Last year, the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (Amendment Act) introduced amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act) which extended the definition of critical infrastructure from 4 sectors (water, electricity, gas and ports) to 11 sectors, being:
Critical Infrastructure Sectors
Together, these sectors cover 22 different ‘asset’ classes. An ‘asset’ broadly includes a system, network, facility, computer, computer device, computer program, data, premises and any other thing. Affected entities operating in critical infrastructure sectors are now required to upgrade their cybersecurity practices to comply with new mandatory cyber incident reporting obligations. Responsible entities and direct interest holders of critical infrastructure assets are also required to maintain a register of critical infrastructure assets containing specified information about the asset. These obligations will be ‘switched on’ by rules (which will soon follow).
It will be interesting to see how these laws will evolve in this digital age, particularly in relation to new and emerging markets (such as in space technology).
Implications for investors
Investors into Australia need to:
- review their current investment portfolio, to determine the extent that they have invested in any businesses in Australia that may be classified under any of the 11 sectors or 22 different asset classes (Critical Infrastructure Business) and develop a plan to manage those assets; and
- consider when planning on further investment into any companies or businesses in Australia, whether those investments may be classified as investing into a Critical Infrastructure Business.
These questions are particularly acute for overseas investors, who will face scrutiny when investing into a Critical Infrastructure Business - this is discussed in the Overseas Investors section below.
What do the changes brought by the Bill mean for you?
The Bill introduces:
- an additional positive security obligation for responsible entities of critical infrastructure to maintain a Risk Management Program (RMP); and
- enhanced cyber security obligations for entities responsible for assets most critical to the nation, being ‘systems of national significance’.
Risk Management Program
The Minister for Home Affairs may ‘activate’ the RMP obligation for particular critical infrastructure assets to mitigate against the potential hazards that may impact critical infrastructure. It is intended that the RMP would mitigate against hazards such as any prolonged attacks on electricity providers, cyber or terrorist attacks on data centres or failures in food and groceries and freight distribution chains.
The RMP would require responsible entities of particular (not all) critical infrastructure assets to manage the ‘material risk’ of any hazard occurring that poses a risk of impacting the availability, integrity or confidentiality of the critical infrastructure asset. When considering whether a risk is a ‘material risk’, an RMP should have regard to (amongst others):
- whether the hazard would cause the stoppage or major slowdown of a critical infrastructure asset’s functioning for an unmanageable period;
- the substantive loss of access to or deliberate or accidental manipulation of a component of a critical infrastructure asset such as the position, navigation and timing systems impacting provision of service and/or functioning of the asset;
- the relevant impact on the critical infrastructure asset resulting from the storage, transmission or processing of sensitive operational information outside Australia; and
- any other material risks as identified by the entity that go to the substance of the functioning of a critical infrastructure asset.
The Bill sets out the overarching RMP obligations with more prescriptive requirements to be contained in rules. The Draft Risk Management Program rules (Draft RMP Rules) are available for information purposes, noting that these are not the final legal rules.[1]
Feedback from public consultation has indicated that the industry would benefit from more detailed guidance on the application of the Draft RMP Rules. For example, there were some concerns that the Draft RMP Rules did not clearly set out the Government’s expectations when it comes to monitoring and reporting to the board/board committees.
The explanatory document clarifies that entities already subject to equivalent obligations will not have a duplicate RMP imposed on them (for example, critical defence industry assets largely managed through existing frameworks and obligations under the Defence Industry Security Program). At this stage, it is unclear whether this would include businesses that are already required to comply with the GDPR (or equivalent international standards) and that have equivalent obligations to secure personal information in accordance with, for example, Article 32 ‘Security of Processing’ of the GDPR.
Systems of national significance
Part 2C of the Bill sets out enhanced security obligations that relate to systems of ‘national significance’. These will be a smaller subset of critical infrastructure assets that are crucial to the nation by virtue of their interdependencies across sectors and cascading consequences of disruption to other critical infrastructure assets and critical infrastructure sectors.
