Significant reform to Australia's cyber security laws with passage of critical infrastructure reforms

By Lina Fischer, Joel Von Thien, Minnie Wu and Audrika Haque
23 Dec 2021
Amendments to the Security of Critical Infrastructure Act 2018 (Cth) make company directors personally accountable for a cyber breach, requiring a highly proactive cyber security strategy.

Around the world, there has been an alarming rise in the number of threats against critical infrastructure. In response, the first part of the Government's planned changes to the Security Legislation Amendment (Critical Infrastructure) Bill 2021 have now been passed and came into effect on 2 December 2021 (the Act).

For further information regarding the splitting of the Security Legislation Amendment (Critical Infrastructure) Bill 2021 into two Bills, please see our article here.

The Act amends the previous Security of Critical Infrastructure Act 2018 (Cth) (previous Act), which governs domestic security risks of espionage, sabotage and coercion presented by foreign interference on our national critical infrastructure, and significantly increases the capacity of the Federal Government to enforce obligations for "critical infrastructure" assets. Not only will the Federal Government have unprecedented powers to intervene in the security response of private organisations, but company directors will be held personally accountable for a cyber breach, requiring executives to be highly proactive in their cyber security strategy.

Significant amendments to the critical infrastructure laws

The Act expands the definition of "critical infrastructure sector". The key change is how the previous Act only covered certain assets in the gas, electricity, water, and maritime ports sectors whereas the Act now broadens the definition to additionally cover 11 sectors which have been deemed to be "critical". As a reminder, the 11 sectors are:

  • communications,
  • data storage or processing,
  • financial services and markets,
  • water and sewerage,
  • energy,
  • healthcare and medical,
  • higher education and research,
  • food and grocery,
  • transport,
  • space technology; and
  • the defence industry sector.

The meaning of "critical infrastructure asset" is broadened to incorporate 22 different classes. This notion of a "critical infrastructure asset" covers a much broader range than the previous Act. The effect of this change will be to expand the range of entities with mandatory reporting obligations and subject to the other requirements of the Act, which the Australian Government believes will assist in addressing security threats to our critical infrastructure.

New mandatory notification of cyber security incidents

Part 3A of the Act introduces new, mandatory reporting obligations relating to cyber incidents which will be imposed on those entities responsible for "critical infrastructure assets". The objective of this obligation is to promote an extensive understanding of the threats to critical infrastructure, and to facilitate proactive cyber feedback options.

Under this new mandatory reporting scheme, a responsible entity must report a "critical cyber security incident" within 12 hours of becoming cognisant that the incident has had, or is having, a "significant impact" on the availability of the asset. If an incident has materially impacted the availability of vital products or services provided using the asset, it will be held to have a "significant impact."

In addition, responsible entities are also required to report any other cyber events that have occurred, are occurring, or are imminent within 72 hours of becoming aware that the incident has had, is having, or is likely to have, a relevant impact on the asset.

Notifications to Register of Critical Infrastructure Assets

As a result of the amended legislation, more entities are now responsible for "critical infrastructure assets" and required to provide information to the Government's Register of Critical Infrastructure Assets. If a reporting entity violates the information provision duties, it faces a civil penalty of up to $11,100 (50 penalty units) per day of violation, or $55,500 (250 penalty units) if it is a corporation. The implementation of these substantial penalties mean that directors will now have far greater accountability for cyber breaches. It is therefore essential for businesses to develop proactive and comprehensive response policies in regard to cyber incidents.

Broad Government powers of last resort

The Act will also introduce "government assistance and intervention measures". This scheme gives the Australian Government "last resort powers" in instances where no regulatory mechanism exists to deliver an outcome to a cyber incident which affects a critical infrastructure asset which contains a material risk that the incident is seriously prejudicing, or is likely to seriously prejudice:

  • the social or economic stability of Australia or its people;
  • the defence of Australia; or
  • Australia’s national security.
  • The Act allows the Minister for Home Affairs to authorise the Secretary of Home Affairs to direct an entity to do certain things to respond to incidents, provided that the entity has been consulted and the Minister is satisfied that the entity is unwilling or unable to take all reasonable steps to respond to the incident and that the direction is reasonably necessary, proportionate and technically feasible.

    Alternatively, the Minister may authorise an information gathering directive or, having consulted the Prime Minister and Minister for Defence, have the Government intervene to take action itself e.g. by employing the capabilities and resources of the Australian Signals Directorate’s Australian Cyber Security Centre.  

    The implications for operators and owners of applicable critical infrastructure assets

    The Act significantly broadens the ambit of what was previously regarded as "critical infrastructure", and entities must revise their response procedures for cyber attacks to ensure compliance with the mandatory reporting obligations. If you think your organisation may be an entity covered by the Act you should ensure you have procedures to meet the information-provision criteria for the Register of Critical Infrastructure Assets and are set to comply with the mandatory notification requirements.

    The steps required to bring compliance in line with the Act's requirements may be nominal for certain entities that are already governed by existing legislative or regulatory cyber security regimes. However newly covered entities will need to take steps to ensure their compliance.

    The Act represents a crucial development in the cyber security sphere. Please get in touch if you require any assistance in ensuring your organisation's compliance with the new requirements.

    Disclaimer
    Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.