Significant changes to the law with respect to security of critical infrastructure in Australia, including enhanced cybersecurity incident reporting requirements and the inclusion of further asset classes have been passed. On 22 November 2021, the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Bill) passed both houses of the federal parliament of Australia and will come into force after receiving assent, likely before the end of 2021. This legislation amends the Security of Critical Infrastructure Act 2018 (Cth) (Act) in four significant ways.
Expanded Scope of Application
The Bill expands the application of the Act from four asset classes (water, electricity, gas and ports) to eleven sectors covering 22 asset classes, potentially capturing a large swathe of Australian economic activity. An added dimension is that several of the new asset classes require further definition via the creation of sector-specific rules by the Minister for Home Affairs that will define the operational thresholds to classify critical infrastructure assets. Further rules are then needed to switch on the requirement to disclose operational and influence and control information to a confidential register managed by the Minister for Home Affairs.
A prelude to the content of these rules can be found on the Department of Home Affair’s Cyber and Infrastructure Security Centre website (here). By way of example, the draft rules set the electricity generation threshold at 30 MW for a critical electricity asset. This is in contrast with the critical aviation asset definition which does not have a threshold and relies upon the provision of an air service that is owned or operated by an aircraft operator.
Cybersecurity reporting requirements
The Bill will include two new cybersecurity incident reporting obligations where a cybersecurity incident affects or has affected a critical infrastructure asset. The reporting body to which reports are to be made is the relevant Commonwealth body, again to be defined in the rules, or if no body is appointed, the Australian Signals Directorate.
- Critical Cybersecurity Incidents must be reported within 12 hours of the responsible entity becoming aware of the event. An event is critical where it has a “significant impact” – defined as either where an asset being used in connection with the provision of essential goods or services is materially disrupted, affecting its availability, or again as the rules may define. If the first report is given orally, then a written report must be provided within 84 hours of that first report.
- Other Cybersecurity Incidents must be reported within 72 hours of becoming aware of the event and if done so orally, a further written report within 48 hours of the first report. Other events are those which have a “relevant impact” on the critical infrastructure asset, meaning that the availability, integrity, reliability or confidentiality of the asset have been affected.
Government Assistance Powers
The Bill introduces government powers to order private companies operating assets in the newly defined sectors to do, or refrain from doing, an act, require information disclosure, remove hardware equipment and even allow government agencies to take over the operation of assets. These powers are available across not only critical infrastructure assets themselves but also across connected operations and assets in the sector in the event of a significant cybersecurity incident affecting a critical infrastructure asset.
The powers, contained in Part 3A of the amended Act, have been hotly debated by industry and are subject to some oversight by the Parliamentary Joint Committee on Intelligence and Security, but such oversight is limited to the filing of a report. There is little to no recourse for private entities to challenge any such directions and little to no ability to claim compensation for any harm that may be caused by complying with a relevant direction. It remains to be seen when and how such powers will be used, but companies operating in the affected sectors will need to determine how to prepare for such a request, should it occur.
One of the lesser known impacts of the expansion of the definition of critical infrastructure assets is the consequential effect on the definition of “national security business” in the Foreign Acquisitions and Takeovers Act Regulations 2015. A national security business is defined to include responsible entities and direct interest holders as defined in the Act. By expanding the number of critical sectors and assets, the Bill consequently expands the scope of national security businesses to include new responsible entities and direct interest holders across a wide range of different industries.
This will have an immediate impact on foreign investments in entities that are involved in the operation of the ten asset classes that are already defined in the amending Bill (and do not require further rules). Investors will need to consider whether notification (either mandatory or voluntarily where the investment is potentially reviewable under the foreign investment laws) to the Foreign Investment Review Board will be required in order to receive an appropriate clearance for the investment. This obligation will apply for the remaining 12 asset classes once the rules defining these new critical infrastructure assets are finalised.
Once in force, many of the above changes require the relevant parts of the legislation to be “switched on” utilising the Minister’s rule making powers. For the purposes of designating the thresholds for critical infrastructure assets, the rules do not require the minister to consult with affected entities, and it is therefore reasonable to expect that the draft thresholds referred to above may be introduced shortly after the law comes into force. The changes to the register reporting obligations for newly included assets and enhanced cybersecurity reporting obligations both require rules to be made to switch on the obligations and this process will likely begin immediately after the law comes into force.
It is important that organisations understand the application of the law and benefits of making submissions. The rule making process requires a mandatory consultation process of at least 28 days from publication of the relevant rules, with the process for the cybersecurity incident reporting rules further requiring the minister to directly inform entities that may be specified in the rules and provide a written statement in response to any submissions made by that entity. This is a critical juncture for potentially affected organisations to ensure that the application of the registration and cybersecurity incident reporting requirements are appropriately framed and right-sized for your operations.
With only a 28 day window in which to respond, we recommend organisations that are potentially affected begin the work now to:
- understand the scope of application of the laws to your assets and operations.
- consider whether any mixed-use systems may benefit from segregation.
- ensure your policies and processes for escalation and reporting of cybersecurity incidents are able to meet the enhanced reporting obligations.
- be prepared to file submissions to the Minister to ensure that only those assets and operations that are genuinely critical infrastructure assets are included in any rules.
- to the extent any current investment plans involve assets in the expanded definition and may involve foreign investors, assess the potential impact of the changes to the “national security business” definition.
Please get in contact if you require help in understanding the potential impact of the new law on your operations.