Business leaders and regulators have long thought of “critical infrastructure” as systems that deliver utilities such as water and electricity. No longer. As countries grapple with increased cyberattacks and other threats, many are considering an entirely new regulatory paradigm. Australia is no exception. In fact, it is among the first countries to consider expanding its infrastructure protection laws to cover a significant range of the sectors that make up the national economy. This is a significant expansion that will have implications for many organisations right across the economy.
Australia has had laws to protect its critical infrastructure since 2018, when the Commonwealth government introduced the Security of Critical Infrastructure Act 2018 (SOCI Act) to better protect about 200 of Australia’s most important electricity, gas, water and port assets. The government is now seeking to expand this legislation to cover more sectors of the economy and to increase its powers to understand situations and take action if problems occur. It is doing so by amending the SOCI Act via the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill), which will introduce new reporting and compliance obligations for companies. The bill is being reviewed by the Parliamentary Joint Committee on Intelligence and Security.
The 11 extra sectors that will be covered by the SOCI Act are:
Communications; financial services and markets; data storage and processing; defence; higher education and research; energy; food and grocery; healthcare and medical; space technology; transport; and water and sewerage.
The new reporting obligations for organisations responsible for certain critical infrastructure assets (as designated by regulatory rules) are expected to include:
- Disclosing operational and ownership information about the assets
- Developing and complying with critical infrastructure risk management programs
- Notifying the Australian Cyber Security Centre about cybersecurity incidents.
Businesses that operate “systems of national significance” may also be subject to more extensive reporting and compliance obligations.
As well as increasing the obligations on business organisations, the SOCI Bill expands the powers available to the Commonwealth to gather information and respond to cybersecurity incidents. These powers include measures the government may take to help organisations in critical infrastructure sectors respond to cyberattacks.
“The Commonwealth proposal will represent a significant expansion of government powers and obligations. Potentially impacted organisations, and the directors who sit on the boards of these organisations, will need to consider the implications and prepare accordingly.”
What’s the best response?
We recommend directors take a four-step approach to the new legislation:
- Notify your cloud provider if you own or operate a critical infrastructure asset. If the SOCI Bill is passed, the most important step will be to notify your cloud provider if you believe you own or operate a relevant asset.
Under the Bill, any organisation identified as the owner or operator of a critical infrastructure asset that provides business-critical data to a cloud provider will be required to put the provider on notice. The government may apply financial penalties if organisations fail to do so.
All affected organisations will need to identify the sector (or sectors) in which they conduct business — and which functions within these sectors involve the use of infrastructure classified as critical — to identify what should be considered business-critical data.
- Consider engaging with the rule-setting consultation process. How the SOCI Act is implemented in practice will be shaped by the rules that are set for each of the 11 sectors named in the Act. The rule-setting consultations provide an opportunity for organisations to ensure that any new obligations are clearly defined and do not overlap or conflict with other requirements. The consultations are also a forum for discussing how new approaches can leverage existing practices and standards within a sector, or in a specific area such as cybersecurity.
For these reasons, we recommend organisations learn more about the process and consider participating. Further information about the consultations is available on the Department of Home Affairs website (homeaffairs.gov.au).
- Seek to leverage cloud providers’ cybersecurity and compliance investments. Some organisations will automatically meet a significant proportion of the new reporting and risk management obligations imposed by the SOCI Bill because their regulated data is managed by a compliant cloud provider. This is because the relevant responsibilities have been passed to the provider, and they will in turn implement — or have already implemented — the systems and protocols to ensure compliance.
At this point, cloud providers cannot say definitively what compliance services they can provide because the legislation has not been finalised and enacted. However, that makes this the perfect time for organisations to reach out to their cloud providers and start the compliance conversation. For example, organisations should ask their cloud providers whether they are engaged with the legislative process, and what measures they have in place that likely will meet their obligations as an owner of critical infrastructure assets within the data storage or processing sector.
- Consider waiting for the regime to be finalised before making changes. Once the legislation is passed and an implementation time frame is set, potentially impacted entities should consider the implications of those measures on commercial arrangements with any suppliers of critical infrastructure–related services and obtain appropriate advice if necessary.
The Commonwealth proposal will represent a significant expansion of government powers and obligations. Potentially impacted organisations, and the directors who sit on the boards of these organisations, will need to consider the implications and prepare accordingly.
AICD position statement
A significant aspect of the SOCI Bill is new, wide- ranging government powers to intervene in the event of a cyber incident. The powers would be used in emergency circumstances and allow the Secretary of Home Affairs, upon approval by the Minister, to direct an entity to take a particular action. This could include directing an entity to shut down a service. The breadth of the directions provisions is considerable and may result in instances where complying with a direction could present a conflict with existing director duties.
The AICD has written to the government to recommend that the proposed immunity provisions in the SOCI Bill are broadened to ensure directors of impacted entities are protected. Comprehensive immunity will provide comfort to senior decision-makers of entities — including directors — that there is appropriate protection if complying with an obligation or direction under the Act results in a conflict with other duties.
Additional information on the government’s critical infrastructure measures.