The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill) has passed Parliament, amending the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
The original SOCI Bill has been extensively amended over the past 12 months as a result of Parliamentary committee inquiries and consultation processes, which have significantly altered the Government's original draft.
A tale of two Bills
Following the recommendations of the Parliamentary Joint Committee on Intelligence and Security (PJCIS), the original SOCI Bill was split into two amendments: Bill One (the SOCI Bill as passed by Parliament) and Bill Two (for which there is no timeframe for passing).
The PJCIS recommended splitting the bill into two to expedite the passing of government powers to address increasing security threats to Australia’s critical infrastructure and to enable further industry consultation on new security obligations and sector-specific rules.
Bill One, which will commence imminently, increases the scope of the SOCI Act and introduces new government powers deemed vital for maintaining the security of Australia’s critical infrastructure. The key amendments in Bill One include:
- The expansion of the sectors regulated. The businesses and industries which fall within the SOCI Act have been significantly expanded. Government no longer deems critical infrastructure to be limited to the original four sectors of electricity, gas, ports and water. The SOCI Act now applies to 11 broadly framed sectors which cover large portions of the economy, including sectors that are not traditionally considered to be infrastructure (for instance, financial services, banks and markets, supermarkets, data storage or processing, communications, education and transport).
- New reporting and notification obligations. Responsible entities (i.e. owners and operators of critical infrastructure assets) must notify the Australian Signals Directorate (ASD) of cyber security incidents which have a ‘significant impact’ on an asset within 12 hours. Non-compliance carries civil penalties. A ‘significant impact’ is an incident which has materially disrupted the availability of essential goods or services provided using the asset (or as otherwise specified in sector-specific rules). All other cyber security incidents must be reported within 72 hours. This will have significant implications for the way cyber security teams conduct investigations and report on cyber incidents.
- New government response powers. The SOCI Bill has introduced extensive government powers in responding to cyber security incidents:
- an information gathering direction, requiring a responsible entity to provide information in relation to a cyber security incident (for instance, the impact of the incident on the asset);
- an action direction, whereby the Home Affairs Minister can direct an entity to do, or refrain from doing, any action deemed reasonably necessary, proportionate and technically feasible, but only if the entity is unwilling or unable to resolve a cyber security incident; and
- step-in rights (termed ‘intervention requests’), which provide the ASD a ‘last resort’ power to take control of an asset where an entity is unwilling or unable to resolve a cyber security incident.
In accordance with the PJCIS recommendations, the remainder of the amendments proposed under the original SOCI Bill will be deferred to Bill Two to allow further consultation with industry on the scope of the proposed obligations and potential regulatory overlap. Bill Two is expected to include:
- New positive security obligations on responsible entities. These include a requirement to adopt risk management programs for critical infrastructure assets. Some entities have existing security obligations, for instance, APRA-regulated entities are already required to provide risk management declarations in accordance with CPS 220 and undertake systematic testing of information security controls under CPS 234. As such, these proposed amendments have left many regulated entities concerned that they will be subject to multiple cyber security regimes with inconsistent obligations.
- A regime for the declaration of, and obligations relating to, systems deemed to be of national significance (SONS). As currently proposed, responsible entities of SONS will be subject to additional obligations, including maintaining incident response plans, undertaking cyber security exercises and (in some circumstances) allowing the installation of ASD’s reporting software.
Key takeaways and next steps – Bill One
Responsible entities of critical infrastructure assets must ensure their cyber security and notification procedures are aligned with the new reporting obligations outlined in the SOCI Bill. Whilst entities in sectors which are currently subject to similar regulations (such as the telecommunications and financial services sectors) may be able to leverage existing cyber security and notification processes, this is a significant regulatory burden for entities in other sectors which are now deemed to be critical infrastructure. Operators of critical assets in industries not previously regulated will need to ensure they put in place appropriate cyber incident monitoring and reporting systems in order to comply.
Generally, the SOCI Bill assumes that all assets and systems of a responsible entity are critical infrastructure assets so as to be subject to the reporting obligations and government powers, unless excluded by the sector specific rules. These sector-specific rules are yet to be released, but are expected to more precisely specify the scope of assets to be captured by the regime. Consequently, the regulatory burden is likely to be high in the short-term, but may be wound back in the future.
For instance, ‘critical banking assets’ are defined to include all assets and systems of an authorised deposit-taking institution that are deemed critical to the sector.
Similarly, ‘critical telecommunication assets’ capture all assets owned by a carriage service provider and used in connection with the supply of carriage services. This lack of refinement means that in many cases, responsible entities will need to assume that the obligations under the SOCI Bill apply to all of their assets and systems (not just those which may ordinarily be considered ‘critical’). In some instances, the SOCI Bill goes beyond assets owned by a responsible entity and captures a responsible entity’s supply chain, such as cloud storage or data processing providers. Responsible entities will need to review vendor contracts to ensure they contemplate compliance with the new government powers. This may include requiring vendors to provide assistance to responsible entities in responding to directions from the government and the ASD (for instance providing information on a cyber security incident or facilitating access to a critical asset).
The new government response powers go beyond the measures other members of the ‘Five Eyes’ alliance have implemented. Throughout the SOCI Bill’s consultation process, industry consistently voiced concerns with these powers, noting that they posed an additional risk to assets and systems. For instance, if not exercised with extreme caution and the relevant technical expertise, any intervention with an entity’s critical assets could have significant, unintended and detrimental ramifications for both the entity and third parties. Following the PJCIS recommendations, the Home Affairs Secretary is now required to provide the PJCIS with reports about incidents in response to which the new government powers have been exercised. However, this may be of little comfort to responsible entities given that there is no prescribed timing for the reporting and judicial review of any government direction or intervention remains unavailable under the SOCI Act.
Key takeaways and next steps – Bill Two
The PJCIS recommended Bill Two be postponed due to the current uncertainty as to the application and requirements of the positive security obligations. The precise requirements were due to be prescribed in ‘sector-specific rules’, however these are yet to be developed.
It is unclear when Bill Two will be introduced to Parliament; however, the Department of Home Affairs has already recommenced the consultation process, hosting a forum with industry to plan next steps. This consultation process presents a further opportunity for industry to gain clarity on the scope of the obligations to be imposed under Bill Two and to align these obligations with existing regulatory frameworks. For example, the risk management obligations imposed on the communications sector could be coordinated with the requirements already mandated by the Telecommunications Sector Security Reforms.
Organisations should assess the application of the legislation to their business, and if they are considered to be a responsible entity should participate in sector consultations to ensure that their obligations are clear and do not contradict, duplicate or cut across existing regulations.