National security
Australia’s geo-political situation has changed dramatically, and this is evident in the critical infrastructure, foreign interference and FIRB legislation passed over the past 2 years. At the same time, Australia has identified a need for much greater critical asset self-sufficiency through the COVID period. This is leading to stronger intervention by government and regulators in deals and capital flows.
New critical infrastructure legislation requires owners to provide “interest and control information” (i.e. basic details of any entity which has an ownership interest or the ability to control a relevant asset, along with the extent of that entity’s ownership or control over the asset) and “operational information” (e.g. the asset’s location, a description of the area the asset services, basic information about entities responsible for the operation of the asset and the arrangements in place with each operator) in relation to relevant critical infrastructure assets.
Similarly, the recent Australian payments system review recommended that the federal Treasurer be given new powers to intervene in the payments system – based on national interest considerations such as cyber security or consumer protection.
Cyber Security
The Security Legislation Amendment (Critical Infrastructure) Act 2021, passed in December 2021, and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, passed in March 2022, substantially expanded the scope of the existing critical infrastructure regime under the Security of Critical Infrastructure Act 2018, by focusing on cyber security threats to a far broader range of critical infrastructure assets.
In addition to building on the obligations already present under the existing critical infrastructure regime, which required entities owning and operating critical infrastructure assets to provide information to the Government’s Register of Critical Infrastructure Assets and to respond to Ministerial directions, the legislation passed in December 2021 introduced three main obligations on such entities:
- a requirement to notify cyber incidents impacting the critical infrastructure assets to the Australian Signals Directorate (in some cases, within 12 hours);
- a requirement to notify their data storage and processing service providers that they are managing “business critical data”; and
- the possibility of Government assistance and intervention measures being taken, including a “last resort” intervention request authorising the ASD to take positive actions to help defend the asset.
In March 2022, the second package of reforms introduced further onerous obligations on certain entities including:
- a requirement to establish, maintain and comply with a written risk management program (with grace periods applying for some assets); and
- an ability for the Government to privately declare certain critical infrastructure assets as being “Systems of National Significance”, subjecting the responsible entity for those assets to enhanced cyber security obligations, if required by the Secretary of Home Affairs, e.g. a need to develop incident response plans, providing access to system information and undertake cyber security exercises.
ESG/stakeholder governance
Many prominent ESG or corporate purpose initiatives and investigations have noted these issues are sharpest in organisations with systemic importance. By definition, this will capture critical infrastructure assets and will colour all Board and investment decisions around those assets.
Political and social agendas shape these trends – look no further than Australia’s recent run of Royal Commissions around critical assets (financial services, aged and disability care being the most obvious). What this will mean in practice is that:
- there will be an increasing trend towards legislating and regulating stakeholder governance or purpose - in the same way as anti-bribery and anti-money laundering issues have moved from “social concerns” to hard legislative requirements, so will other aspects of stakeholder concerns in these politically charged sectors;
- only certain categories of investors will have the ability to receive approvals to participate in auctions in these spaces, and the impact on stakeholders will be a critical component of regulatory engagement on these deals; and
- listed company and financial sponsor acquirers will have an increasing focus on ESG in their investment and divestment decision-making. Their advisers need to be able to speak the language and reflect those issues in diligence and transaction execution.