Cyber reforms: Cyber Security Legislative Package 2024
The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (Cth) (SOCI Bill) will amend the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) to give effect to the legislative reforms outlined under Shield 4 of the 2023-2030 Australian Cyber Security Strategy to:
- clarify the scope of critical infrastructure regulation;
- strengthen cyber security obligations and compliance for critical infrastructure;
- uplift the cyber security of the Commonwealth Government; and
- pressure-test Australia's critical infrastructure to identify vulnerabilities.
In this update, we cover:
- Expanded definition of data storage systems that hold business-critical data
- Broadened government power to manage the consequences of impacts of incidents in critical infrastructure assets
- New definition of protected information
- Direction to vary critical infrastructure risk management program
- Security regulation for critical telecommunications assets
- Declaration of systems of national significance
- Key takeaways
Expanded definition of data storage systems that hold business-critical data
The first proposed change under the SOCI Bill seeks to recognise data storage systems that hold business-critical data as part of critical infrastructure assets.
Summary
Schedule 1 of the SOCI Bill expands the types of assets regulated as critical infrastructure assets under the SOCI Act to include data storage systems that hold business-critical data in circumstances where:
- the responsible entity for the critical infrastructure asset owns or operates the data storage system;
- the data storage system is used, or is to be used, in connection with the critical infrastructure asset;
- business-critical data is stored, or is processed in or by, the data storage system; and
- a hazard (which has a material risk of impacting the data storage system) also has a material risk of having a relevant impact on the critical infrastructure asset.
Implications
Expanding the types of assets to be regulated as critical infrastructure assets (to include data storage systems that hold business-critical data) will likely bring more organisations within the scope of the SOCI Act. In light of this, businesses will need to review their data storage systems and consider whether those systems would be regulated in connection with critical infrastructure assets and business-critical data. Any risk mitigation procedures that businesses have developed for critical infrastructure assets will need to be extended to those data storage systems.
Broadened government power to manage the consequences of impacts of incidents in critical infrastructure assets
The second proposed change under the SOCI Bill broadens the existing directions powers under the SOCI Act to allow the government to assist in coordinating responses to serious incidents with a relevant impact to one or more critical infrastructure assets.
Currently, the power under the SOCI Act is limited to circumstances where a cyber security incident has occurred. The broadened power enables the government to act in response to incidents from all types of hazards and manage the consequences of those incidents, rather than just direct impacts.
Summary
Schedule 2 of the SOCI Bill broadens the power of the government to respond to serious incidents that have had, are having, or are likely to have relevant impacts on critical infrastructure assets. "Serious incident" is an undefined term in the SOCI Act and is intended to take on its ordinary meaning. In response to serious incidents, the Minister may:
- authorise the Secretary to give information-gathering directions to relevant entities for the assets, which requires the relevant entities to give information to the Secretary;
- authorise the Secretary to give action directions to relevant entities for the assets, which requires the relevant entities to do, or refrain from doing, a specified act or thing; and
- if the incident is a cyber security incident, authorise the Secretary to give intervention requests to the authorised agency to do one or more specified acts or things in relation to the assets.
Implications
While the power provides the government with the ability to act, it is intended as a "last resort": before authorising the Secretary to give a direction, the Minister must be satisfied that no other regulatory system or option within the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
As such, the power applies to "serious incidents" only, and only in situations where no other framework offers a practical and effective response.
Businesses should consider their existing frameworks to assess whether they are sufficient in responding to serious incidents that have relevant impacts on critical infrastructure assets.
New definition of protected information
The SOCI Bill amends the definition of "protected information" under the SOCI Act to include a document or information in circumstances where disclosure of that document or information could cause harm or pose a risk towards either the security of the asset, commercial interests, or the socio-economic stability, national security or defence of Australia.
The purpose of this amendment is to resolve the limitations created by the current definition of "protected information" for the use or disclosure of information in the course of ordinary business or mitigating relevant risk effectively.
Summary
Schedule 3 of the SOCI Bill introduces a new definition of "protected information", which includes a harms-based assessment and a non-exhaustive list of "relevant information".
