Australia: An overview of the Critical Infrastructure Protection Act

On 1 April 2022, the Parliament of Australia announced that, following a number of debates and amendments, it had passed the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 ('the Act'), which was assented to on the same day, and entered into effect on 2 April 2022. The Act was proposed by the Australian Department of Home Affairs ('the Government') in December 2021, with the intention of enhancing the resilience of Australia's critical infrastructure to security risks, including cyber-attacks. OneTrust DataGuidance discusses the Act and gives an overview of the key areas of its contents.

Important aspects of the Act

Critical infrastructure Risk Management Program

Perhaps most notably, the Act has introduced the requirement for entities responsible for one or more critical infrastructure assets to create and maintain a Risk Management Program ('RMP'), unless an exemption applies.

The Act specifies that the purpose of the RMP is to do the following for each of those assets (Section 30AA of the Act):

  • identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
  • so far as it is reasonably practicable to do so, minimise or eliminate any material risk of such a hazard occurring; and
  • so far as it is reasonably practicable to do so, mitigate the relevant impact of such a hazard on the asset.

In this regard, the Act clarifies that an RMP is a written program that applies to a particular entity that is the responsible entity for one or more critical infrastructure assets, and the purpose of which is to do the following for each of those assets (Section 30AH(1) of the Act):

  • identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
  • minimise or eliminate any material risk of such a hazard occurring, so far as it is reasonably practicable to do so;
  • mitigate the relevant impact of such a hazard on the asset, so far as it is reasonably practicable to do so; and
  • comply with such requirements (if any) as are specified in the rules.

Furthermore, the Act stipulates that a responsible entity must give an annual report relating to its RMP. If the entity has a board, council, or other governing body, the annual report must be approved by the board, council, or other governing body (Section 30AA of the Act).

In addition, the Act outlines the following responsibilities of these entities, among other things:

  • if an entity is the responsible entity for one or more critical infrastructure assets, and the entity has adopted a critical infrastructure risk management program that applies to the entity, the entity must review the program on a regular basis (Section 30AE of the Act); and
  • if an entity is the responsible entity for one or more critical infrastructure assets, and the entity has adopted a critical infrastructure risk management program that applies to the entity, the entity must take all reasonable steps to ensure that the program is up to date (Section 30AF of the Act).

Systems of National Significance

In addition to the RMP, Part 2C of the Act describes enhanced security obligations that relate to Systems of National Significance ('SoNS'). In determining whether or not an asset should be classified as a SoNS, the following must be considered:

  • the consequences that would arise for the social or economic stability of Australia or its people, or the defence or national security of Australia, if a hazard were to occur that had a significant relevant impact on the asset;
  • if the Minister for Home Affairs ('the Minister') is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets, the nature and extent of those interdependencies; and
  • any other matters (if any) as relevant.

Division 2 of Part 6A of the Act sets out the process in which the Minister can declare a critical infrastructure asset to be a SoNS. Notably, the Minister will need to provide the responsible entity of the asset with notice of the proposed declaration, including the reasons for making the declaration. Further to this, unless a shorter period of time has been specified, an entity subject to a declaration will have 28 days to make submissions to the Minister about the same.

Enhanced cybersecurity obligations

Notably, Part 2C of the Act outlines that, once an asset has been designated a SoNS, the Secretary of the Department of Home Affairs ('the Secretary') may require the responsible entity for the asset to comply with one, or multiple, of the enhanced cybersecurity obligations ('ECSOs') introduced by the Act. In this regard, the Act outlines the following four main ECSOs:

  • Statutory incident response planning obligations: if the Secretary decides that the statutory incident response planning obligations are applicable, the entity must adopt, maintain, and comply with an incident response plan ('IRP') regarding its assets. It must also provide a copy of the IRP to the Secretary (Division 2, Part 2C of the Act).
  • The requirement to undertake cybersecurity exercises: these are intended to test the relevant ability and preparedness of the entity to respond to cyber incidents that could have an impact, and its ability to mitigate the impacts of cyber incidents on the system (Division 3, Part 2C of the Act).
  • The requirement to undertake vulnerability assessments: the Secretary may require the responsible entity to complete a vulnerability assessment in respect of the relevant asset. In this regard, the assessment tests the vulnerability of such assets to cyber incidents (Division 4, Part 2C of the Act).
  • The provision of access by the Australian Signals Directorate ('ASD') to system information: if a computer is a SoNS, or is needed to operate a SoNS, the relevant entity for such a system may be required to give the ASD periodic or event-based reports of system information, or to install software that transmits system information to the ASD (Division 5, Part 2C of the Act).