In determining whether an ‘asset’ is of national significance, the Minister must have regard to:
- the consequences that would arise for the social or economic stability of Australia or its people, or the defence or national security for Australia, if a hazard were to occur that had a significant relevant impact on the asset; and
- if the Minister is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets—the nature and extent of those interdependencies; and
- any other matters (if any) as the Minister considers relevant.
Division 2 of Part 6A of the Bill sets out the process in which the Minister for Home Affairs can declare a critical infrastructure asset to be a system of ‘national significance’. Importantly, the Minister will need to provide the responsible entity of the asset with notice of the proposed declaration, including reasons for making the declaration. An entity subject to a declaration will be provided with 28 days to make submissions to the Minister about the proposed declaration (unless a shorter period is specified).
The enhanced cyber security obligations also introduce:
- statutory incident response planning obligations;
- the requirement to undertake a cyber security exercise to test response preparedness, mitigation and response capabilities;
- the requirement to undertake vulnerability assessments; and
- the requirement to provide system information (which does not include personal information within the meaning of the Privacy Act 1988 (Cth)) to identify whether there has been any compromise to a national security system.
As part of these obligations, the Bill also contemplates a framework for the use and disclosure of ‘protected information’ if that information relates to the entity and is disclosed to a prescribed person or entity for the purposes of enabling compliance with the SoCI Act.
Industry feedback
On 4 February 2022, the Department of Home Affairs (Department), in conjunction with the Cyber and Infrastructure Security Centre (Centre), held its fourth town hall to address industry feedback on the Bill.
Feedback broadly conveyed (amongst others):
- there is an overall need for the Department to publish more detailed guidance to assist relevant entities to comply with their new obligations;
- greater clarity is required about which assets will be declared systems of national significance and to refine certain sector and asset definitions;
- with respect to the use and disclosure of protected information, businesses were concerned about the balance between the protection of commercially sensitive business information and the ability to co-operate with the Government; and
- concerns were also expressed about the cost to the industry to implement these reforms, particularly when it comes to developing co-designed sector specific rules.
The Department emphasised that the present focus was on industry education (as opposed to enforcement). Nonetheless, we highlight that non-compliance with the new laws does give rise to financial penalties.
Overseas investors
FIRB application
The Foreign Acquisitions and Takeovers Act 1975 (Cth) requires mandatory notification to the Foreign Investment Review Board (FIRB) of a proposed “direct investment” in a “national security business” by an overseas investor. Overseas investors include Australian domiciled investors with a substantial proportion of overseas backers.
Relevantly to this article, a national security business is now defined to include responsible entities of critical infrastructure and critical infrastructure assets within the meaning of the SoCI Act. The rationale for this is that foreign investment carries risks related to potential access to and control of these critical assets.
This means that where an overseas investor takes a material interest in a Critical Infrastructure Business, it will need FIRB approval for the investment.
No monetary thresholds
Foreign investors acquiring a direct interest in a Critical Infrastructure Business are required to notify FIRB, regardless of the monetary value of the transaction.
Tracing
Consideration of underlying Australian assets is relevant even where the primary transaction occurs overseas.
Under the FIRB tracing rules, a parent company is deemed to hold the interests held by its subsidiaries in which it holds 20% or more of the equity. This means that an acquisition of an overseas target that has Australian subsidiaries with interests in critical infrastructure assets may require FIRB approval. For example, if the investor intends to acquire a company based in the United Kingdom whose subsidiary has a significant interest in a critical infrastructure asset in Australia, then FIRB approval would be necessary to acquire the UK company.
Next steps
Although your business may be captured by the reforms to the SoCI Act, not all of the new obligations may apply to you. For those impacted by the changes, we recommend you update existing policies to appropriately address the new mandatory reporting (and other positive security obligation) requirements.
[1] https://www.homeaffairs.gov.au/reports-and-pubs/files/risk-management-program-rules.pdf