07/06/2022

This article considers the impact of the critical infrastructure reforms on RSE licensees both as infrastructure investors and as owners, or operators, of critical superannuation assets. 

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (SLACIP Act) received Royal Assent on 1 April 2022. It made a second and final round of amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).  The SOCI Act provides a framework for managing risks relating to critical infrastructure assets.  For more information about the SLACIP Act generally and the background to it, please see Gilbert + Tobin’s article “The curtain falls - Final reforms to Australia’s critical infrastructure laws”. 

The purposes of this article are to:

  • provide information about the obligations that RSE licensees may have under the SOCI Act, now that its scope has been greatly expanded; and
  • set out the questions that a prudent trustee needs to ask to determine whether those obligations apply. 

As the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Application Rules) were also made in April, now is an excellent time for RSE licensees to come to grips with the legislation and what it means for them and the members of their funds. 

What obligations do RSE licensees have under the SOCI Act?

An RSE licensee will have obligations under the SOCI Act if it is:

  1. a “direct interest holder” of a “critical infrastructure asset”; or
  2. a “responsible entity” of a “critical infrastructure asset”.

These terms, and their application to RSE licensees, are explained below.

What is a critical infrastructure asset?

Critical infrastructure asset has the meaning given by section 9 of the SOCI Act. 

Under subsection 9(1), an asset is a critical infrastructure asset if it is:

  • in one of the 22 specified categories of critical infrastructure assets, e.g. a critical telecommunications asset;
  • an asset declared under section 51 to be a critical infrastructure asset; or
  • an asset prescribed by the rules for the purposes of paragraph 9(1)(f).

However, an asset is not a critical infrastructure asset if, or to the extent to which, the asset is located outside Australia.

There is a definition in the SOCI Act for each of the 22 specified categories of critical infrastructure assets.  The rules may also prescribe that a specified asset within a category is not a critical infrastructure asset. 

In our view, it would be prudent for an RSE licensee to review its portfolio holdings and determine whether each investment is in a critical infrastructure asset by tracking through the relevant definition and the rules.  Where a critical infrastructure asset is identified, consideration can then be given to whether the RSE licensee is a direct interest holder, or a responsible entity, of the critical infrastructure asset.

What is a critical superannuation asset?

One type of critical infrastructure asset that will be of particular interest to RSE licensees is critical superannuation assets. 

An asset is a critical superannuation asset if:

  • it is owned or operated by an RSE licensee that, in accordance with subsection 12J(2), is critical to the security and reliability of the financial services and markets sector; and
  • it is used in connection with the operation of a superannuation fund.

Rule 14 of the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 (Definitions Rules) provides for paragraph 12J(2)(b) that a registrable superannuation entity is critical to the security and reliability of the financial services and markets sector if it holds assets over $20 billion.

Where a fund has over $20 billion in assets, we suggest that the RSE licensee analyse what assets it owns or operates that are used in connection with the operation of the fund.  For example, one important asset that is owned by an RSE licensee and used in connection with the operation of a superannuation fund is fund data.       

When will an RSE licensee be a direct interest holder of a critical infrastructure asset?

Under subsection 8(1) of the SOCI Act, an entity is a “direct interest holder” in relation to an asset if the entity:

  • together with any associates of the entity, holds an interest of at least 10% in the asset (including if any of the interests are held jointly with one or more other entities); or
  • holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.

Section 8B of the SOCI Act sets out the meaning of “associate”.  It is important to identify all of an RSE licensee’s associates when assessing whether the RSE licensee is a direct interest holder, since an RSE licensee will be a direct interest holder if it, together with its associates, holds an interest of at least 10% in a critical infrastructure asset. 

An RSE licensee will also be a direct interest holder in relation to a critical infrastructure asset if the RSE licensee holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.  Despite the quite lengthy explanations of “influence or control” in subsections 8A(1) and (2), subsection 8A(3) provides that section 8A does not limit when an entity is in a position to directly or indirectly influence or control an asset or other entity. 

For each investment that is identified as a critical infrastructure asset, the RSE licensee will need to carefully analyse whether it is a direct interest holder in relation to the asset due to:

  • together with any associates of the RSE licensee, holding an interest of at least 10% in the asset (including if any of the interests are held jointly with one or more other entities); or
  • holding an interest in the asset that puts the RSE licensee in a position to directly or indirectly influence or control the asset.

What obligations apply to an RSE licensee that is a direct interest holder in relation to a critical infrastructure asset?

Where an RSE licensee is a direct interest holder in relation to a critical infrastructure asset, an obligation under Part 2 of the SOCI Act may apply, requiring the RSE licensee to provide to the Secretary of the Department of Home Affairs the “interest and control information” relating to itself and to the asset, as defined in section 6. 

The legislation is structured in such a way that the obligation on direct interest holders to provide interest and control information applies only to the following critical infrastructure assets:

  • critical water, electricity or gas assets, and critical ports; and
  • critical infrastructure assets which are specified in a rule or declaration by the Minister for Home Affairs.

Currently, the Application Rules, which commenced on 8 April 2022, do not activate Part 2 obligations for critical superannuation assets, but activate Part 2 for an additional 13 classes of assets.

However, rule 4(3) of the Application Rules provides a grace period, such that Part 2 does not apply in respect of a critical infrastructure asset (unless it was already covered immediately before the commencement of section 18A) during the period beginning when the asset became a critical infrastructure asset and ending at the later of:

  1. 6 months after the commencement of the rules on 8 April 2022; and
  2. 6 months after the asset became a critical infrastructure asset.

The obligation to provide “interest and control information” is ongoing, meaning that subsequent changes to the interest and control information will also need to be notified to the Secretary.

