Changes to critical infrastructure laws may mean more onerous reporting obligations to your sector

Why is the current legislation being amended?

The Security of Critical Infrastructure Act 2018 (Cth) (the SCIA Act) establishes a risk management framework for ‘critical infrastructure assets’ (CIA).

In response to the ever evolving threats to cyber security (see for example, the Colonial Pipeline Co. hack in May 2021 which, because of a compromised password, shut down Colonial Pipeline’s 2.5-million-barrels-of-fuel-per-day-gas-pipeline which runs from Texas to New York and in the end forced Colonial Pipeline to pay a US$4.4 million ransom), the Department of Home Affairs introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (the Draft Bill), into Parliament. The Draft Bill  seeks to implement more onerous reporting obligations for CIAs and provides the Government with additional powers to respond to cyber-attacks that impact critical infrastructure sectors.

What sectors are covered by the Draft Bill?

Currently, the SCIA Act only applies to the gas, water, electricity and port sectors; the Draft Bill will expand the application of the SCIA Act to the following sectors:

• Communications (eg carriers, carriage service providers, intermediaries like mobile service retailers and commercial broadcasters);
• Financial (eg banks and insurance providers);
• Data Storage and Processing;
• Defence;
• Higher Education and Research;
• Energy (eg organisations involved in the production, distribution and supply of electricity, gas or fuel);
• Food and Grocery (eg supermarkets and food and grocery wholesalers);
• Health Care and Medical;
• Space Technology;
• Transport (eg commercial freight, public transport operators and operators of road and rail networks); and
• Water and Sewerage.

What assets are considered ‘critical infrastructure assets

This varies from sector to sector but typically includes infrastructure that is critical to the sector’s operation and is of high value or has or could have an impact on a large portion of the population.

For example, ‘critical defence infrastructure assets’ include assets supplied to the Department of Defence or the Australian Defence Force that consist of or enable a critical defence capability. ‘Critical electricity infrastructure assets’ include electrical generation assets and assets that make up a network, system or interconnector for the transmission or distribution of electricity.

The exact scope of the definition of CIA in each sector will be determined through industry consultation.

Who is responsible for compliance?

‘Responsible entities’ of CIAs are generally the owners or operators, noting that the terminology varies between sectors. This could extend to both public and private sector entities. The responsible entity will be charged with ensuring compliance with the Draft Bill.

Additionally, ‘relevant entities’ of CIAs (responsible entities, direct interest holders who hold direct or joint interest of at least 10% in a CIA, operators and/or managed service providers) may be required to disclose information to the Government that could assist with determining whether any powers under the Draft Bill should be exercised.

What are the new obligations?

The new obligations include:

• maintaining a risk management plan in line with sector-specific rules (which will be co-developed with industry);
• providing a signed annual written report attesting to the risk management program setting out information about hazards and their impact on the particular CIA;
• providing information on cyber security incidents to the Australian Signals Directorate (ASD) within 12 hours for critical incidents and 24 hours for all other incidents; and
• providing CIA ownership and operational information to the Register of Critical Infrastructure Assets (consistent with existing obligations under the SCIA Act). For example, if there is a change in ownership or the CIA is moved to a different location, the Register must be updated. Direct interest holders and responsible entities will be responsible for providing this information.

These obligations will not automatically apply, but can be ‘switched on’ by the Minister for Home Affairs (Minister), where for example, the existing framework does not adequately cover the obligations.

‘Systems of national significance’

Some CIAs may be designated ‘systems of national significance’ by the Minister (having regard to, amongst other things, the interdependencies between the CIA and other CIAs and the level of attractiveness of the CIA to malicious actors).

CIAs that are designated systems of national significance may be subject to additional security obligations including requirements to:

• adopt incident response plans;
• undertake cyber security exercises and vulnerability assessments; and
• provide the ASD with access to system information.

Foreign Investment Review Board (FIRB)

The Draft Bill will amend foreign investment rules including mandatory notification requirements with no threshold value for a ‘notifiable national security action’ such as investing in, or starting, a ‘national security business’ (s81(1) of the Foreign Acquisitions and Takeovers Act 1975).

A ‘national security business’ includes responsible entities for, or direct interest holders in, a CIA. Given the Draft Bill’s proposed expansion across  additional sectors, this will substantially increase the number of entities that will be required to report to FIRB.

As a result, if, for example, a foreign company enters into a joint venture with an Australian entity to construct a major toll road (therefore falling within the proposed definition of a CIA), the investment will need to be reported to FIRB regardless of  the monetary value of the project.

Government powers

The Draft Bill proposes new powers for the Government where:

1. a cyber-security incident has occurred or is imminent;
2. the cyber-security incident impacts or is likely to impact on the availability, integrity, reliability or confidentiality of a CIA;
3. there is a material risk that the incident could seriously prejudice Australia’s economic and social stability, defence or national security; and
4. the Minister is satisfied there are no other applicable regulations that appropriately address the cyber-security incident.

The Minister may authorise the Secretary of Home affairs to give a direction to relevant CIA responsible entities, including:

• information gathering: to provide specific information regarding a cyber-security incident needed to determine whether powers should be exercised. The two reporting entities that may be required to provide information are the direct interest holders and responsible entities of CIAs;
• action directions: to direct the entity to do an authorised act or thing to respond to an incident; and
• intervention requests: to direct the entity to do a specific act or thing including to alter, remove or disconnect parts of a CIA.

Why is it important you comply with the new obligations?

Failure to comply with the obligations under the Draft Bill may attract civil penalties of between $11,100 and $44,400 per breach.

The Draft Bill was introduced into Parliament on 10 December 2020 and the Department of Home Affairs is currently going through a sector-by-sector consultation in order to co-develop sector-specific elements of the Draft Bill.  Given the high level of sector involvement, it is unclear when the Draft Bill will be passed by Parliament.

How can HWLE help you?

If you would like to further understand how these proposed changes will likely impact your business, please contact a member of our team.

This article was written by Marko Misko, Partner, Kevin Lock, Special Counsel and Eleanor Ng, Solicitor.