The grace period for Reporting Entities to report prescribed information in respect of Critical Infrastructure Assets (CIAs) expires on 8 October 2022.
New reforms brought about by the Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act) and the accompanying Rules have created significant additional compliance obligations for many corporate entities and State Government bodies in all Australian States and Territories.
Is your organisation required to comply with the reporting requirements of the SoCI Act?
The SoCI Act may oblige your organisation to report certain information to the Secretary of the Department of Home Affairs, and to keep that information up-to-date (Reporting Requirements), if your organisation is a Reporting Entity (Responsible Entity or a Direct Interest Holder) in respect of a CIA.
In ascertaining whether your organisation is subject to the Reporting Requirements, the first question to ask is whether it owns, operates, controls, manages or has other significant involvement with a CIA. Under the SoCI Act, there are 22 different classes of CIA, as follows:
- critical telecommunications asset
- critical broadcasting asset
- critical domain name system
- critical data storage or processing asset
- critical banking asset
- critical superannuation asset
- critical insurance asset
- critical financial market infrastructure asset
- critical water asset
- critical electricity asset
- critical gas asset
- critical energy market operator asset
- critical liquid fuel asset
- critical hospital
- critical education asset
- critical food and grocery asset
- critical port
- critical freight infrastructure asset
- critical freight services asset
- critical public transport asset
- critical aviation asset
- critical defence industry asset
Each of these classes of CIA has a specific definition under the Act. A number of these classes of CIA are defined by reference to objective criteria, such as a ‘critical public transport asset’ which is defined as a public transport network or system that is managed by a single entity and is capable of handling at least five million passenger journeys per month.
As mentioned above, ‘Responsible Entities’ and ‘Direct Interest Holders’ are Reporting Entities for the purposes of the SoCI Act and are subject to the Reporting Requirements.
The SoCI Act identifies the Responsible Entity for each of the classes of CIA referred to above. The test to be applied in identifying the Responsible Entity is different for each class of CIA. In most cases, the Responsible Entity is the entity that has operational control of the asset.
A Direct Interest Holder is defined in the SoCI Act as being a party that (together with that party’s associates) holds an interest of at least 10% in the CIA or holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset. Parties that only have an interest in a CIA due to a moneylending arrangement are deemed not to be Direct Interest Holders.
If you are concerned that any assets owned, operated, managed or controlled by your organisation may be CIAs for the purposes of the SoCI Act, we recommend that you seek legal advice as soon as possible.
What does your organisation need to do, to comply with the Reporting Requirements?
Responsible Entities of CIAs must report operational information to the Secretary of the Department of Home Affairs to be entered into the Critical Infrastructure Register. They must ensure that the information is kept up-to-date, i.e. must report if information previously provided becomes inaccurate or incomplete, or if another entity becomes a reporting entity in respect of the CIA.
Direct Interest Holders of CIAs must provide interest and control information to the Secretary of the Department of Home Affairs and must also comply with the obligation to keep reported information up-to-date, referred to above.
There is a penalty of 50 penalty units (currently $55,500 for a corporation) for each non-compliance with these requirements.
For the classes of CIA that have already had these obligations ‘switched on’, Reporting Entities must provide the required information by no later than 8 October 2022. Once this information is provided (whether on or before 8 October 2022), the obligation to keep the information up-to-date is enlivened.
Other obligations under the Security of Critical Infrastructure Act
The particular obligations that will apply to your organisation and its assets will largely depend on:
- whether the assets are categorised as Critical Infrastructure Sector Assets, Critical Infrastructure Assets, or Systems of National Significance (these terms are explained below); and
- the class that your asset falls into (e.g. whether it is a critical public transport asset, critical freight asset, etc.) and whether the regulations have ‘switched on’ particular obligations for that class of assets.
Below is an example of how the various obligations under the SoCI Act will apply to the assets in a Critical Infrastructure Sector.
The SoCI Act identifies 11 sectors of the economy as Critical Infrastructure Sectors (CIS), which have been deemed crucial sectors of the Australian economy. The Critical Infrastructure Sectors include:
- data storage or processing;
- financial services and markets;
- water and sewerage;
- health care and medical;
- higher education and research;
- food and grocery;
- space technology; and
- defence industry.
A Critical Infrastructure Sector Asset (CISA) is any asset which relates to a CIS.
While many assets will be captured by this definition, it is not expected that the SoCI Act will have a significant impact on these assets. CISAs are only subject to action and information gathering directions in response to cyber security incidents. Additionally, the Rules or the Minister may declare a CISA to also be a CIA, in which case the more onerous positive security obligations will apply.
Directions given by the Minister
The SoCI Act also empowers the Minister for Home Affairs to issue or approve the issuance of a direction to a Responsible Entity, Direct Interest Holder or Operator of a CIA or CISA to take (or refrain from taking) certain actions in limited prescribed circumstances. Contravention of such a direction may constitute a criminal offence with a maximum penalty of two years’ imprisonment and 120 penalty units (currently $26,640 for an individual and $133,200 for a corporation).
What’s coming next?
Currently, the Commonwealth government is developing Rules, in consultation with the relevant industries, for the implementation of Critical Infrastructure Risk Management Programs.
In general, once these obligations have been ‘switched on’, Responsible Entities for CIAs will be required to adopt, maintain, comply with, review and update a critical infrastructure risk management program in respect of the CIA. A critical infrastructure risk management program is a written document the purpose of which is:
- to identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the CIA;
- to minimise or eliminate any material risk of such a hazard occurring; and
- to mitigate the relevant impact of such a hazard on the asset.
Once ‘switched on’, there will be a penalty of 200 penalty units (currently $222,000 for a corporation) for each non-compliance with these obligations.
The Responsible Entity must also produce an annual report relating to its critical infrastructure risk management program, with a penalty of 150 penalty units (currently $166,500 for a corporation) for non-compliance.
This article was written by Alex Ottaway, Special Counsel, and Michael Graziano, Solicitor.