This article was written by Cheng Lim, Kirsten Bowe, Johnathon Hall, Thomas Dysart and Linus Schibler and published on 30 November 2020. It was updated on 9 December 2020.
On 9 November 2020, the Australian Government released the exposure draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (‘draft Bill’). The draft Bill is part of a broader national strategy to strengthen cyber security and was published following the public response to the Protecting Critical Infrastructure and Systems of National Significance Consultation Paper (‘Consultation Paper’).
In this alert, we highlight the key changes proposed by the draft Bill and the outstanding issues to be addressed as part of the Government’s ongoing consultation with industry.
Importance & Overview
The draft Bill has significant implications for owners, operators, buyers and sellers of assets and sectors deemed critical infrastructure. They will be subject to additional reporting and cyber-security obligations, ownership controls, and subject to Government assistance powers which enable authorities to step in if an entity is unwilling or unable. Accordingly, the scope of its application, definitions of its requirements and questions on how these will function are significant and material to many entities.
The consultative release of the draft Bill provides insight into how the broadened Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) will operate. The Federal Government had initially indicated to the various impacted sectors that the Bill would not be released for public consultation, which resulted in some uncertainty about how the existing framework of the SOCI Act would be expanded and the extent of changes to any existing obligations.
The draft Bill resolves some of these queries by:
- providing definitions for new critical infrastructure sector and critical infrastructure asset;
- confirming the legislative structure for the overall framework; and
- setting out the framework for positive security obligations, enhanced cooperation on cyber security, government assistance powers and enforcement provisions.
Exactly how the newly expanded scope of obligations will apply in a sector-specific manner and how those obligations interact with existing regulatory oversight is left for the sector specific rules which are intended to be the subject of consultation in the first half of 2021.
Critical Infrastructure Sectors and Assets
The Draft Bill expands the applicability of the SOCI Act to a range of new sectors. This means that critical infrastructure assets that are to be subject to the SOCI Act will be assets within the following sectors:
- Financial Services and Markets: banking, super, insurance (incl general, life & health), financial market infrastructure
- Communications: telecoms, broadcasting, domain name systems
- Data and the Cloud: data storage and processing
- Education, research and innovation: universities or organisations undertaking Commonwealth-funded research (eg CSIRO)
- Energy: Electricity, gas, energy market operators, liquid fuel
- Food and grocery: including supply chain players (logistics)
- Health: Hospitals
- Space: space related technology (including GPS and communication services)
- Transport: maritime ports, aviation, freight infrastructure, freight services, public transport
- Water & Sewerage
The sectors impacted by the new critical infrastructure framework in the draft Bill are largely consistent with those proposed in the initial Consultation Paper, which we previously explored in August.
The draft Bill also introduces definitions for a range of new critical infrastructure assets, many of which have been left intentionally broad to capture the wide range of assets that may be considered critical to a given sector. Government have indicated they it intends to provide greater clarity around the scope and application of obligations under the SOCI Act through the co-design of sector-specific rules and through the use of so-called ‘switch-on/switch-off’ powers (discussed further below).
The draft Bill also gives the Minister for Home Affairs the power to declare a critical infrastructure asset to be a ‘system of national significance’ (“SONS”) having regard to the nature and extent of its interdependencies with other critical infrastructure assets. Those who are the responsible entity for a declared SONS will be subject to the enhanced cyber security obligations discussed below.
Ownership reporting obligations
Under the existing SOCI Act, responsible entities and direct interest holders (i.e. entities holding a cumulative interest of at least 10% in an asset) for critical infrastructure assets are required to provide ownership and operational information to the Register of Critical Infrastructure Assets managed by the Department of Home Affairs. With the expanded range of new critical infrastructure assets set out in the draft Bill, this reporting obligation will apply to a significant number of businesses not currently captured under the SOCI Act.
