2021 is set to see further updates to the Security of Critical Infrastructure Act 2018, with the addition of 11 different sectors.
With the increase in cyber-attacks worldwide, securing Australia’s critical infrastructure has never been so important. Ensuring there are safeguards in place for critical infrastructure and systems that control essential services, like transport, communication networks, and power and water distribution networks, is vital to protect the safety and economic well-being of Australia and its people.
It is for this reason that Government has heightened its focus on strengthening the security of Australia’s critical infrastructure, which has meant updates to the Security of Critical Infrastructure (SOCI) Act 2018.
What are these changes?
In aligning to the main objectives of Australia’s Cyber Security Strategy 2020, which heavily focuses on protecting Australia’s critical infrastructure providers from cyber threats, the recent updates to the SOCI Act have expanded its scope to include more sectors. While previously only covering the electricity, gas, water and port sectors, the new amendments encompass 11 additional sectors. These include:
- Data storage and processing
- Financial services and markets
- Food and grocery
- Higher education and research
- Healthcare and medical
- Space technology
- Water and sewerage.
How does this affect your business if you fall within one of these sectors?
These critical infrastructure sectors will need to follow a series of positive security obligations enhancing cyber security. Mandatory reporting requirements will need to be fulfilled, which include sector-specific requirements. Government will now be allowed to assist/intervene in response to any significant cyber threats posing a risk to that entity.
What are the positive security obligations?
This comprises three points:
- Reporting operation and ownership information to Government to help them understand who has access to critical infrastructure assets, through the implementation of a Register of Critical Infrastructure Assets.
- Adopting and maintaining a critical infrastructure risk management program to manage and mitigate risks, which must be reported annually. Further sector-specific rules will be developed.
- Reporting cyber security incidents to the Australian Signals Directorate, to build a better understanding of the cyber security risks to critical infrastructure and to aid in developing a proactive or reactive cyber response plan.
But what does this Government intervention mean?
While Government’s focus is to protect Australia’s national interests, it is not yet clear what this intervention will look like and what impact it will have on these sectors. Additionally, questions about what impact this assistance could have on operational companies that are not headquartered in Australia or operate on offshore markets remain to be answered.
What about industry-specific rules and non-compliance?
Workshops between Government and industry around sector-specific regulations will be held in early 2021. Businesses within these industries are invited to attend to discuss how these obligations will apply to their sector and how the obligations will interact with already existing regulations.
The changes are expected to take effect in mid-2021, and all businesses are expected to work together with Government to protect the critical infrastructure that all Australians rely on. Steep penalties will apply for failure to comply with these regulations once the bill passes: civil penalties of between $11,000 and $44,000 per breach, or up to two years imprisonment for failing to act upon direction.
In the long run, the expectation is that all industries have a role to play in the development of Australia’s cyber security resilience. This is why it is vital that all businesses look at their cyber security protocols and plan for long-term regulatory compliance by putting an established security framework in place.
What can you do?
Deloitte, in its newsletter about The Impact of Cyber on ‘Critical Infrastructure’ in the next normal, points out cyber considerations for newly categorised critical and essential sectors:
- Regulations are not, and never have been, security frameworks. When reassessing cyber risk, it is critical to evaluate enterprise risk through a data security lens that adapts to an evolving threat landscape, not a compliance lens that seeks only to meet regulatory requirements.
- Third parties (or fourth-party subcontractors) with access to an organisation’s systems are a potential threat. Organisations must understand the potential risk from these business partners and implement technical and contractual controls to ensure they comply with cybersecurity policies.
- Newly critical organisations need to review and evolve their cyber incident monitoring, response and reporting capabilities. Doing this effectively will enable them to limit the impact of cyber-attacks, and to remain both secure and compliant.
If you are uncertain about how compliant your security is, or how these rules can affect you, please talk to us. We can provide insight into what frameworks need to be implemented and help you ensure that you fulfil all cyber security obligations.