New federal government starts to flex its SOCI muscle

Following the federal election, the new Labour government and, in particular, the new Minister for Home Affairs Clare O’Neil have been taking their time to get to understand the Security of Critical Infrastructure regime and the priority activities. According to a recent press article, the Department has been busy declaring certain assets as Systems of National Significance (SoNS) across several sectors and while this first tranche of SoNS are evidently important to the Australian economy and national security, it is likely that further assets will be declared SoNS in the future. Note that a declaration as a SoNS is itself protected information and organisations should consider how to appropriately manage information relating to such a declaration (and other protected information) within their information governance framework.

In parallel, Home Affairs has issued some guidance in relation to the new cyber incident reporting requirements that went live on 8 July 2022. Understanding these obligations, and how they apply to your organisation’s assets and cyber-incident response process, remain priority activities for many responsible entities. In addition, the 8 October 2022 deadline for registering information on the department’s Critical Infrastructure register is fast approaching, with information sessions being scheduled during September.

Meanwhile, industry continues to await the anticipated publication of the draft Risk Management Program (RMP) rules. Two sets of rules, those determining which sectors and assets will be subject to the RMP requirements, and rules detailing mandatory considerations and the time line for compliance are expected.

A set of Draft RMP rules was published as an annex to the Explanatory Memorandum accompanying the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022. These Draft RMP rules included requirements for responsible entities as to which risks were to be considered material, as well as detailed requirements for four risk domains (Cyber, Supply Chain, Personnel and Natural Hazards). These rules are still to be published for the mandatory 28-day consultation process and are, as yet, not applicable. However, in a guidance document, Home Affairs encourages relevant organisations to begin the risk management uplift required given that for many entities, this will be a multi-year journey and the relevant risks are applicable today.