How to prepare for upcoming Security of Critical Infrastructure obligations
Reporting processes and the management of cyber security incidents are high priorities for entities which own or are responsible for critical infrastructure assets.
With a wider range of assets now covered by the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) – including those in communications, energy, healthcare and medical, financial services and markets, higher education and research, data storage and processing, transport, water and sewerage, food and grocery, defence and space technology – many will be wondering where to start to ensure compliance with their new reporting and cyber security obligations, especially as many of those obligations started from 8 July 2022. In this article we will set out the high priorities, and the important steps you should be taking now.
Critical asset register reporting
Under the amended SOCI Act, entities that are deemed to be a “reporting entity” for a critical infrastructure asset will be required to provide information to the Secretary of the Department of Home Affairs for inclusion in a critical asset register.
Reporting entities include each “responsible entity” and each “direct interest holder” in the critical infrastructure asset. A responsible entity is generally one that owns or operates the asset or is otherwise prescribed in the rules. A direct interest holder is an entity (other than a moneylender) who together with any associates of that entity:
- holds an interest of at least 10% in the asset; or
- has an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.
Civil penalties apply for a failure to report the required information. However, the current potential fines are relatively low – with each contravention attracting a fine of 50 penalty units (currently, $11,100).
The information which responsible entities must report includes:
- the location of, and area serviced by, the asset (together with details of the responsible entity);
- a description of the arrangements under which each operator operates the asset;
- a description of the arrangements under which certain data relating to the asset is maintained. The relevant kinds of data include information maintained by a third party about:
- systems needed to operate the asset;
- risk management and business continuity for the asset; and
- research and development related to the asset.
The description of the arrangements under which such data is maintained must also include details of the entity and the address where the data is held (notably, to the extent practicable, the address where computers or servers holding the data are located – regardless of whether those servers form part of a cloud service).
Direct interest holders will be required to report interest and control information (including company details and details of parent companies or other entities in a position to directly or indirectly influence or control the interest holder). Where an organisation is both a responsible entity for, and a direct interest holder of, an asset it must provide both operational information, and interest and control information. Further, where multiple entities within a group are reporting entities, organisations will need to coordinate to ensure that interest and control information is accurately and consistently reported.
The SOCI Act does not specify the precise information that must be provided concerning the arrangements under which a critical infrastructure asset is operated. However, the scope of information required is potentially very broad, and it remains to be seen whether it will be narrowed by guidance issued by the Minister in future. Organisations should be aware that certain information falling within this scope (such as information regarding third party contracts related to the management of an asset) may also be subject to confidentiality restrictions to which the organisation is already subject.
To prepare
- Review the SOCI Act and rules and conduct an internal audit of assets you own or operate to confirm whether you hold any “critical infrastructure assets”.
- If required to comply, prepare the relevant information for reporting on those assets, and co-ordinate a unified response from its company group (if applicable).Update your internal compliance processes to ensure ongoing compliance.
- Before lodging any reports, confirm whether the information is subject to any contractual confidentiality obligations or other restrictions on disclosure (for example requirements to provide notice of the requirement to disclose to a third party) and take any required action in a timely fashion to ensure the information can be reported.
- Review existing contracts relating to the management and operation of your critical infrastructure assets to ensure that service providers will assist you in complying with your obligations under the SOCI Act.
Last date for compliance: 8 October 2022.
Cyber security incident reporting (compliance)
The reforms introduce obligations for responsible entities for critical infrastructure assets to notify the Commonwealth if they become aware of cyber security incidents having an impact on the asset:
- within 12 hours after becoming aware of the impact, if the cyber security incident has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset; or
- within 72 hours after becoming aware of the impact, if the cyber security incident has had, or is likely to have, a relevant impact on the asset (including an impact on the availability, integrity or reliability of the asset or the confidentiality of information about the asset or stored in the asset).
A “cyber security incident” involves any of the following:
- unauthorised access to, or modification of, computer data or a computer program;
- unauthorised impairment of electronic communication to or from a computer; or
- unauthorised impairment of the availability, reliability, security or operation of a computer, computer data, or a computer program.
Entities that store or process “business critical data” on behalf of a State or Federal Government agency or body, or responsible entities for critical infrastructure assets, may themselves be considered responsible entities of a critical data storage or processing asset and subject to the SOCI Act. As such, a single security incident may trigger reporting requirements both for the owner or operator of a critical infrastructure asset and its contracted service providers. This outcome may lead to the possibility of a service provider notifying of the relevant incident before the affected customer, and divergence between the content of the notification submitted by each.
