Critical information: Are you ready for the Security of Critical Infrastructure Act's January reporting deadline – Part 2

By Stuart Cosgriff, Daniel Heywood
07 Feb 2019
Reporting requirements for entities involved in the operation of critical infrastructure assets in Australia were due by 11 January 2019.

On 11 July 2018, the Security of Critical Infrastructure Act 2018 along with the Security of Critical Infrastructure Rules 2018 came into force to introduce three measures aimed at safeguarding our critical infrastructure from national security risk.

Entities affected by this Act (Reporting Entities) were required to report and provide information to the Secretary of the Department of Home Affairs by 11 January 2019 and will need to understand and meet their ongoing reporting obligations. Failure to meet the obligations under the Act could result in civil penalties. In part 1 we discussed the reporting requirements. In this article we discuss an approach to obtaining and analysing the information that must be reported.

If you believe you or your business might be affected by this new legislation, you will need to understand and be aware of the following:

  • The type of reporting entity you or your business may be (i.e. a Responsible Entity or a Direct Interest Holder).
  • If there are other personnel or entities within your business that might be reporting entities.
  • What information is required to be reported by each reporting entity by 11 January 2019.
  • How information is to be reported by 11 January 2019.
  • What ongoing reporting obligations there are for each reporting entity.

Responding to the reporting obligations

Set out below is our three-step approach to reporting and providing information to the Secretary of the Department of Home Affairs:

  1. Identify reporting entities and "interest and control".
  2. Collate and validate reporting information for initial and ongoing reporting.
  3. Implement or design a framework or process for ongoing monitoring and reporting.

1. Identification of reporting entities and interest and control

The identification of reporting entities and those entities of interest and control can be challenging. By undertaking business intelligence procedures and interviewing relevant personnel, you can:

  • assess your business to identify if there are any entities or personnel affected by the critical infrastructure legislation;
  • identify the types of reporting entities within your business;
  • identify if a reporting entity has additional reporting requirements for their data maintenance arrangements;
  • identify direct interest holders who must report on 'interest and control' information, including information about the influence or control exerted by higher entities; and
  • summarise and outline the reporting obligations for each reporting entity identified in your business.

Sources of information may include:

  • Interviews with relevant personnel

And the procurement of:

  • Company registers including country specific company registers that can be used to verify information such as legal entity names and ownership structure
  • Company and directorship reports that can be used to identify entity ownership and any potential related parties, associates, ultimate beneficiaries or controlling entities
  • Title and licence searches, including property and water licence searches, that can be used to identify and validate any asset holdings and licences
  • Compliance databases including sanctions lists (e.g. Politically Exposed Persons) that provide information about a specific entity's reputational and ethical track record
  • Adverse media searches drawing from global media databases to identify if companies and/or their directors have been publicly involved with unethical behaviour
  • Other relevant business documents such as business contracts, service level agreements, and other documents that can be used to provide further clarity on business relationships and arrangements

2. Collate and validate information

Data collected should be migrated to a structured database and critically analysed. This process includes a verification of company documents against external and independent sources of information. The preliminary analysis will verify:

  • what operational assets and data maintenance arrangements the business has, including what kind of data is held;
  • who has control or influence over the business, its assets and data arrangements;
  • where the assets or data sit (e.g. the database containing critical water metering information is sitting outside Australia in another country);
  • who is the responsible entity and direct interest holder(s) in the business;
  • what information each identified reporting entity needs to report to the Secretary.

Each of our reports is customised to your needs and can include visual representations of relationships to other persons, entities, asset interest or other countries. Complementing our FTS offering, we are able to work closely with our legal teams to report your information to the Secretary on your behalf, and retain a copy of all reported information on our secured database.

3. Reporting

The final report should be presented as a standalone document, with supporting information attached to the report. Reports may be customised to your needs and can include visual representations of relationships to other persons, entities, asset interest or other countries.

Image of Geospatial Mapping and Organisational Network Analysis

Finally, all of the data collected should be quarantined and securely stored for future reference if required. A copy of the final submission may be drawn upon to respond to inquiries from the Secretary of the Department of Home Affairs.

To talk to an expert and find out how we can help, please contact Stuart Cosgriff on 02 9353 4337 or Daniel Heywood on 03 926 6249.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.