24 November 2021
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill) has passed Parliament, amending the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
The original SOCI Bill has been subject to extensive amendments over the past 12 months as a result of Parliamentary committees and consultation processes which have significantly altered the Parliament’s original draft.
Following the recommendations of the Parliamentary Joint Committee on Intelligence and Security (PJCIS), the original SOCI Bill was split into two amendments: Bill One (the SOCI Bill as passed by Parliament) and Bill Two (for which there is no timeframe for passing).
The PJCIS recommended splitting the bill into two to expedite the passing of government powers to address increasing security threats to Australia’s critical infrastructure and to enable further industry consultation on new security obligations and sector-specific rules.
Bill One, which will commence imminently, increases the scope of the SOCI Act and introduces new government powers deemed vital for maintaining the security of Australia’s critical infrastructure. The key amendments in Bill One include:
In accordance with the PJCIS recommendations, the remainder of the amendments proposed under the original SOCI Bill will be deferred to Bill Two to allow further consultation with industry on the scope of the proposed obligations and potential regulatory overlap. Bill Two is expected to include:
Responsible entities of critical infrastructure assets must ensure their cyber security and notification procedures are aligned with the new reporting obligations outlined in the SOCI Bill. Whilst entities in sectors which are currently subject to similar regulations (such as the telecommunications and financial services sectors) may be able to leverage existing cyber security and notification processes, this is a significant regulatory burden for entities in other sectors which are now deemed to be critical infrastructure. Operators of critical assets in industries not previously regulated will need to ensure they put in place appropriate cyber incident monitoring and reporting systems in order to comply.
Generally, the SOCI Bill assumes that all assets and systems of a responsible entity are critical infrastructure assets, and so are subject to the reporting obligations and government powers, unless excluded by the sector-specific rules. These sector-specific rules are yet to be released, but are expected to specify more precisely the scope of assets captured by the regime. Consequently, the regulatory burden is likely to be high in the short term, but may be wound back in the future.
For instance, ‘critical banking assets’ are defined to include all assets and systems of an authorised deposit taking institution that are deemed critical to the sector.
Similarly, ‘critical telecommunication assets’ capture all assets owned by a carriage service provider and used in connection with the supply of carriage services. This lack of refinement means that in many cases, responsible entities will need to assume that the obligations under the SOCI Bill apply to all of their assets and systems (not just those which may ordinarily be considered ‘critical’). In some instances, the SOCI Bill goes beyond assets owned by a responsible entity and captures a responsible entity’s supply chain, such as cloud storage or data processing providers. Responsible entities will need to review vendor contracts to ensure they contemplate compliance with the new government powers. This may include requiring vendors to provide assistance to responsible entities in responding to directions from the government and the ASD (for instance providing information on a cyber security incident or facilitating access to a critical asset).
The new government response powers go beyond the measures other members of the ‘Five Eyes’ alliance have implemented. Throughout the SOCI Bill’s consultation process, industry consistently voiced concerns with these powers, noting that they posed an additional risk to assets and systems. For instance, if not exercised with extreme caution and the relevant technical expertise, any intervention with an entity’s critical assets could have significant, unintended and detrimental ramifications for both the entity and third parties. Following the PJCIS recommendations, the Home Affairs Secretary is now required to provide the PJCIS with reports about incidents in response to which the new government powers have been exercised. However, this may be of little comfort to responsible entities given that there is no prescribed timing for the reporting and judicial review of any government direction or intervention remains unavailable under the SOCI Act.
The PJCIS recommended Bill Two be postponed due to the current uncertainty as to the application and requirements of the positive security obligations. The precise requirements were due to be prescribed in ‘sector-specific rules’, however these are yet to be developed.
It is unclear when Bill Two will be introduced to Parliament; however, the Department of Home Affairs has already recommenced the consultation process, hosting a forum with industry to plan next steps. This consultation process presents a further opportunity for industry to gain clarity on the scope of the obligations to be imposed under Bill Two and to align these obligations with existing regulatory frameworks. For example, the risk management obligations imposed on the communications sector could be coordinated with the requirements already mandated by the Telecommunications Sector Security Reforms.
Organisations should assess the application of the legislation to their business, and if they are considered to be a responsible entity should participate in sector consultations to ensure that their obligations are clear and do not contradict, duplicate or cut across existing regulations.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.