After a long and circuitous journey, on 31 March 2022 Parliament passed the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act), which implements the final package of amendments to the existing Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). These amendments form part of an ever-increasing focus on the security of Australia’s critical infrastructure.
The SLACIP Act is the final component of the Government’s package of reforms to the SOCI Act that imposes security obligations on entities that own or operate critical infrastructure assets in Australia. It follows hot on the heels of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act), which was enacted in December 2021 and which substantially expanded the scope of the original SOCI Act from focussing on the physical security of traditional infrastructure assets (ports, water, electricity and gas) to addressing the impact of cyber incidents on a much broader range of sectors and assets. For more information on the SLACI Act and the obligations introduced under it, please refer to our previous article “Security of Critical Infrastructure Act (SOCI) reforms – what your business needs to know”.
The reforms themselves represent a core element of the Government’s response to the ever-increasing cyber threats faced by Australian businesses. These threats were made evident by the findings published in mid-September 2021 by the Australian Cyber Security Centre (ACSC) in its Annual Cyber Threat Report, which found that cyber-attacks are escalating in severity and frequency at a rate of one reported attack every 8 minutes. Troublingly, that report revealed that approximately one quarter of cyber incidents reported to the ACSC in the 2020-21 financial year were associated with Australia’s critical infrastructure or essential services.
In the period since that report, the threat environment has only increased, as reiterated by the Minister for Home Affairs in a media release on the passing of the legislation: “Throughout the pandemic, Australia’s critical infrastructure sectors have been regularly targeted by malicious cyber actors seeking to exploit victims for profit, with total disregard for the community and the essential services we all rely on. Following Russia’s aggression against Ukraine, it is a sad reality that there is a heightened cyber threat environment globally, and the risk of cyberattacks has increased on Australian networks, either directly or inadvertently. This legislation completes a reform package that gives all Australians assurance that our essential services are resilient and protected.”
This article summarises the background to the SOCI Act and SLACIP Act, the key features of the SLACIP Act, and the next steps. While the passing of the SLACIP Act is a significant milestone, it is also only the beginning of efforts to protect Australia’s critical infrastructure, with further steps required for implementation and ongoing industry engagement still to come.
The passing of the SLACIP Act feels like a significant achievement, given how tortuous the legislative process has been. It has spanned over 18 months and involved numerous rounds of consultation and hundreds of engagement sessions with critical infrastructure providers, other regulators, and state and territory bodies. Whilst there remains much work to be done, notably with respect to the finalisation of the draft Risk Management Program Rules, industry and Government alike will be breathing a sigh of relief that this phase of the process is over.
Readers may recall that the original Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill) was split following consultation with industry and review by the Parliamentary Joint Committee on Intelligence and Security (PJCIS). This resulted in the PJCIS recommending in their September 2021 report that the less ‘urgent’ and more complex aspects of the reforms be deferred, allowing the less contentious elements of the SOCI Bill to be passed first while the Government responded to submissions on the more complex elements. For more information on the background to the splitting of the SOCI Bill, please see our previous article “Reform of Australia’s critical infrastructure laws – PJCIS Report the catalyst for imminent change?”
Whilst the SLACI Act was pushed through Parliament at the end of last year, the text of the SLACIP Act was subject to a further round of industry consultation between December 2021 and February 2022.
The draft legislation was then referred to the PJCIS for inquiry and report, with the PJCIS tabling its report (the Report) on the SLACIP Bill on 25 March 2022. As part of its inquiry, the PJCIS invited and considered 50 submissions and also heard significant classified evidence regarding the “deteriorating cyber threat environment”, which the PJCIS noted necessitated the passage of the legislation in the “shortest time possible”. The PJCIS recommended the passage of the legislation subject only to minor amendments. The Report put forward 10 recommendations, which were primarily concerned with boosting accountability and consultation, including:
- further industry consultation on the draft Risk Management Program Rules, and ongoing industry roundtables for review and improvement of rules enacted under the SOCI Act and the sector and asset definitions used in the rules and legislation;
- minor amendments to the SLACIP Act, such as the inclusion of:
  - new definitions of “critical worker” and “critical component”;
  - a provision requiring the Minister to report and notify the PJCIS of “Systems of National Significance” (SoNS) declarations;
  - provisions requiring the Minister to periodically report to the PJCIS on the conduct, progress and outcomes of ongoing consultations undertaken by the Department in relation to the expanded provisions of the SLACIP Act and the SLACI Act; and
  - provisions requiring the Minister to cause an independent review of the operation of the SOCI Act to be conducted and a copy of the report to be tabled in Parliament, to ensure that the intended operations, implications and effectiveness of the SOCI Act are being realised;
- amendments to the Explanatory Memorandum to the SLACIP Act to clarify the responsibilities of employers and the circumstances and scope of the intended operation of the enhanced cyber security obligations that relate to SoNS; and
- a recommendation that the Australian Government consider a legislative basis for merits review of some or all of the decisions exercised by the Minister under the SOCI Act.