“Business critical data” is broadly defined to include, among other things, personal data, information relating to any systems needed to operate a critical asset, and information relating to risk management and business continuity in relation to a critical infrastructure asset. For example, the following entities may be required to comply with the cyber security incident reporting obligations:
- a contracted service provider that provides a system needed to operate critical infrastructure to a responsible entity (such as a POS system needed to operate a designated supermarket’s retail operations) and processes information regarding that system; or
- a cloud hosting provider that stores business continuity plans on behalf of a responsible entity.
If a responsible entity becomes aware that a provider’s data storage or processing service provided on a commercial basis relates to business critical data, that responsible entity must also take reasonable steps as soon as practicable after becoming aware to inform the service provider that:
- it is providing a data storage or processing service on a commercial basis; and
- such service relates to business critical data of the responsible entity.
Civil penalties also apply for failures to report cyber security incidents or comply with associated obligations (with a fine of 50 penalty units for each contravention).
To prepare
- Review and update your data breach or security incident response plans and processes to allow for reporting of incidents to the Commonwealth within the required timeframes.Test the updated plans and processes and conduct updated training to ensure that individuals involved in implementing plans are aware of the changes.
- Review your contracts with any entities who store or process business critical data for you, and consider including a regime to address compliance with the notification requirements. This could include, for example:
- informing that entity it is storing or processing your business critical data;
- ensuring that a contracted data processing or storage provider does not notify the Commonwealth of a cyber security incident involving your data without first making you aware of the issue; and
- consulting with you on the content of the notification.
- If you are a responsible entity, notify any third parties who store or process business critical data on your behalf.
- If you store or process business critical data on behalf of a responsible entity, be aware that you may yourself be a responsible entity and required to comply with obligations under the SOCI Act.
Date for compliance: These powers are now in force as of 8 July 2022.
Management of cyber incidents by the Australian Signals Directorate
The Minister may issue directions to the responsible entity regarding management of a cyber security incident or request that the Australian Signals Directorate (ASD) intervene and assist in management of a cyber security incident. The Minister may issue these directions where a cyber security incident has had, is having, or is likely to have:
- a “relevant impact” on a critical infrastructure asset; and
- the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice Australia's defence, national security, or social or economic stability.
Responsible entities must comply with these directions.
As yet, there is no guidance regarding what “seriously prejudice” means in this context. However, it is likely that the impact of an incident would be considered on a national basis, and require a significant and wide-spread impact.
To prepare
- If you hold cyber risk insurance, review its terms and confirm whether insurance coverage may be impacted by the ASD’s involvement in the management of a cyber incident.
- Review existing contracts relating to the management and operation of your critical infrastructure assets to ensure that service providers must comply with any directions issued by the organisation or a relevant government authority (such as ASD) in relation to the management of cyber incidents.
Date for compliance: These powers are now in force. They may, however, be exercised more frequently by the Minister as the incident reporting obligations commenced on 8 July 2022 and the Minister becomes aware of incidents as they occur.
Risk management program and enhanced cyber security obligations
Responsible entities will be required to implement and comply with a critical infrastructure risk management program. Responsible entities for assets declared by the Minister to be of national significance will also be required to comply with additional cyber security requirements. The relevant Ministerial Rules, which will specify the affected organisations or classes of assets and deadlines for compliance, have not yet been released for consultation and hence introduced.
Under a draft version of the Ministerial Rules, responsible entities would be required to (among other things) ensure that their risk management programs:
- include details of how cyber and information security threats are mitigated; and
- require them to comply with an external information security standard such as the Australian Cyber Security Centre’s Essential Eight, ISO 27001, NIST or an equivalent standard.
There are fines of 200 penalty units or $44,400 for failure to:
- adopt, maintain, review, update or comply with a critical infrastructure risk management program; or
- comply with enhanced cyber security obligations.
To prepare
If you own or operate critical infrastructure assets, you should continue to monitor the SOCI Act reforms and updated rules to confirm you are impacted by these obligations. If you are impacted:
- When preparing to develop a Risk Management Program, consider and identify:
- any relevant hazards that may have a relevant impact on a critical infrastructure asset; and
- ooptions to minimise or eliminate any material risk of such a hazard or mitigate the relevant impact of that hazard.
- Consider the need for any adjustments to current contracts, business processes and procedures to ensure future compliance, including any Risk Management Program.
- Engage with contractors on how the contractor will comply with the SOCI Act, the organisation’s Risk Management Program and enhanced cyber-security requirements, assist the organisation in complying with and addressing any risks related to the SOCI Act, its Risk Management Program and enhanced cyber-security requirements.
Last date for compliance: To be determined based on Ministerial Rules.