Mandatory cyber-incident reporting and other obligations: here’s what you need to know if you manage critical infrastructure 

14 July 2022

As of 8 July 2022, entities with responsibility for certain critical infrastructure assets are now under an obligation to notify the Commonwealth Government’s Australian Cyber Security Centre (ACSC) of cyber security incidents. These notification obligations carry strict timeframes, being as little as 12 hours for the most critical incidents.

Amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act) late in the term of the last Parliament have significantly expanded the scope of this legislation. These changes bring a much wider range of infrastructure and sectors within the scope of the SoCI Act, and introduce new powers and obligations, especially with respect to cyber security and foreign investment.

A number of key obligations in the amended SoCI Act were left to be enlivened by Ministerial rules. The enactment of the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Rules) on 6 April 2022 started a grace period prior to the commencement of two key obligations. As a result:

  • as of 8 July 2022, entities responsible for prescribed critical infrastructure assets are now required to notify the ACSC of cyber incidents; and
  • ownership and operational information for certain critical infrastructure assets must be provided to the Register of Critical Infrastructure Assets by 8 October 2022.

Background

The SoCI Act provides a legal framework for dealing with the security of Australia’s critical infrastructure and essential services.

In its initial form, the SoCI Act was focussed on reducing the risk of sabotage, espionage or coercion in the gas, water, electricity and ports sectors.

Against the backdrop of increased cybersecurity risks and a deteriorating strategic environment, and as a key initiative of Australia’s Cyber Security Strategy 2020, the scope of the SoCI Act was significantly expanded by two tranches of legislation which passed late in the term of the last Parliament. This expansion significantly broadens both the scope of the infrastructure captured by the SoCI Act, and the relevant powers and obligations arising.

The expanded list of critical infrastructure assets now in the SoCI Act also has flow-on effects for the Foreign Acquisitions and Takeovers Act 1975 (Cth) (FATA), as discussed further below.

Sectors and assets

Where the previous version of the SoCI Act covered only four sectors, the amended version now covers eleven:

  • Communications;
  • Financial services and markets;
  • Data storage or processing;
  • Defence industry;
  • Higher education and research;
  • Energy;
  • Food and grocery;
  • Health care and medical;
  • Space technology;
  • Transport; and
  • Water and sewerage.

Within these sectors there are specific critical infrastructure assets, each with bespoke definitions which set the threshold of criticality for that class of asset.

By way of example, within the health care and medical sector there is one designated class of critical infrastructure asset, being a critical hospital. A critical hospital is defined as a hospital that has an intensive care unit. Other assets within the health sector (such as pharmacies, GPs and hospitals without ICUs) are part of a critical sector, but are not themselves critical assets.

Most of the SoCI Act applies only to critical infrastructure assets, but some provisions relate to anything in a critical sector.

Powers and obligations

Amongst the key features of the amended SoCI Act are new abilities for the Commonwealth Government to assist in the event of cyber incidents affecting critical infrastructure.

The SoCI Act also introduces new obligations on entities responsible for certain critical infrastructure assets to:

  • provide details of the asset for inclusion on a critical infrastructure asset register;
  • notify the ACSC of cyber incidents; and
  • maintain a risk management program addressing certain matters.

In addition, the SoCI Act allows the Minister to declare a critical infrastructure asset to be a System of National Significance (SoNS), enlivening enhanced cyber security obligations.

Government assistance

The amended SoCI Act provides the Commonwealth Government, via the Australian Signals Directorate (ASD), with the ability to take steps in the event that critical infrastructure becomes impacted by a cyber security incident.

Relevant incidents

Under the SoCI Act, ‘cyber security incident’ is broadly defined, and includes acts, events or circumstances involving unauthorised access to, or unauthorised modification of, computer data or computer programs, unauthorised impairment of electronic communication of a computer, or unauthorised impairment of the availability, reliability, security or operation of a computer, computer data or computer program.

These government assistance abilities can be enlivened by the Minister if:

1. there is a cyber security incident which is having a relevant impact on a critical infrastructure asset, by impacting (directly or indirectly):

  1. the availability of the asset;
  2. the integrity of the asset;
  3. the reliability of the asset; or
  4. the confidentiality of information about the asset, or any information or data stored by the asset;

2. there is a material risk that the incident is seriously prejudicing, has seriously prejudiced or will seriously prejudice Australia’s social or economic stability, defence or national security; and

3. there are no other regulatory systems to practically and effectively respond to the incident, noting that these abilities are supposed to be measures of last resort.

We note that:

  • the relevant cyber security incident need not be directly on the critical infrastructure asset – a cyber attack on a non-critical asset could enliven the abilities if it has a flow-on effect which causes a relevant impact on a critical infrastructure asset; and
  • once enlivened (by virtue of the impact on a critical infrastructure asset), the abilities may also be used with respect to non-critical assets in the sector.