Parliament responded to the PJCIS’ recommendations, with the final text of the SLACIP Act implementing all legislative amendments recommended by the PJCIS. An Addendum to the Explanatory Memorandum also amended the Explanatory Memorandum to reflect the PJCIS recommendations. The implementation of all relevant PJCIS recommendations and the passing of the SLACIP Act within one week highlights both the urgency of these reforms and the Government’s regard for industry concerns. The PJCIS has also reiterated that it has the discretion to launch an inquiry into the SOCI Act at any stage and will do so if it becomes aware of unintended or disproportionate operation of the Act.
Key features of the SLACIP Act
The SLACIP Act proposes two key measures to further amend the SOCI Act:
- a new “positive security obligation” requiring responsible entities to create and maintain a critical infrastructure risk management program; and
- a new framework of “enhanced cyber security obligations” that must be complied with by operators of SoNS (i.e. Australia’s most important critical infrastructure assets).
Risk Management Program
The SOCI Act as amended in December already contains two “positive security obligations” imposed on owners and operators of critical infrastructure assets:
- an obligation to report cyber incidents (Part 2B); and
- a requirement to report ownership and operational information relating to critical infrastructure assets (Part 2).
The SLACIP Act creates an additional positive security obligation under Part 2A, requiring responsible entities of certain critical infrastructure assets to adopt and maintain a risk management program.
The purpose of the risk management program is to enable entities to identify hazards that present a material risk to the availability of their critical infrastructure assets, and to proactively minimise or eliminate the risk of such hazards occurring. Once implemented, the responsible entities will be required to comply with their risk management program, as well as to maintain the program and ensure that it remains up to date. In addition, responsible entities are required to give an annual report to the relevant Commonwealth regulator or the Secretary relating to their risk management program.
Importantly, as is the case for the other positive security obligations, it is left to “rules” made as delegated legislation under the Act to define which particular critical infrastructure assets or classes of critical infrastructure assets this obligation will actually apply to, and to provide further specificity regarding the nature of the obligation. Whilst the Minister is not able to officially make rules relating to the obligations under the SLACIP Act until the SLACIP Act has received Royal Assent (and even then, not until a mandatory consultation process of not less than 28 days has concluded), an exposure draft of the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules (Risk Management Program Rules) has been released. We expect draft Risk Management Program Rules to be officially published for mandatory industry consultation shortly after the SLACIP Act receives Royal Assent. For more information on rules under the SOCI Act, please see our previous article “Rules, rules and more rules – further reform of Australia’s critical infrastructure laws”.
As the Explanatory Memorandum to the SLACIP Act makes clear, the risk management program obligations have been designed to establish a minimum set of safeguards where there are currently no other regulatory settings that achieve the same purpose. For example, those entities subject to APRA’s prudential regulation or the defence industry security program will not (with some exceptions) be subject to the risk management program obligations as they already have existing and equivalent obligations in place. The exposure draft of the Risk Management Program Rules provides that the risk management program obligations will initially apply to the following ten critical infrastructure assets:
- critical broadcasting assets
- critical domain name systems
- critical data storage or processing assets
- critical hospitals
- critical energy market operator assets
- critical water and sewerage assets
- critical electricity assets
- critical gas assets
- critical liquid fuel assets
- critical financial market infrastructure assets that are a critical payment system
The good news for entities that own or operate the above assets, though, is that the draft Risk Management Program Rules contemplate a six-month grace period, running from the later of the commencement of the rules and the date on which the asset becomes a critical infrastructure asset, during which they will not be required to comply with the obligations. (For certain specified cyber security frameworks, the grace period is an even longer period of 18 months.) Additionally, whilst it is proposed that the obligations will also ultimately apply to critical food and grocery assets, critical freight services assets and critical freight infrastructure assets, given the supply chain impacts on those sectors resulting from the COVID-19 pandemic it has been proposed that the obligations for those sectors will not commence before 1 January 2023.
