The Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act) received assent on 2 December 2021 and amends the Security of Critical Infrastructure Act 2018 (Cth) (SCI Act).
Cyber-attacks are becoming more frequent and serious. Given the interconnectedness of infrastructure assets across Australia, it is entirely appropriate that the Commonwealth Government seeks to protect and secure infrastructure assets, which could have material adverse effects on the Australian economy if they were compromised.
The issue for some is how that control is being achieved.
The SLACI Act has been one of the most contentious pieces of legislation tabled in the last year, mainly because of the potentially onerous obligations imposed on owners and operators of critical infrastructure.
This legislation was fast-tracked due to the perceived threats globally, and the Commonwealth Government now plans to bring in the remainder of its proposed regime this year via the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the Bill), which was introduced into Parliament on 10 February 2022.
Owners and operators of specific "critical infrastructure assets" should be aware that, subject to certain checks and balances, the Australian Signals Directorate and the Australian Cyber Security Centre can now step in and take control of a company's systems if it is subject to a cyber-attack. This means a company could be compelled to install Government software on its networks, allow the Government to access its networks and analyse its data, and comply with directions to do, or refrain from doing, particular things.
If a company is caught by the legislation, the penalties for non-compliance can be significant. Owners and operators of critical infrastructure assets need to be ready.
The Commonwealth Government is still to bring into legislation the remainder of its critical infrastructure security regime via the Bill, meaning that this area of law is still a moving feast.
Critical infrastructure assets are defined in the SCI Act as "those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security".
The SCI Act initially applied this test to the electricity, gas, water and ports sectors. The list of assets has been significantly broadened by the SLACI Act.
Since 2018, owners and operators of critical infrastructure assets in the electricity, gas, water and ports sectors have had six months from the acquisition of the relevant assets, or the start of the asset operation, to register ownership and operational information on the Register of Critical Infrastructure Assets (Register).
The Register is designed to give Government a more detailed understanding of who owns and controls critical infrastructure.
The SLACI Act was progressed into law quite quickly due in part to the perceived growing threat of cyber-attacks on major infrastructure assets in Australia. Most of the obligations it contains commenced on the day following assent (i.e. 3 December 2021).
The SLACI Act widens the definition of what constitutes "critical infrastructure" so that, in addition to electricity, gas, water and ports, the industries captured by the legislation now also include:
communications
data storage and processing
financial services and markets
water and sewerage
energy
healthcare and medical
higher education and research
food and grocery
transport
space technology, and
defence.
In other words, large parts of the Australian economy are covered by the SLACI Act, including sectors that are not usually regarded as infrastructure, for example banking and finance, insurance and supermarkets. For the newly captured industry sectors, there is likely to be a steep learning curve.
In addition to the Register (as noted above), the SLACI Act provides that "responsible entities" (i.e. relevant critical infrastructure owners and operators) must also comply with the following:
Mandatory cyber incident reporting to the Australian Signals Directorate and Australian Cyber Security Centre. "Critical cyber security incidents" must be reported orally or in writing within 12 hours of the owner or operator becoming aware of the incident. Other cyber security incidents that have a relevant impact on the asset must be reported within 72 hours, and all of these timings are relatively short given the time and resources required to manage any security incident, even a minor one. The SLACI Act allows penalties of up to 250 penalty units ($52,500) per offence for companies that fail to report properly. These new reporting requirements need to be considered alongside other reporting requirements that may apply to the same security incident, for example the requirement for APRA-regulated entities to notify APRA within 72 hours (see Prudential Standard CPS 234) and the obligations under the notifiable data breaches scheme in the Privacy Act for any personal information that may be affected.
The 'Government assistance measures' cyber incident response regime, designed to operate as a default mechanism where no other regulatory system provides a response to a cyber incident affecting critical infrastructure. This is intended to enable "last resort" Government assistance powers to deal with serious cyber-attacks. In practice, this regime also increases the information gathering powers of the Department of Home Affairs.
These new Government response powers include:
An information gathering direction, requiring the responsible entity to provide information on the cyber-attack.