To provide greater clarity, Government has proposed that these obligations will only apply to critical infrastructure assets that are specified in the sector-specific rules or that are subject to a declaration. Practically – this means these reporting obligations will need to be “switched on” going forward and will not apply automatically to a critical infrastructure asset.
New Positive Security Obligations
Responsible entities for critical infrastructure assets may be subject to new positive security obligations under the draft Bill. These obligations take two primary forms:
- Critical infrastructure risk management programs – Responsible entities must adopt, maintain, comply with, review, and update a critical infrastructure risk management program that applies to the entity. A critical infrastructure risk program must identify hazards with a material risk to critical infrastructure assets, minimise or eliminate material risks of hazard occurring, mitigate the impact of such hazards, and implement effective governance in compliance with any requirements specified in rules. The responsible entity will also have annual reporting obligations.
- Mandatory reporting of cybersecurity incidents – Responsible entities must notify the relevant Commonwealth body of:
- “critical cyber security incidents” (these are incidents that has had, is having, or is likely to have, a significant impact (whether direct or indirect) on the availability of an asset) within 12 hours of becoming aware; and
- “other cyber security incidents” (these are incidents that has had, is having, or is likely to have, a relevant impact on an asset) within 24 hours of becoming aware.
As with the reporting obligations, the draft Bill provides that these obligations will only apply to critical infrastructure assets that are specified in the rules or that are subject to a declaration. Practically – this means these obligations need to be “switched on” and will not apply automatically to a critical infrastructure asset. The sector-specific rules will also play an important role in determining the issues that will need to be considered by responsible entities in developing and maintaining a critical infrastructure management program.
The draft Bill provides that where a critical infrastructure risk management program is in place, the entity must provide a report to the Secretary of Home Affairs detailing its compliance with the program for the financial year. The draft Bill also provides that this annual report must be signed by each member of the board. As the Explanatory Document explains, “this is designed to ensure that the most senior levels of an entity are aware of the risk management practices of the entity and personally accountable compliance with this regime.”
Enhanced cyber security obligations
The draft Bill introduces a new set of enhanced cyber security obligations that will apply to the responsible entity for a declared SONS. These may require the responsible entity to adopt and maintain an incident response plan, undertake cyber security exercises or vulnerability assessments, or install specified computer programs on its systems.
Government assistance powers
The draft Bill provides the Minister powers to authorise the giving of certain directions or requests in the event of a cyber security incident that seriously prejudices (or is likely to seriously prejudice) the social/economic stability, defence or national security of Australia. These include issuing information gathering directions to entities, directions to entities to undertake specific actions, and the ability for a Government agency to step in to perform actions where the entity is unwilling or unable.
Consultation on Sector-specific rules
Following the amendment of the SOCI Act, a series of further consultations will take place with each impacted sector to inform the develop of the sector-specific rules.
As is clear from the draft Bill, the rules are critical to the implementation of the reforms, determining the scope and application of the reforms , the critical infrastructure assets they will apply to, and the way in which the new positive security obligations will be switched “on or off”.
Key questions to be answered throughout the consultation process include:
- What assets and entities will be caught? – further clarification on the assets and entities that are to be subject to the new framework.
- Who will be regulators? – the identity of the relevant regulators for each sector.
- What are the thresholds for obligation enlivening? – the sector-specific thresholds for enlivening the various levels of security obligations.
- De-conflicting overlapping regulation – how will the new SOCI Act interact with existing regulatory regimes which cover the same ground (in whole or in part), such as the Australian Prudential Standard CPS 234 and the TSSR provisions in the Telecommunications Act 1997 (Cth).
Consultation on the draft Bill closed for public submissions on 27 November 2020. It is anticipated that the Federal Government will consider this feedback ahead of the draft Bill being introduced to Parliament later this year. Workshops involving the government and industry will be held throughout 2021 to design the sector-specific rules. It is expected that the positive security obligations will take effect mid-2021 following a 6 month grace-period for entities to achieve compliance.