The amended definition means that a document or information is considered "protected information" if its disclosure could cause harm or pose a risk to the security of the asset, commercial interests, or the socio-economic stability, national security or defence of Australia.
Implications
In determining what is protected information under the SOCI Act, businesses will need to assess whether they hold any "relevant information" that would be considered "protected information" based on a harms-based assessment of the potential negative impacts or harms that would eventuate, should that information be disclosed.
Direction to vary critical infrastructure risk management program
The SOCI Bill introduces a power for the Department of Home Affairs and relevant Commonwealth regulators to direct an entity to address serious deficiencies within an existing critical infrastructure risk management plan.
Summary
Schedule 4 of the SOCI Bill introduces a compliance "review and remedy" power, which allows "relevant officials" (in effect, the Secretary of the Department or the relevant Commonwealth regulator) to give the responsible entity a written direction to vary the entity’s risk management plan to address a serious deficiency.
The term "serious deficiency" is defined as a deficiency that poses a material risk to Australia’s national security, defence or socio-economic stability. The responsible entity must record the receipt of any such direction in its annual report, and details of the use of the direction are also to be included within existing government reporting.
Implications
Currently, where a risk management plan is deficient, the Department or the relevant regulator has no ability to take action or to compel the entity to address the deficiency. This ultimately leads to poorer critical infrastructure security outcomes.
Businesses are advised to undertake a review of their risk management plan as part of their risk management processes, ahead of the introduction of this new power.
Security regulation for critical telecommunications assets
The SOCI Bill aligns key security obligations from the Telecommunications Act 1997 (Cth) (Telecommunications Act) to the SOCI Act, which maintains the government's ability to oversee and intervene to ensure national security outcomes while clarifying security obligations within a single regulatory framework.
Summary
Schedule 5 of the SOCI Bill introduces three key enhanced security obligations for critical telecommunications assets that integrate existing obligations from the Telecommunications Act and the SOCI Act:
- A "protect your asset" obligation, which requires entities to protect their assets for security purposes from all hazards identified by the entity, as far as it is reasonably practicable to do so.
- A notification obligation, which requires responsible entities to notify the Home Affairs Secretary of security risks arising from changes, or planned changes, to the critical telecommunications asset or network.
- A power to introduce a Telecommunications Security and Risk Management Program, which would require the management of security risks in accordance with requirements set out in subordinate legislation.
Implications
Although telecommunications providers have security obligations under the Telecommunications Act and the SOCI Act, not all obligations under the SOCI Act apply uniformly across specified sectors and asset classes.
The proposed amendments will bring appropriate elements of the Telecommunications Sector Security Reforms (TSSR), including security and notification obligations, from Part 14 of the Telecommunications Act into the SOCI Act. This will align the key obligations under the Telecommunications Act and SOCI Act to regulate Australia's most critical assets via the entities that own, operate and influence them by imposing uplifted obligations on those entities, including businesses operating telecommunications assets.
The changes will provide much-needed clarity and alignment on the security obligations of telecommunications providers with other critical infrastructure providers, including imposing specific requirements such as establishing a risk management program.
Declaration of systems of national significance
Finally, the SOCI Bill addresses two administrative requirements concerning Systems of National Significance (SoNS).
Summary
Schedule 6 of the SOCI Bill removes the requirement:
- for the Minister to notify direct interest holders when a declaration of an asset as a SoNS occurs; and
- for direct interest holders to advise the Secretary of all instances when direct interest holders cease to be responsible for a critical infrastructure asset.
Implications
Removing these notification and reporting obligations associated with SoNS will reduce the administrative burden on direct interest holders without compromising security, and avoids the risk of incorrect or inappropriate information disclosures.
Key takeaways
The changes proposed by the SOCI Bill seek to ensure optimal protection of critical infrastructure assets and the business-critical information associated with them by imposing enhanced risk management obligations on businesses. The proposed changes will also provide the government with measures to respond to serious incidents that impact Australia's critical infrastructure.
For more information on the legal aspects of the Bill and how to prepare for impending changes, please contact our team of experienced cyber practitioners.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.