Security of critical infrastructure update

14 July 2022

Suzy Cairney
Partner
Sparke Helmore Lawyers

Suzy Cairney
Partner
Sparke Helmore Lawyers
t: +61 7 3016 5009

With over 25 years’ experience in Australia and overseas, Suzy is a skilful major projects lawyer. She was born in Scotland, and after a few years travelling the world, she now calls Queensland home. Suzy is a recognised Legal Influencer for Infrastructure – Australasia (Lexology Content Marketing Awards for Q1 2019). She also serves on the Board of Professional Engineers Queensland, the Board of the Infrastructure Association of Queensland (and past Deputy Chair) and the Queensland Committee of Redkite.

All.Corporate & Commercial.Mining & Resources

In response to the increasing seriousness and frequency of cyber-attacks, and as a result of recent changes to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), the mandatory reporting of cyber security incidents affecting critical infrastructure assets has now commenced. This legislation and its speedy implementation are designed to allow the Commonwealth Government to protect and secure infrastructure assets that could have material adverse effects of the Australian economy if compromised.

In our previous article, we reported on the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act), which was the first tranche of legislation to amend the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth), which was the second tranche. The reporting of cyber security incidents became mandatory through the first tranche of amendments, and has now become effective, following the expiry of a transition period.

The expanded definitions of what constitutes “critical infrastructure” and the mandatory cyber security notification requirements in the SLACI Act have been ‘switched on’ by the application rules^[1] which took effect on 8 April 2022.

Entities should by now be aware of whether they are caught by this legislation.

What’s new?

The cyber security reporting obligations imposed by the SLACI Act commenced on 8 July 2022^[2]. Affected organisations in the following sectors must be ready to comply with these obligations now:

Communications
Data storage or processing
Financial services and markets
The water and sewerage
Energy
Healthcare and medial
Higher education and research
Food and grocery
Transport
Space technology
Defence industry

Each responsible entity must notify the relevant Commonwealth body if it becomes aware of a cyber security incident.

If the cyber security incident has had a significant impact on the critical infrastructure asset- as soon as practicable and in any event, within 12 hours after the entity becomes aware that the cyber security incident has occurred, is occurred or is imminent.^[3]

If the cyber security incident has had a relevant impact on the critical infrastructure asset- As soon as practicable, and in any event, within 72 hours after the entity becomes aware that the cyber security incident has occurred, is occurring or is imminent.^[4]

A “cyber security incident” could be any of the following:

unauthorised access to, or modification of, computer data or a computer program
unauthorised impairment of electronic communication to or from a computer, or
unauthorised impairment of the availability, reliability, security or operation of a computer, computer data, or a computer program.

A "significant impact" is generally where the cyber security incident materially disrupts the availability of essential goods or services, which will be a question of fact and degree in each case.

A "relevant impact" includes any other impact on the availability, integrity, reliability, or confidentiality of the critical infrastructure asset.

Additionally, the Minister for Home Affairs now has various powers to respond to serious cyber security incidents. These powers are detailed in our previous article, and include the ability to give a direction to a responsible entity to do, or refrain from doing, a specified act or thing. This is a broad power and it will be interesting to see how it is used in practice.

Next steps

Responsible entities of critical infrastructure assets should by now have considered and integrated the provisions described in this article into their risk management frameworks, disaster management plans and training programs for relevant staff. It would also be prudent to open dialogue with the Department of Home Affairs if you have not already done so, to better understand what assistance it can provide and what its expectations are.

Further information and assistance can be found at https://www.cyber.gov.au/.

If we can help you with preparing or implementing systems, policies and procedures for this legislation, please contact Suzy Cairney of our construction team at Suzy.Cairney@sparke.com.au.

^{[1] Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 issued by Minister for Home Affairs under section 61 of the SOCI Act. The reporting obligations extend to: critical broadcasting assets; critical domain name systems; critical data storage or processing assets; critical financial market infrastructure assets that are a payment system; critical food and grocery assets; critical hospitals; critical freight infrastructure assets; critical freight services assets; critical public transport assets; critical liquid fuel assets; critical energy market operator assets; and critical electricity assets and critical gas assets that were not critical infrastructure assets before the commencement of s18A of the SOCI Act.}

^{[2] Three months after the commencement of the rules.}

^{[3] SOCI Act, s30BC(1)(d).}

^{[4] SOCI Act, s30BD(1)(d).}

20-03-2024 | Modernising the WorkCover Scheme – what this means for third party insurers?

01-03-2024 | AI providing opportunity for insurance industry to transform itself by embracing change

08-02-2024 | Timeframes to be imposed for making initial and reviewable decisions under the SRC Act from 1 April 2024

23-01-2024 | Western Australia announces landmark reforms to building laws

22-01-2024 | Closing Loopholes Part 1 - Commonwealth Wage Theft Laws

20-12-2023 | In the Loop - Same Job, Same Pay measures

Media room