In terms of what a risk management program must contain, the rules are not overly descriptive. However, they require as a minimum:
- a process or system for identifying the operational context of each relevant critical infrastructure asset;
- a principles-based risk identification process used to identify risks to the critical infrastructure asset;
- a risk management process or system that includes, for each material risk to the asset, a process or system to consider the risk and minimise or eliminate the risk; and
- a process for reviewing the program, and for keeping the program up to date.
Responsible entities for critical infrastructure assets are expected to take an “all-hazards” approach when establishing their risk management program. This requires consideration of both natural and man-made hazards, including:
- Cyber and information security hazards
- Personnel hazards
- Supply chain hazards
- Physical security hazards and natural hazards
Given the breadth of the factors that responsible entities are expected to have regard to, it will come as no surprise to many that compliance with these obligations is expected to be costly. Whilst Government has been at pains to explain that the regulatory costs of compliance are minimal when compared to the anticipated damage to the economy if businesses underinvest in security and allow breaches to occur, that may be of little comfort to organisations when faced with the bill for such compliance. Analysis conducted around the average expected costs for compliance with the obligations suggests an average one-off cost of $9.2 million followed by an average ongoing cost of $3.7 million per annum. In its report, the PJCIS acknowledged that the cost will be borne by industry, but stated that it believes the cost will not be immediate and will be outweighed by the resultant security uplift. For further information on the estimated average one-off cost and average annual ongoing cost of implementation and maintenance of the risk management program obligations for critical infrastructure assets, please see the Department of Home Affairs’ submission to the PJCIS’ SLACIP Bill review.
Failing to comply with the various requirements of the critical infrastructure risk management program carries notable civil penalties. Failure to adopt, maintain, comply with, regularly review, and take all reasonable steps to ensure the currency of a critical infrastructure risk management program can result in a fine of $44,400 (200 penalty units), or $222,000 (1000 penalty units) for corporations, while failure to submit an annual report in a form approved by the Secretary and, where relevant, approved by the entity’s board, council or other governing body, can result in a fine of $33,300 (150 penalty units), or $166,500 (750 penalty units) for corporations.
Enhanced cyber security obligations for Systems of National Significance
The SLACIP Act also creates a new tier of assets under the SOCI Act, and imposes enhanced obligations on the responsible entities for those assets.
In recognition of the fact that certain assets are absolutely fundamental to the continued security, economy and sovereignty of Australia, the SLACIP Act introduces Part 6A under the SOCI Act, which enables the Minister to privately declare a critical infrastructure asset to be a “System of National Significance”.
Before making such a declaration, the Minister is required to have regard to the asset’s interdependencies with other critical infrastructure assets, and the consequences to Australia’s national interest if a hazard were to occur that had a significant impact on the asset. In addition, the Minister is required to give the responsible entity for the asset a notice setting out the proposed declaration, and inviting the entity to make submissions about the proposed declaration.
As of the date of publication of this article, it is unknown which assets will be declared SoNS. To avoid identifying and publicising their significance to malicious actors, the intent appears to be to keep the list a closely guarded secret. However, the Explanatory Memorandum to the SLACIP Act clarifies that “these are a significantly smaller subset of critical infrastructure assets”, and as such the enhanced cyber security obligations introduced under the SLACIP Act will not apply to the majority of critical infrastructure assets.
Once an asset has been designated a SoNS, the Secretary of Home Affairs may require the responsible entity for the asset to comply with one or more of the ‘enhanced cyber security obligations’ introduced into the SOCI Act pursuant to a new Part 2C.
There are four core enhanced cyber security obligations outlined in the SLACIP Act:
- Statutory incident response planning obligations – if the Secretary determines that the statutory incident response planning obligations apply to an entity, the entity must adopt, maintain and comply with an incident response plan with respect to its assets and must provide a copy to the Secretary.
- Requirement to undertake cyber security exercises – cyber security exercises are intended to test the relevant entity’s ability and preparedness to respond to cyber incidents that could have an impact on the system, and to mitigate the impacts of cyber incidents on the system. The relevant entity may be required to prepare both internal and external reports relating to the exercise, and in some circumstances to allow external audits of the exercise.