Abilities

Once enlivened, Government assistance may take the form of:

  • an information gathering direction, requiring the entity to provide information ‘that may assist with determining whether a power under this Act should be exercised in relation to the incident and the asset’;
  • an action direction, requiring the entity to do an authorised act or thing (or refrain from doing an act) to respond to the incident, if the entity is unwilling or unable to take all reasonable steps itself; or
  • an intervention request, authorising the ASD to intervene.

These intervention requests have proven to be one of the most contentious elements of the amendments to the SoCI Act, as they can authorise the ASD to:

  • access or modify a computer or computer device;
  • undertake an analysis of a computer, program, data or device;
  • install a computer program on a computer if it is necessary to undertake an analysis;
  • access, add, restore, copy, alter or delete a computer program or data held in a computer or computer device;
  • alter the functioning of a computer or computer device;
  • connect or disconnect a computer or a computer device from a network; and/or
  • remove a computer or a computer device from premises.

The Commonwealth’s Cyber and Infrastructure Security Centre notes that this is ‘a last resort option, within a last resort regime, and will only be used in extraordinary circumstances’. A range of safeguards apply before an intervention request can be issued, including the approval of three separate Ministers.

Mandatory cyber-incident notification

Entities responsible for critical infrastructure assets of kinds listed in the Rules are now required to notify the ACSC if and when cyber security incidents occur, within tight timeframes.

Cyber security incidents

There are two types of cyber security incidents that are notifiable under Part 2B of the SoCI Act. These are:

  • critical cyber security incidents, where the responsible entity for a prescribed critical infrastructure asset becomes aware that a cyber security incident has occurred or is occurring, and that the cyber incident has had, or is having, a significant impact on the availability of the asset because:
    • the asset is used in connection with the provision of essential goods or services; and
    • the incident has materially disrupted the availability of those essential goods or services; or
  • other cyber security incidents, where the responsible entity for a prescribed critical infrastructure asset becomes aware that a cyber security incident has occurred, is occurring or is imminent, and that the incident has had, is having, or is likely to have, a relevant impact on the asset.

The law requires the responsible entity to report cyber security incidents to the Australian Cyber Security Centre within 12 hours of becoming aware of a critical cyber security incident, or 72 hours for other cyber security incidents.

These notifications are in addition to any other notifications the entity may be required to make at law. Most significantly, this may involve providing notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals, if the cyber incident constitutes a notifiable data breach under the Privacy Act 1988 (Cth).

Prescribed critical infrastructure assets under this part

The following classes of critical infrastructure assets are prescribed for the purpose of mandatory cyber-incident notification under Part 2B of the SoCI Act:

  • a critical broadcasting asset;
  • a critical domain name system;
  • a critical data storage or processing asset;
  • a critical banking asset;
  • a critical superannuation asset;
  • a critical insurance asset;
  • a critical financial market infrastructure asset;
  • a critical food and grocery asset;
  • a critical hospital;
  • a critical education asset;
  • a critical freight infrastructure asset;
  • a critical freight services asset;
  • a critical public transport asset;
  • a critical liquid fuel asset;
  • a critical energy market operator asset;
  • certain critical aviation assets, including a list of designated airports and the screening and cargo services at those airports;
  • a critical port;
  • a critical electricity asset;
  • a critical gas asset; and
  • a critical water asset.

Entities responsible for these assets are now required to report any cyber security incidents within the timeframes noted above.

Mandatory register of critical infrastructure assets

Registration of ownership and operational information

The second component of the Rules will enliven Part 2 of the SoCI Act. This part requires the responsible entity for a prescribed critical infrastructure asset to provide ownership and operational information[1] to the Register of Critical Infrastructure Assets. This Register is managed by the Cyber and Infrastructure Security Centre (CISC).

The obligation in this part is twofold, including:

  • an initial obligation to report information; and
  • an ongoing obligation to report changes to that information and notify of certain events.

Prescribed critical infrastructure assets under this part

The following critical infrastructure assets must be registered with the Register of Critical Infrastructure Assets by no later than 8 October 2022:

  • a critical broadcasting asset;
  • a critical domain name system;
  • a critical data storage or processing asset;
  • a critical financial market infrastructure asset that is a payment system;
  • a critical food and grocery asset;
  • a critical hospital;
  • a critical freight infrastructure asset;
  • a critical freight services asset;
  • a critical public transport asset;
  • a critical liquid fuel asset;
  • a critical energy market operator asset; and
  • a critical electricity asset or critical gas asset not already caught by the previous version of the SoCI Act.