An RSE licensee that is a direct interest holder in relation to a critical infrastructure asset only has positive obligations under Part 2B of the SOCI Act.  However, under Parts 3, 3A and 4, an RSE licensee may be issued with directions or required to provide certain information or documents.

Additional obligations apply in relation to critical infrastructure assets which are also “systems of national significance”.  These are particularly important assets which are privately declared by the Minister and notified to the entity under section 52B.  The list of assets comprising systems of national significance is kept secret to protect those assets. 

Will an RSE licensee be a responsible entity of a critical infrastructure asset? 

The definition of “responsible entity” is sector-specific.  For instance, in general terms, the responsible entity for a critical water, electricity or gas asset is the entity which holds the licence, approval or authorisation to provide the service to be delivered by the asset.  By way of further example, for a critical aviation asset that is used by an airport operator in connection with the operation of an airport, the responsible entity is the airport operator.  Leaving aside “critical superannuation assets”, we expect that it would be rare for an RSE licensee to be the responsible entity of a critical infrastructure asset. 

Section 12L(6) provides that the responsible entity for a critical superannuation asset is the RSE licensee which owns or operates the asset, unless another entity is prescribed by the rules in relation to the asset. 

What obligations apply to an RSE licensee that is a responsible entity of a critical superannuation infrastructure asset?

The responsible entity for a critical infrastructure asset may have obligations under Parts 2, 2A and 2B of the SOCI Act.  However, similarly to direct interest holder obligations (explained above), the legislation is structured in such a way that the responsible entity obligations only apply if activated by the rules.  The obligations in Part 2 have not been activated for critical superannuation assets and the obligations in Part 2A have not yet been activated for any assets.

Importantly, the Application Rules activate the obligations in Part 2B in respect of critical superannuation assets.  However, rule 5(5) of the Application Rules provides a grace period, such that Part 2B does not apply during the period beginning when the asset became a critical infrastructure asset and ending at the later of:

  1. 3 months after the commencement of the rules on 8 April 2022; and
  2. 3 months after the asset became a critical infrastructure asset.

Under Part 2B, an RSE licensee needs to notify and provide a report to the Australian Signals Directorate (ASD) in relation to certain cyber security incidents occurring to a critical infrastructure asset.  Cyber security incidents which have significant impacts are required to be notified as soon as practicable and in any event within 12 hours, whereas other cyber security incidents which have, or are likely to have, relevant impacts are required to be notified as soon as practicable and in any event within 72 hours.

Except in relation to critical infrastructure assets which are also declared to be “systems of national significance” (to which enhanced cyber security obligations and additional reporting requirements apply, as discussed above), an RSE licensee that is a responsible entity for a critical superannuation asset only has positive obligations under Part 2B of the SOCI Act.  However, under Parts 3, 3A and 4, an RSE licensee may be issued with directions or required to provide certain information or documents.

What obligations apply to RSE licensees in relation to data storage or processing services?

If an RSE licensee is the responsible entity for a critical infrastructure asset and the RSE licensee becomes aware that a data storage or processing service is provided to it by another entity on a commercial basis and the service relates to business critical data, under subsection 12F(3) the RSE licensee must take reasonable steps to inform the other entity that it has become so aware as soon as practicable. 

Section 5 defines a data storage or processing service.   Business critical data is defined to include personal information that relates to at least 20,000 individuals. 

An RSE licensee needs to carefully consider whether a data storage or processing service is provided to it in relation to business critical data.   

Next Steps

We suggest that an RSE licensee ask the following questions to determine whether it has any obligations under the expanded SOCI Act:

  • Are any investments in critical infrastructure assets?
  • If so, is the RSE licensee a direct interest holder in relation to, or a responsible entity for, any critical infrastructure assets?
  • Does a registrable superannuation entity of which it is the RSE licensee hold assets over $20 billion?
  • If so, what critical superannuation assets does the RSE licensee own or operate?
  • If the RSE licensee is the responsible entity for a critical infrastructure asset, is a data storage or processing service provided to the RSE licensee on a commercial basis in relation to business critical data?   

Civil penalties may apply for contravening obligations imposed under the SOCI regime.  Consequently, it is important for an RSE licensee to identify when those obligations apply.

In our view, a prudent RSE licensee will review the fund’s existing investments to determine whether it has an existing positive reporting obligation as a direct interest holder under Part 2 of the SOCI Act and will also adopt a guide for use within its business to identify situations in which it may have positive obligations in relation to its investments going forward.  In this respect, close attention should be paid to the wide operation of the terms “critical infrastructure asset” and “associate”.

Further, RSE licensees that hold assets over $20 billion should consider the new obligations which might apply as a result of the introduction of the new class of critical infrastructure assets known as “critical superannuation assets”. 

Moreover, a prudent RSE licensee will use the grace period to consider whether its existing policies, procedures and protocols in relation to cyber security incidents, and cyber security more generally, are sufficient to meet the requirements in Part 2B of the SOCI Act in respect of any critical superannuation assets. The same is also true for the RSE licensee’s third party and supplier contracts which may pose a risk for the RSE licensee’s own compliance with the SOCI Act if not updated to reflect the new requirements.  Existing arrangements are unlikely to address the need to notify the ASD, the short notification timeframes, and the specific notification requirements of the legislation, nor facilitate and reflect the need to comply with regulator directions should intervention powers be exercised.

G+T can advise on the application of the amended SOCI Act to RSE licensees as well as other entities, including assisting with registration as a direct interest holder or a responsible entity where required.  G+T can also assist with updating investment and cyber security documentation to comply with the SOCI Act.