An action direction, whereby the Home Affairs Minister can direct an entity to do or not do any action deemed reasonably necessary, proportionate and technically feasible, but only if the responsible entity is unwilling or unable to resolve the cyber security incident. It is unclear how that unwillingness or inability will be established.
Provision for "intervention requests", which amount to step-in rights enabling the Australian Signals Directorate to take control of an asset in limited circumstances.
The Bill is currently with the Parliamentary Joint Committee on Intelligence and Security for consultation.
In its current form the Bill does the following:
Requires entities to adopt risk management programs for critical infrastructure assets (there is some concern that some regulated entities might be subject to several cyber security regimes with inconsistent obligations, which is one reason for the on-going consultation). Sector-specific rules are to be developed in consultation with industry to provide entities with guidance on how to meet the obligations of the risk management program.
Introduces a regime for declaring some assets to be 'systems of national significance', which will be subject to additional obligations including maintaining incident response plans, carrying out cyber security exercises and even allowing ASD reporting software to be installed on their systems.
Allows for a set of Asset Definitions Rules and Asset Application Rules to be produced:
The Asset Definitions Rules came into effect on 14 December 2021 and set the thresholds and circumstances in which an asset is a critical infrastructure asset; for example, they capture the major supermarket operators such as Aldi, Coles and Woolworths as critical to the food and grocery sector.
The consultation period for the draft Asset Application Rules ended on 1 February 2022. These Rules are intended to specify the asset classes to which the mandatory cyber incident reporting obligation, the obligation to provide information to the Register, or both, will apply.
The Bill assumes that all of a responsible entity's assets will be critical infrastructure assets, which is not always the case. However, until the sector-specific rules are released, the safest course is probably to assume the legislation applies to all of a responsible entity's assets.
Transport industry participants should be aware that transport is being dealt with under a separate Bill, the Transport Security Amendment (Critical Infrastructure) Bill 2022. This is at least partly to shift the focus of the legislation as it applies to transport away from terrorism and towards addressing all possible hazards, including weather and natural disasters. (Note: The transport-specific Bill will be the subject of a separate article).
Industry generally has expressed concern at the scope of these new Government powers, claiming they pose additional risks to assets and systems, especially where a Government intervention in an asset could have significant adverse effects on the responsible entity and possibly on the third parties it transacts business with.
Given the expanded remit of the legislation, owners and operators of "critical infrastructure assets" should consider:
Review the status of your asset under the legislation as it is, and as it may shortly be if the Bill is passed, to confirm whether the asset is likely to be a "critical infrastructure asset".
If you are already subject to a cyber security reporting regime under other legislation or regulations (for example, telecommunications or APRA), consider if and how this new regime might impact those obligations.
Adapt your cyber-attack response and recovery plans so that they can meet the mandatory reporting obligations in the SLACI Act; those plans will need to be proactive and comprehensive in regard to cyber security incidents. The plans should also be reviewed continuously against current legislative and regulatory requirements given the pace of law reform in this area (for example, proposed amendments to the Privacy Act 1988), the growth in data sharing capabilities and requirements (for example, the introduction of the Consumer Data Right) and the ever-changing technology in this space.
Update your training programs for directors, who now have far greater accountability for cyber breaches.
The requirements of the SLACI Act could have significant implications for the way in which cyber security teams investigate cyber-attack incidents, as well as how they report on them, which means your cyber security teams may need additional or updated training.
Owners and operators of critical infrastructure assets may have customers who are themselves owners or operators of critical infrastructure assets. You might need to consider whether some of the information required to satisfy the mandatory reporting obligations needs to be passed down the contractual chain, so that you can comply.
If you have not already done so, it would be prudent to implement a training program so that all staff of affected entities are aware of what needs to be done and by when.
Because the SLACI Act has expanded the critical infrastructure sectors, this is expected to widen the scope of "national security business" under the Foreign Acquisitions and Takeovers Act 1975, resulting in more transactions possibly being subject to FIRB approval. The costs and timing of FIRB applications will therefore need to be considered in any purchase or sale transaction involving "critical infrastructure assets".
Participate in the development of sector-specific rules to help refine the scope and content of the obligations for your industry.
----
Originally published on Sparke Helmore