In Brief: Cyber updates to the Critical Infrastructure Bill
by Jill T, on 02/06/2022 1:38:36 PM
After a lengthy traverse through the various stages of parliament, the final updates to the Security Legislation Amendment of the Critical Infrastructure Protection Act (SLACIP) passed at the end of March, 2022. This Act forms the final part of amendments made to the Security of Critical Infrastructure Act 2018 (SOCI).
These amendments introduced sweeping changes to cybersecurity requirements across critical infrastructure entities, as well as broadening the inclusion of what types of entities are considered to be critical infrastructure.
While the compliance aspects of the changes are considerable, given the ongoing increased cyber threats to this sector the updates have been broadly given the nod of approval from those in the cybersecurity community.
Below we've outlined the pertinent information in terms of who now needs to comply, the types of activities required, and what you can start doing now to ensure you're on track for compliance.
What entities does the SLACIP now affect?
Entities in the immediate commencement group include:
- Critical energy market operator assets
- Critical hospitals
- Critical data storage of processing assets
- Critical domain name systems
- Critical broadcasting assets
- Critical financial market infrastructure assets that are a critical payment system
- Critical liquid fuel assets
- Critical gas assets
- Crticial electricity assets
- Critical water and sewerage assets
Entities in the secondary commencement group include:
- Critical freight infrastructure assets
- Critical freight services assets
- Critical food and grocery assets
When are entities expected to be ready?
Given that we're still waiting for the Risk Management Program Rules to be released, entities in the immediate commencement group are likely looking at a 6 month grace period once the risk management framework has been released, with a period of eighteen months for those having to comply with specific parts of the cyber framework.
What happens if you don't comply?
Failure to comply with requirements changes based upon the specific failure and the type of entity, broken up into what's referred to as "penalty units".
These penalties are considerable, with fines for corporations reaching as much as $222,000 for corporations and $44,400 for non-corporate entities in the event that they fail to take reasonable steps to comply with the risk management program. Other penalty units attributed to failures to submit annual reports can mean a fine of $166,500 for corporations and $33,310 for non-corporate entities.
It's important to note that any entity or person who holds a 10% or above interest (labelled as a direct interest holder in the legislation) in a critical infrastructure asset may also be held liable for failure to comply.
A basic overview of what's necessary to comply
In terms of what a risk management program must contain, the rules are not overly descriptive. However, a risk management program must:
- Identify all hazards that present a material risk to the availability, integrity, reliability and confidentiality of its critical infrastructure asset;
- Mitigate risks to prevent incidents;
- Minimise the impact of realised incidents; and
- Implement effective governance and oversight procedures relating to security.
Additional reporting responsibilities will come into play, with mandatory incident notification timeframes where a significantly impacting incident must be reported within 12 hours, and a relevant impacting incdent must be reported within 72 hours.
Some entities will have to comply with enhanced cybersecurity obligations, these organisations will be contacted directly by the Department of Home Affairs. These enhanced cybersecurity obligations include:
- Developing and maintaining cybersecurity incident response plans
- Performance of vulnerability assessments
- Undertaking cybersecurity exercises
- Provision of access to system information.
What you can do now to be ready
While exact timing for compliance remains relatively unclear, it's important that entities who will be affected by the bill begin preparations. Specifically, all organisations can begin to consider budgetary requirements for the significant amount of costly work that will need to be completed to comply. Estimates by the Department of Home Affairs regarding the average cost required to have full compliance sit at around $9 million to start, with ongoing costs in the arena of $3 million.
- All organisations can begin to prepare asset inventory activities, including identification of owners, operators, and/or direct interest holders.
- Include response plans include processes for the quick identification of cyber incidents and their impact on assets.
- Preparing internal processes and procedures for compliance and reporting
- Look at third parties with a direct involvement in operations and ensure those entities are willing and able to comply with the new regulations.
Our governance, risk, and compliance team can assist Critical Infrastructure Organisations in line with the new legislation. Contact us to speak to a member of our knowledgeable team.