the annual report to ensure it is ready to submit by the deadline. The annual report must be submitted through the Cyber and Infrastructure Security Centre’s (CISC) online form (see here).

The beginning of the new financial year also coincides with the CISC’s commencement of compliance activities with respect to the Security of Critical Infrastructure Act 2018 (SOCI Act), in accordance with its firmer compliance regulatory posture for FY24-25.

Quick recap: which critical infrastructure assets are subject to the annual report requirement?

The CIRMP Rules commenced on 17 February 2023 and apply to the responsible entities of the critical infrastructure assets in the diagram below.

The responsible entities of these assets were required to adopt, maintain and comply with a CIRMP by 18 August 2023.

The responsible entities of these assets are required to submit an annual report in respect of their CIRMP if, during the whole or a part of the FY23-24 financial year (the ‘relevant period’):

  1. the entity was the responsible entity for one or more critical infrastructure assets; and
  2. the entity had a CIRMP that applied to the entity.

Assuming a responsible entity was subject to the requirement to have a CIRMP in place by 18 August 2023, the ‘relevant period’ for such entity would be 18 August 2023 to 30 June 2024.

What needs to be included in the annual report?

SOCI Act requirements

Under section 30AG of the SOCI Act, the annual report must: 

1. State whether the CIRMP was ‘up to date’ at the end of the financial year
(Form reference: section 3.4, CISC online annual report form)

If the CIRMP was not ‘up to date’, the annual report will need to include details as to why this was the case.

‘Up to date’ is not defined under the SOCI Act. However, guidance from the CISC is that the following factors should be considered in determining whether a CIRMP was up to date:

  • (CIRMP Rules) whether the CIRMP addresses all of the requirements under the CIRMP Rules, and if not, the report should identify the specifics and how these plan to be addressed
  • (hazards and mitigation strategies) whether the CIRMP has:
    • identified each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the relevant critical infrastructure assets; and
    • set out a mitigation strategy for each such hazard (including whether significant control gaps exist); and
  • (complete) whether the CIRMP:
    • is fully completed for each critical infrastructure asset and if not, detail what gaps exist and how these plan to be addressed; and
    • has sections that are complete, but do not reflect the current state for the reporting period.
2. If a hazard had a ‘significant’ ‘relevant impact’ on an asset during the ‘relevant period’, address the matters in 2(A) to 2(C) below
(Form reference: section 3.4, CISC online annual report form)
  • ‘Significant’: The term ‘significant’ is not defined under the SOCI Act, as this will vary between sectors and assets. It will be up to the responsible entity to determine whether a relevant impact is ‘significant’. However, based on guidance from the CISC and the explanatory memorandum, the following issues could be considered:
    • whether there were any genuine impacts on the availability of the asset or the services it offers (noting that the nature and duration of an impact will differ across assets and sectors) – e.g., as would occur during a significant ransomware attack;
    • whether the incident caused any harm to customers or end-users – e.g., a serious cyber attack on a financial institution which affected the ability of customers and businesses to access funds or make electronic payments; or
    • whether there was a detrimental impact on information security which undermined the integrity of, or led to the unauthorised accessing of, sensitive or personal information – e.g., a significant data breach.
  • ‘Relevant impact’: under the SOCI Act, a ‘relevant impact’ refers to where there is a direct or indirect impact on the availability, integrity, reliability or confidentiality of a critical infrastructure asset.
  • ‘Relevant period’: see the definition in the section above.
2. (A) identify the hazard;

Based on the CISC’s guidance, this should include a description of the specific critical infrastructure assets which were impacted, the hazard responsible for the impact, including the nature of the impact, how it occurred and the extent of the consequences.

2. (B) evaluate the effectiveness of the CIRMP in mitigating the significant relevant impact of the hazard on the asset; and

This should include a self-assessment of whether the CIRMP was sufficient to mitigate the hazard or could be improved. Guidance from the CISC notes that the following issues may be considered as part of this assessment:

  • whether the occurrence or impact of the hazard could be mitigated into the future (so far as is reasonably practicable); and
  • whether the severity of the impact of the hazard on the asset was reduced because of the CIRMP.
2. (C) if the CIRMP was varied during the financial year as a result of the occurrence of the hazard—outline the variation.

Based on the CISC’s guidance, this should cover:

  • specific changes that were made to the CIRMP; and
  • the implications of the changes to the management of risk for the impacted asset.
3. Be approved by the board, council or other governing body of the entity (if the entity has one)
(Form reference: attestation – section 1, CISC online annual report form)

The annual report involves an attestation by the board (or council or other governing body, as applicable) of the responsible entity confirming that the information contained within the report has been approved by the board.

As we discussed in our previous article (see here), in preparing their annual reports, responsible entities should think about the steps required to ensure that directors have the information needed to discharge their directors’ duties in connection with the approval of the annual report. Other important factors to consider include:

  • has the board of the responsible entity approved the CIRMP? This will enable the board to approve the statements about the CIRMP in the annual report; and
  • have any of the responsible entity’s SOCI obligations been delegated to other entities within the corporate group?

Other key items required in CISC’s online annual report form

The CISC’s online annual report form was recently updated on 14 June 2024. In addition to the SOCI Act requirements outlined in the section above, the CISC’s online form requires the following sections to be completed:

  • overview of responsible entity’s approach and processes to managing risks to its critical infrastructure assets (section 3.2);
  • identify the cyber security framework the responsible entity uses to manage cyber security risks, and provide a maturity rating against that framework (section 3.3). See our previous article, which discusses the requirement for responsible entities to comply with a designated cyber security framework (or an equivalent framework) by 18 August 2024; and
  • any additional information relevant to the development and maintenance of the CIRMP for the critical infrastructure assets during the relevant period (section 3.4).

CIRMP does not need to be included

The CISC’s online form enables relevant documents to be attached to the report if needed. However, a copy of the entity’s CIRMP is not required to be submitted with the annual report. The CISC has noted that it may specifically contact an entity to request a copy of their CIRMP, if required.

So what?

Under section 30AG of the SOCI Act, a civil penalty of 150 penalty units (up to $234,750 for a body corporate) will apply to a responsible entity if it fails to lodge an annual report on a CIRMP for a critical infrastructure asset by 28 September 2024.

CISC to commence compliance activities in FY24-25

As discussed in our previous article (see here), the CISC will adopt a firmer compliance regulatory posture with respect to the SOCI Act in FY24-25 and undertake more regular compliance audit activities. This change in regulatory posture is intended to drive a further uplift in compliance by the responsible entities and direct interest holders of critical infrastructure assets.

Given the increasing focus of the CISC on ensuring and enforcing compliance with the SOCI Act, it is important that responsible entities subject to the CIRMP obligations submit their annual report by the relevant deadline.

Now what?

If you are a responsible entity for a critical infrastructure asset that is subject to the CIRMP Rules, you should now be taking steps to prepare your annual report to submit to the CISC by 28 September 2024. This includes:

  • reviewing the CISC’s online annual report form (see here) in advance of submitting the report, to ensure the entity is familiar with the sections it will be required to complete;
  • liaising with the relevant personnel within the responsible entity to prepare the information required to complete the annual report; and
  • considering the steps required to ensure that the directors of the responsible entity:
    • have the information needed to discharge their directors’ duties in connection with their approval of the annual report; and
    • approve the annual report in accordance with the entity’s normal governance arrangements.