- Requirement to undertake vulnerability assessments – similarly, the Secretary may require responsible entities to undertake a vulnerability assessment in respect of the relevant asset, the purpose of which is to test the vulnerability of the asset to cyber incidents.
- Provision of access by ASD to system information – if a computer is a system of national significance, or is needed to operate a system of national significance, a relevant entity for the system may be required to give the ASD periodic or event-based reports of system information, or install software that transmits system information to the ASD.
Additional requirements relating to each of the above enhanced cyber security obligations may be specified in rules to be published by the Minister (which, as of the date of this article, do not exist).
Again, failure to adopt, maintain, comply with, regularly review, take all reasonable steps to ensure the currency of, and provide a copy of (and any variations to) the Secretary as soon as practicable after adoption or variation of, an incident response plan that applies to an entity can result in a fine of $44,400 (200 penalty units), or $222,000 (1000 penalty units) for corporations. The same fines apply for non-compliance in respect of cyber security exercises, where an entity fails to comply with a notice to undertake a cyber security exercise or to provide an internal or external evaluation report to the Secretary as required, and for non-compliance in respect of vulnerability assessments, where an entity fails to comply with a notice to undertake a vulnerability assessment, to assist a designated officer, or to provide a vulnerability assessment report to the Secretary. Failure to comply with a notice to provide system information, to the extent that an entity is capable of doing so, or to install software that transmits system information to the ASD can also result in the same fines.
In addition to the primary measures outlined above, the SLACIP Act also contains other amendments to the SOCI Act incorporated in response to parliamentary and industry feedback. These include:
- amendments to various definitions of types of critical infrastructure assets in response to stakeholder feedback, such as the retention of the “wholly or primarily” threshold test for identifying a “critical data storage or processing asset”;
- changes to the provisions governing the use and disclosure of protected information to enable greater information sharing between responsible entities and Commonwealth, State and Territory regulatory agencies;
- clarifying certain consultation requirements of the Minister, including a right of reply for impacted stakeholders and for that reply to be considered before the Minister’s decision can be made on a matter;
- expanding the scope of immunities from prosecution available to responsible entities, their employees, contractors and other agents, where they take actions under the government assistance measures in Part 3A of the SOCI Act; and
- clarifying the exception from reporting obligations in Part 2 of the SOCI Act for moneylenders until they enforce their security in relation to a critical infrastructure asset.
Whilst the SLACIP Act as a whole commences from the day after the Act receives Royal Assent, there are several steps that need to be taken before the obligations under the SOCI Act will apply to any given critical infrastructure asset.
The SLACIP Act is still awaiting Royal Assent, after which we expect the draft Risk Management Program Rules to be published for mandatory consultation of at least 28 days. Additionally, the draft Security of Critical Infrastructure (Application) Rules 2021 (Draft Application Rules) proposing the activation of the mandatory cyber incident reporting and Register reporting obligations under the SOCI Act are likely to be registered imminently; consultation ended on 1 February 2022, and the Minister has the discretion to register the Draft Application Rules. Also of note are new rules, namely the registration of the Security of Critical Infrastructure (Australian National University) Rules on 15 March 2022, which prescribes certain assets owned or operated by the Australian National University to be critical infrastructure assets. Given that the purpose of the rule making power under the SOCI Act is to provide adequate flexibility to ensure the obligations and measures continue to apply to the most appropriate entities, businesses will have to stay alert to the release of new rules which may affect them and any opportunities to consult on them.
The passing of the SLACIP Act marks the end of a difficult legislative process but also the beginning of the much more difficult challenge of preparing for and implementing the extensive new obligations under the SOCI Act. There is some reassurance on the path forward from the SOCI Act regulator, the Cyber and Infrastructure Security Centre (CISC), which has stated that it is committed to continuing to proactively engage with critical infrastructure providers to protect Australia’s critical infrastructure from all hazards. The CISC has also flagged that in the coming weeks and months it will release further industry guidance material to support the implementation of the critical infrastructure reforms. As the curtain falls on the primary legislation, affected entities will now have to turn their attention to the next stage: taking proactive steps to comply with their new obligations and seeing how Government’s exercise of its sweeping new powers plays out.
Authors: Lesley Sutton, Nikhil Shah, Claire Harris and Dal Lim