On 10 December 2020, the Commonwealth House of Representatives introduced an amendment Bill which, when passed, will significantly expand the scope and operation of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). On 3 February 2021, the Senate Standing Committee for the Scrutiny of Bills published its comments which, if adopted, would not significantly change the scope or operation of the Bill.
The amended SOCI Act would bring a wide range of new areas under the umbrella of Australia’s critical infrastructure, including data processors, domain name systems, telecommunications providers, broadcasting services and more.
The amendments include a range of positive security obligations, which will impose on responsible entities for specified critical infrastructure assets:
- An obligation to provide information to a critical infrastructure register;
- An obligation to notify the Secretary of Home Affairs of certain notifiable incidents;
- An obligation to have, maintain and comply with critical infrastructure risk management programs;
- An obligation to notify the Australian Signals Directorate (ASD) of cyber security incidents in relation to critical infrastructure assets; and
- Enhanced cyber security obligations on particular assets which are deemed by the Commonwealth Minister for Home Affairs to be “systems of national significance”.
The amended SOCI Act will also include powers for the Minister to give directions in response to certain security incidents.
Switching on obligations
Importantly, the positive security obligations will apply once Rules are prescribed which ‘switch on’ each class of critical infrastructure asset. The new SOCI Act will require that these Rules be developed in consultation with industry. Alternatively, the Minister may privately make declarations to switch on particular security obligations where, in addition to other threshold requirements, publicly announcing that a particular asset is critical infrastructure or that it is subject to certain requirements would cause a security risk.
What businesses can do now
Businesses should conduct a review of their assets to determine which of them are likely to be deemed critical infrastructure assets. While it may be another 6 to 12 months before the Rules have ‘switched on’ any positive security obligations, many contracts which are entered into now will still be in effect when the positive security obligations become effective or a ministerial direction is given in relation to that asset.
Therefore, proactive businesses which suspect that they may become responsible for critical infrastructure assets should consider introducing clauses into their standard trading terms now that address what both parties must do to ensure compliance in the event that SOCI obligations come into effect.
This article was written by Jennifer Huby, Partner and Michael Graziano, Law Graduate.