The Security Legislation Amendment (Critical Infrastructure) Act 2021 was submitted and enacted on 2 December 2021, and a new set of amendments will be submitted in early 2022, to form a second Bill. A draft version of the Bill discusses three main requirements:
- Risk Management Programs
- Enhanced Cybersecurity Obligations
- Declarations of Systems of National Significance
Risk Management Programs
This section states that any entity responsible for one or more critical infrastructures must have, and comply with, a Risk Management Program. The purpose of this program focuses on:
- Identifying each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
- Minimizing or eliminating any material risk of such hazard occurring; and
- Mitigating the relevant impact of such a hazard on the asset.
The responsible entity must submit a report each year related to this program for the critical infrastructure, which should be approved by the board or council of this entity.
A more in-depth discussion of the rules, penalties and annual reporting requirements can be discussed with our team.
Enhanced Cybersecurity Obligations
This section sets out enhanced cybersecurity obligations that relate to systems of national significance. The entity responsible for a system of national significance may be subject to statutory incident response planning obligations, and may even be required to undertake a cybersecurity exercise, or a vulnerability assessment.
If a computer is a system of national significance, or is needed to operate a system of national significance, the responsible entity of the system may be required to:
- Give the Australian Signals Directorate (ASD) periodic reports of system information; or
- Give ASD event-based reports of system information; or
- Install software that transmits system information to ASD.
For more information about the statutory incident response planning obligations, cybersecurity exercises, the vulnerability assessment requirements, or any of the reports for the system information and the special software for transmitting system information, our professional team can offer you expert advice.
Declarations of Systems of National Significance
The draft of the Bill states that the Minister may privately declare a critical infrastructure asset to be a “system of national significance”. This can only be done by notifying each reporting entity for an asset that is a declared system of national significance.
If a reporting entity for an asset that is a declared system of national significance ceases to exist, or becomes aware of another reporting entity for the asset, the entity must notify the Secretary of the ASD.
If your critical infrastructure asset is declared to be a system of national significance, be aware that new measures and procedures are required in order to comply with the new obligations, and this is where our team can step in to ensure all of your organisation’s reporting and compliance requirements are met.
Author: Mahdi Kobeissi, Cybersecurity Consultant