Mandatory risk management programs

The SoCI Act also provides a framework, yet to be enlivened by regulations, which will require prescribed categories of critical infrastructure assets to have a risk management program. A risk management program is a written program that identifies material risks, the steps taken to minimise or eliminate those risks, and the mitigation strategies that apply.

The SoCI Act also empowers the Minister for Home Affairs to introduce rules in respect of this program. Draft rules published by the former Minister propose that risk management plans must extend not just to cyber security issues, but to four key hazards, namely:

  • cyber and information security hazards;
  • personnel hazards;
  • supply chain hazards; and
  • physical and natural hazards.

A risk management program must be reviewed on a regular basis and updated as required. There is also a requirement for a responsible entity under this part to submit an annual report outlining the assets and the risk management program in place.

Enhanced cyber security obligations for systems of national significance

A critical infrastructure asset can be declared a System of National Significance (SoNS) by the Minister if it is deemed critical to Australia’s social or economic stability, defence or national security, taking into account the degree to which it is interconnected with other infrastructure.

When a critical infrastructure asset is declared by the Minister to be a SoNS, the responsible entity becomes subject to the enhanced cyber security obligations under Part 2C of the SoCI Act.

As part of those enhanced cyber security obligations, the responsible entity for a critical infrastructure asset may be required to:

  • maintain a cyber incident response plan, to be provided to the Government, and to be complied with by the entity should an incident arise;
  • participate in cyber security exercises;
  • undertake vulnerability assessments; and/or
  • provide the ASD with certain information about its systems, or potentially allow the ASD to install software on its systems in order to report system information.

Declaration as a SoNS is protected information under the SoCI Act, and cannot be revealed. We accordingly cannot provide any examples of assets that have been (or will be) designated a SoNS, but it is our understanding that the Minister has already commenced the process of notifying relevant entities of its intention to make those declarations.

Foreign investment in critical infrastructure

Along with amendments to the SoCI Act, the Foreign Investment Reform (Protecting Australia’s National Security) Act 2020 (Cth) forms part of a suite of national security legislation passed in recent years. This Act amended the FATA, so that the FATA now imports definitions associated with critical infrastructure from the SoCI Act.

Accordingly, when the sectors and assets covered by the SoCI Act were expanded, that flowed through to the FATA, and has implications for foreign purchasers of critical infrastructure assets or other assets in critical sectors.

Foreign investment in a responsible entity for, or a direct interest holder in relation to, a critical infrastructure asset is now generally subject to mandatory notification to the Foreign Investment Review Board (FIRB), and requires FIRB approval before proceeding. Where a monetary threshold might apply to any such transactions in other sectors, no minimum transaction value applies where a critical infrastructure asset is involved.

FIRB also has a call-in power, which gives it wide discretion to review other transactions not subject to mandatory notification where it has national security concerns. Investors seeking to avoid uncertainty in this respect can voluntarily notify FIRB of their transaction to avoid being called in. FIRB Guidance Note 8 provides advice as to when it encourages voluntary notification, which tends to align with the SoCI Act’s critical infrastructure sectors, but provides more specific details as to the criteria it considers may raise national security concerns and therefore where notification is encouraged.

By way of example, in the health sector, FIRB:

  • would require notification of any investment in a critical hospital (being a hospital with an ICU), irrespective of the monetary amounts involved; and
  • suggests in its guidance that foreign investment should also be voluntarily notified to FIRB if it involves:
    • a non-critical hospital;
    • a GP or specialist practice;
    • a diagnostic or treatment facility; or
    • a pathology provider,

    and the transaction would result in foreign persons holding sensitive personal information in relation to over 100,000 individuals.

Takeaways

Anyone operating in any of the eleven sectors listed above should take the opportunity to review the criteria for critical infrastructure assets in that sector, to confirm whether they may be captured by the SoCI Act.

If you are responsible for a critical infrastructure asset covered by the Rules then you must at least:

  • have procedures in place to notify ACSC of any critical cyber incident within 12 hours, and any other cyber incident within 72 hours; and
  • report ownership and operational information for your critical infrastructure asset to the CISC, for inclusion on the Register of Critical Infrastructure Assets, by no later than 8 October 2022;

and you should continue to monitor for the commencement of risk management program obligations.

These steps of course are the minimum required by the SoCI Act, and should form part of an organisation’s broader cyber risk minimisation strategy.


[1] Operational information has a specific definition under section 7 of the SoCI Act, including the expanded definition under rule 17 of the Security of Critical Infrastructure (Definition) Rules (LIN 21/039) 2021.

This article was written by Cam Steele, Partner, Daniel Kiley, Special Counsel and Paul Sigar, Solicitor.
