Critical Infrastructure Update: Risk management program obligations under the SOCI Act now ‘turned on’

In late 2021 and early 2022 the Australian Government significantly enhanced both what is caught as and the obligations that apply to critical infrastructure to address the increasing cyber threats facing Australia. However, many businesses in the new sectors now covered by the SOCI Act are not aware that they are now subject to the SOCI Act, what thresholds apply, what their new obligations under the SOCI Act are and to what those obligations apply

With industry consultation concluding in late November 2022 the Minister for Home Affairs has now registered the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (RMP Rules). These rules specify the critical infrastructure asset classes which are subject to the Risk Management Program obligations set out in the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). The RMP Rules also detail the specific requirements for a critical infrastructure risk management program (CIRMP).

This represents the last of the positive obligations under the SOCI Act to be ‘turned on’, with the obligations to (i) supply information towards maintaining a Register of Critical Infrastructure Assets and (ii) notify certain cyber security incidents both becoming live (or ‘turned on’) last year.

Which critical infrastructure assets are captured?

Similar to how the first two positive obligations under the SOCI Act were operationalised (i.e. ‘turned on’), the RMP Rules do not enliven the CIRMP obligations for all critical infrastructure assets. Instead, CIRMPs are only required for certain specified critical infrastructure asset classes, being:

• critical broadcasting assets;
• critical domain name systems;
• critical data storage or processing assets;
• critical electricity assets;
• critical energy market operator assets;
• critical gas assets;
• designated hospitals;
• critical food and grocery assets;
• critical freight infrastructure assets;
• critical freight services assets;
• critical liquid fuel assets;
• critical financial market infrastructure assets mentioned in paragraph 12D(1)(i) of the Act (assets owned or operated by an Australian corporation holding an Australian market licence and which are used in connection with the operation of a financial market critical to the security and reliability of the financial services and markets sector); and
• critical water assets.

These CIRMP obligations do not apply to the other critical infrastructure asset classes (i.e. those not included above).

What are the CIRMP requirements for responsible entities of the covered asset types?

The CIRMP obligations set out in Part 2A of the SOCI Act require the 'responsible entities’ (as defined for each relevant asset class in the SOCI Act) to adopt and maintain a critical infrastructure risk management program (i.e. CIRMP) with respect to their relevant assets. This is a written program applying to an entity with respect to one or more of its critical infrastructure assets that fall into the relevant asset classes (i.e. those listed above). Once a CIRMP is adopted the responsible entity must regularly review, update and comply with its CIRMP (as well as submit an annual report to either the relevant Commonwealth regulator or Secretary with respect to this).

The purpose of a CIRMP is stated to be, broadly, to identify hazards posing a material risk that, if such hazards occurred, would have a relevant impact on the given critical infrastructure asset/s. Further, a stated aim of a CIRMP is to minimise or eliminate (if possible) the chances of these hazards occurring and to mitigate the degree to which such hazards would impact the given critical infrastructure asset/s. The RMP Rules provide useful insight, examples and guidance as to how these requirements are to be put into practice.

‘Material risk’ and ‘hazards’: insight from the RMP Rules

The RMP Rules flesh out what amounts to a ‘material risk’ for the purposes of a CIRMP and also provide guidance on what is required of responsible entities for the relevant assets with regards to specific types of hazards.

Under the RMP Rules ‘material risk’ includes anything that causes a stoppage, major slowdown, interference or substantive loss of access to the critical infrastructure asset or one of its major functions or critical components. With respect to ‘hazards’, the RMP Rules require responsible entities to prepare their CIRMP considering ‘all hazards’. Therefore, instead of limiting the focus of your CIRMP to only the most relevant hazards (from the entity’s perspective), the CIRMP must also consider:

• Cyber and information security hazards;
• Personnel hazards;
• Supply chain hazards; and
• Physical security hazards and natural hazards.

As such, the RMP Rules represent a considerable shift (or uplift) to the comprehensive proactive preparation of responsible entities for the relevant assets. This is reinforced by the additional requirement that responsible entities will need to comply within 18 months with at least one of the following cyber security frameworks:

• Australian Standard AS ISO/IEC 27001:2015;
• Australian Signals Directorate’s Essential Eight Maturity Model (achieving maturity level one);
• National Institute of Standards and Technology (USA)’s Framework for Improving Critical Infrastructure Cybersecurity;
• Department of Energy (USA)’s Cybersecurity Capability Maturity Model (achieving maturity indicator level one); or
• Australian Energy Market Operator’s 2020-21 AESCSF Framework Core (achieving security profile one).

Timeline and penalties

There is a 6-month grace period (starting on 17 February 2023) in which responsible entities for the relevant assets can prepare and implement their CIRMP. At the end of this period (i.e. 17 August 2023) all responsible entities for the relevant assets must be compliant with the RMP Rules (unless exempted by rules made under the SOCI Act or by holding a hosting certification). During this grace period responsible entities will need to determine quickly if they are responsible for any relevant assets and, if so, what the relevant hazards are (and what material risk they pose) and prepare their CIRMP in relation to such.

Failure to adopt or maintain a CIRMP or failure to meet any of the attenuating obligations with respect to their CIRMP (with the exception of the annual reporting requirement) carries a penalty for companies of 1,000 penalty units ($275,000) per day of the contravention. If an entity fails to comply with (i.e. fully implement) its adopted CIRMP then the same penalties apply with respect to that failure (per day). Failure to meet the annual reporting requirement with respect to their CIRMP carries a penalty for companies of 750 penalty units ($206,250) per day of the contravention.

Our team has deep technology, industry and hands-on expertise with respect to assessing and advising companies on their SOCI Act obligations. If you are unsure of how to approach the new CIRMP obligations, or whether or not the RMP Rules extend these obligations to you, our team can provide market leading practical assistance. For further information on what SOCI obligations might apply to your organisation and how we can help, please see our ‘SOCI Compliance Health Check Brochure’ below. 

Download SOCI Compliance Health Check Brochure