Moreover, further requirements relating to the above ECSOs may be specified in rules to be released by the Minister, which are yet to be published.

Supplementary factsheets – key information to know

Upon the Act taking effect, the Government outlined that it recognises that engagement and education will be crucial to the success of these reforms. In this regard, the Government published the following four factsheets:

  • 'The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022' ('Factsheet One');
  • 'Risk Management Program' ('Factsheet Two');
  • 'Systems of National Significance/Enhanced Cyber Security Obligations' ('Factsheet Three'); and
  • 'Use and Disclosure of Protected Information' ('Factsheet Four').

Moreover, the Government stated that these factsheets will be supplemented by additional, more detailed guidance material developed with industry, which had not yet been released at the time of writing. The information from the abovementioned factsheets includes the following, among other things:

Factsheet One

Meaning of a Critical Infrastructure Asset

Factsheet One states that the specific meaning of these assets can be found in Sections 5, 9, and 10-12KA of the Security of Critical Infrastructure Act 2018 ('the SOCI Act'), and the Security of Critical Infrastructure (Definitions) Rules 2021. As such, Factsheet One clarifies that the meaning of an asset includes a system, network, facility, computer, computer device, computer program, computer data, and premises.

Further, Factsheet One specifies that an asset may be prescribed as a critical infrastructure asset under Section 9 if certain thresholds are met, including that the asset relates to a critical infrastructure sector. In this regard, Factsheet One adds that the Minister may also privately declare an asset under Section 51 of the SOCI Act to be a critical infrastructure asset if certain thresholds are met.

In addition, Factsheet One confirms that the Minister must consult with the responsible entity for that asset before an asset is declared and notify the responsible entity within 30 days after making the declaration.

Responsibility for complying

Depending on the obligation, Factsheet One explains that the responsibility for complying with the framework will sit with either the responsible entity or Direct Interest Holders, who are defined as follows:

  • a responsible entity is the body with ultimate operational responsibility for the asset; and
  • the term direct interest holder refers to entities that hold a direct or joint interest of at least 10% in a critical infrastructure asset, or who hold an interest and are in a position to directly or indirectly influence or control the asset.

Factsheet Two

Material risk

Factsheet Two defines a 'material risk' to a critical infrastructure asset as including the risk of impairment, stoppage, loss of access to, or interference with the asset. Further to this, Factsheet Two specifies that it also includes a risk to the asset of the impact resulting from sending information outside Australia and a risk associated with remote access to the asset. Moreover, Factsheet Two highlights that entities will have a responsibility to take an 'all-hazards' approach when identifying these risks and must have regard to the likelihood of a hazard occurring, in addition to the relevant impact of the hazard on an asset if the hazard were to occur.

Relevant impact

Factsheet Two defines a 'relevant impact' as an impact on the availability, integrity, and reliability of the asset, and the impact on the confidentiality of information about the asset, information stored in the asset, if any, and, if the asset is computer data, the computer data. Moreover, Factsheet Two specifies that the relevant impact may be direct or indirect; however, it must be more serious than a reduction in the quality of service being provided.

Meaning of 'so far as it is reasonably practicable'

Factsheet Two clarifies this requirement as seeking for responsible entities to do what was, at a particular time, reasonably able to be done to address those risks. Moreover, Factsheet Two elaborates that the expectation is not for responsible entities to eliminate risk entirely, but to reduce the likelihood and consequences of material risks to the extent that it is reasonably able to be done. As such, it clarifies that there is no expectation that entities pursue risk mitigation measures that are disproportionate relative to the likelihood and consequences of a particular risk.

Factsheet Three

ECSOs

Under the ECSOs, the Secretary may require the responsible entity for a SoNS to undertake one or more prescribed cybersecurity activities. The Secretary must have regard to the cost, the reasonableness and proportionality of the prescribed activity and any other matters the Secretary considers relevant in deciding whether an entity should be required to undertake ECSOs.

Further to this, the responsible entity of a SoNS may be required to adopt, maintain, and comply with an IRP. An IRP is a written plan detailing how an entity will respond to cybersecurity incidents that affect its systems. These obligations will assist entities to articulate 'what to do' and 'who to call' in the event of a cyber incident. This response plan must be provided to the Secretary as soon as practicable after the adoption.

