Tell me in 30 seconds
Responsible entities of critical infrastructure assets who are subject to the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (Rules) must comply with a designated cyber security framework (or an equivalent framework) by 18 August 2024. The first annual reports on responsible entities’ critical infrastructure risk management programs (CIRMPs) are also due by 28 September 2024. Against this backdrop, the Cyber and Infrastructure Security Centre (CISC) has recently announced that it will adopt a firmer compliance regulatory posture with respect to the Security of Critical Infrastructure Act 2018 (SOCI Act), with compliance activities to start in the next financial year.
Recap of the CIRMP obligations
The Rules commenced on 17 February 2023 and apply to the responsible entities of the following critical infrastructure assets:
- critical broadcasting assets;
- critical domain name systems;
- critical data storage or processing assets;
- critical electricity assets;
- critical energy market operator assets;
- critical gas assets;
- certain designated hospitals;
- critical food and grocery assets;
- critical freight infrastructure assets;
- critical freight services assets;
- critical liquid fuel assets;
- certain critical payment system assets; and
- critical water assets.
The responsible entities of these assets were required to adopt, maintain and comply with a CIRMP by 18 August 2023. The CIRMP is an ‘all-hazards’ risk management program and must, for each critical infrastructure asset the responsible entity is responsible for:
- identify each hazard where there is a material risk that the occurrence of the hazard could have an impact on the availability, integrity, reliability or confidentiality of the critical infrastructure asset;
- minimise or eliminate any material risk of such a hazard occurring (to the extent reasonably practicable to do so); and
- mitigate the relevant impact of such a hazard on the asset (again, to the extent reasonably practicable to do so).
Compliance with a designated cyber security framework required by 18 August 2024
The Rules require responsible entities to establish and maintain a system or process in their CIRMPs to comply with either:
- one of the cyber security frameworks designated in the Rules, as in force from time to time; or
- a framework that is equivalent to one of the designated frameworks,
by 18 August 2024.
The designated frameworks (and the required level of compliance) are set out below:
FRAMEWORK
|
REQUIRED LEVEL OF COMPLIANCE
|
Example
uses 2
|
Australian Standard AS ISO/IEC 27001:2015 |
- |
|
Essential Eight Maturity Model published by the Australian Signals Directorate |
Maturity level one |
|
Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America |
- |
|
Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America |
Maturity Indicator Level 1 |
|
The 2020‑21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327) |
Security Profile 1 |
|
Importantly, this is not intended to be a static obligation - responsible entities that choose to comply with one of the cyber security frameworks above must ensure that their CIRMPs are updated regularly to incorporate any changes or updates to the relevant framework.
First annual report on CIRMPs due by 28 September 2024
The Rules also require responsible entities to submit an annual report on their CIRMPs to the Department of Home Affairs, within 90 days of the end of each financial year (ie by 28 September each year). The report must:
- state whether the CIRMP was up to date at the end of the financial year; and
- if a hazard had a significant relevant impact on the critical infrastructure asset during the relevant period:
- identify the hazard;
- evaluate the effectiveness of the CIRMP in mitigating the significant relevant impact of the hazard on the asset; and
- if the CIRMP was varied during the financial year as a result of the occurrence of the hazard—outline the variation.
Importantly, this report involves an attestation by the board of the responsible entity confirming that the information contained within the annual report has been approved by the board.
Accordingly, in preparing their annual reports responsible entities should consider the steps required to ensure that directors have the information needed to discharge their directors’ duties in connection with the approval of the annual report. It will also be important to:
- ensure the board has approved the CIRMP as part of the responsible entity’s normal governance arrangements, to enable the board to approve the statements relating to the CIRMP in the annual report;
- if any of the responsible entity’s SOCI obligations have been delegated to other entities within the corporate group, consider whether there may be additional steps required to ensure that the directors of the responsible entity can discharge its directors’ duties in connection with the approval of the annual report; and
- if the responsible entity has a holding company (eg the listed entity within the corporate group), ensure that the board of the holding company has some visibility / oversight over the annual report so that the directors of that board can discharge their directors’ duties.
CISC to commence compliance activities in FY24-25
Since the recent reforms to the SOCI Act, the CISC has been predominantly focussed on raising awareness of the reforms and educating the owners and operators of critical infrastructure assets of their obligations under the SOCI Act. Enforcement action has generally been reserved for egregious cases of non-compliance (for example, where non-compliance is repeated and intentional).
However, the CISC has recently announced that in FY24-25, it will aim to balance this collaborative approach with compliance activities, particularly in relation to:
- the Register of Critical Infrastructure Assets reporting obligation;
- the mandatory cyber security incident notification obligation;
- the CIRMP obligations; and
- notification obligations in relation to data storage or processing providers.
The compliance activities are unlikely to extend to the enhanced cyber security obligations, with the CISC stating that it will continue to partner with the responsible entities for systems of national significance in relation to those obligations.
This change in regulatory posture is intended to drive a further uplift in compliance by the responsible entities and direct interest holders of critical infrastructure assets. The CISC will undertake a limited series of trial audits in the third and fourth quarters of FY23-24, which will be followed by more regular compliance audit activities in the next financial year. It is also worth noting that the CISC has been granted a number of investigation and enforcement powers under the SOCI Act, including enforceable undertakings, injunctions, civil penalties and, in very limited situations, criminal prosecutions.
What does this all mean for you?
Given the increasing focus of the CISC on ensuring and enforcing compliance with the SOCI Act, it is important that responsible entities and direct interest holders of critical infrastructure assets are aware of the SOCI Act obligations that apply to them, and have put in place systems, processes and procedures to satisfy those obligations (including, for those responsible entities who are subject to the CIRMP obligations, compliance with a designated cyber security framework (or equivalent framework) and submission of the CIRMP annual report by the relevant deadlines).
Responsible entities and direct interest holders should also be aware of the proposed amendments to the SOCI Act as part of the Government’s 2023-2030 Cyber Security Strategy, which include expanding the scope to cover data storage systems that store business critical data and a new ‘last resort’ consequence management power for the Minister of Home Affairs. See our previous alert for a summary of the key proposals.