Vulnerability assessments

The responsible entity of a SoNS may be required to undertake a vulnerability assessment in relation to the SoNS within a specified period. The assessment may be conducted against all or one or more types of specified cybersecurity incidents. A vulnerability assessment is a cybersecurity evaluation of a critical infrastructure asset's systems. This can include (but is not limited to) evaluating the governance, risk, and change management processes for an organisation, as well as a technical verification of systems cybersecurity controls and system architecture. The Secretary of the Department may require that a Departmental officer perform this vulnerability assessment.

Factsheet Four

Protected information

Factsheet Four states that protected information is information obtained in the course of exercising powers, or performing duties or functions under the Act. Importantly, Factsheet Four confirms that the phrase 'protected information' under the Act is different from the 'protected' security classification under the Australian Government's Protective Security Policy Framework.

Moreover, Factsheet Four states that the full definition can be found in Section 5 of the Act.

Why information is protected

In this regard, Factsheet Four clarifies that information provided by critical infrastructure owners and operators to the Government, in accordance with the Act, may be commercial-in-confidence or sensitive information relating to specific security procedures or systems used by the asset. As such, Factsheet Four states that it is essential this information is protected, both to safeguard commercial information and to prevent malicious use of the information to exploit a security risk. As a result, Factsheet Four elaborates that the unauthorised use or disclosure of protected information may pose risks to Australia's national security, Australia's most critical assets, and the community that relies on the products and services provided by such assets.

Disclosure of protected information

Factsheet Four explains that the protected information framework is intended to allow a responsible entity to share protected information when it deems it is necessary within the parameters of the given framework. In light of this, Factsheet Four elaborates that each disclosure will therefore depend on the circumstances of that disclosure and, as such, it is a matter for each responsible entity to satisfy itself that the disclosure is permitted under the exemptions to the general prohibition. Moreover, Factsheet Four contains answers to a number of frequently asked questions regarding the disclosure of protected information.

Unauthorised use of protected information

Factsheet Four confirms that the unauthorised use or disclosure of protected information attracts an offence that is punishable by imprisonment for two years, or 120 penalty units, or both.

Exceptions

Factsheet Four confirms that, as long as the entity can identify a relevant purpose under one of the exceptions in Part 4 and, where required, discloses to one of the specified entities, an entity is authorised to disclose that information. In this regard, Factsheet Four confirms the following exceptions when a disclosure is:

  • in performance of functions or duties: an entity may make a record, use, or disclose protected information for the purposes of exercising the entity's powers, or performing functions or duties, under the Act (Section 41(a) of the Act);
  • for compliance purposes: an entity may make a record of, use, or disclose protected information for the purposes of ensuring compliance with the Act (Section 41(b) of the Act);
  • secondary use and disclosure: an entity may make a record of, use, or disclose protected information if the information was obtained in accordance with the authorised disclosure provisions in the Act (Sections 41-43D), and the secondary use or disclosure was for the purposes for which the information was disclosed in the first instance (Section 44 of the Act);
  • in good faith and in purported compliance: if an entity makes a record of, uses, or discloses protected information but does so in good faith and in purported compliance with Sections 41-43D of the Act or a notification provision (Section 46(3) of the Act), then the entity has not committed an offence under Section 45 of the Act;
  • with the consent of the entity: an entity may use or disclose protected information with the express or implied consent of the entity to which the protected information relates (Section 46(4)(c) of the Act);
  • to the entity: an entity may disclose protected information if it is to the entity to which the protected information relates (Section 46(4)(a) of the Act);
  • required or authorised by law: the offence provision for the unauthorised use or disclosure of protected information does not apply if the making of the record, use, or disclosure is required or authorised under:
    • a Commonwealth law; or
    • a law of a State or Territory and is specified in a rule made under the Act (Section 46(1) of the Act);
  • to a Government entity: an entity may also disclose protected information if it relates to themselves, and is for the purposes of enabling or assisting a second entity to exercise their powers or perform their functions or duties (Section 43E(1) of the Act);
  • with the Secretary's consent: an entity may seek the consent of the Secretary (or specified delegates) of the Department to disclose certain protected information that relates to the requesting entity (Subsection 43E(2) of the Act); and
  • by the Secretary: the Secretary has additional powers to disclose protected information to certain persons for certain reasons (see Sections 42, 43-43B, and 42A of the Act).

Conclusion

In conclusion, although many Australian businesses may be caught by the reforms, it will be important to evaluate which of the new obligations apply. Finally, the Risk Management Program Rules are still subject to further public consultation of at least 28 days, following which they will be finalised.

Chanelle Nazareth, Privacy Analyst