27 May
Critical Infrastructure Compliance Deadlines
Author: Helaine Leggat
In previous articles we looked at similarities in the increasing protection afforded to critical infrastructure in Europe and Australia and also at changes in the Australian agencies and authorities responsible for the Security of Critical Infrastructure Act 2018 (SOCI).
In this article we consider the imminent compliance deadlines and critical dates under SOCI, namely August 2023, August 2024, and the reporting window from 30 June 2024 to 28 September 2024.
Under SOCI there are various positive security obligations that apply to certain classes of critical infrastructure assets:
- Mandatory cyber incident reporting whereby cybersecurity incidents are to be reported to the Australian Cyber Security Centre (ACSC) within 12 hours of an organisation becoming aware of a ‘significant impact’ event, or within 72 hours with regards to a ‘relevant impact’ event;
- The provision of ownership and operational information into the registry of critical infrastructure assets containing operational information and responsibilities as well as direct interest holdings; and
- An obligation to have and comply with a critical infrastructure risk management program.
Critical Infrastructure Risk Management Program
The risk management programme obligations were enacted on 17 February 2023 when the Minister of Home Affairs, the Hon. Clare O’Neil MP signed the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules (LIN 23/006) 2023 (CIRMP Rules). The CIRMP Rules specify cyber security frameworks and relevant requirements.
17 February 2023 marks the beginning of the grace period for CI assets that are currently operational. Further details on the period to comply include:
- A 6-month transition period for responsible entities to adopt a written CIRMP (August 2023);
- An additional 12-month period to assist responsible organisations in achieving compliance with the cyber security framework identified in their written CIRMP (August 2024); and
- If a responsible organisation’s asset becomes a CI asset after the Rules commence, the responsible entity must meet CIRMP requirements within 6 months of the day the asset became a CI asset.
Cyber Security Framework
A responsible entity must submit an annual report that has been approved by their board (or other governing body) to the relevant regulator. The annual report will provide assurance that a CIRMP is in place and that the entity is taking steps to manage material risks posed by the hazard to the CI asset.
Entities must provide an annual report within 90 days of the end of the Australian financial year. If an entity is a responsible entity for a CI asset for all or part of the Australian financial year, they will be required to submit an annual report.
The first annual report is for the 2023-2024 Australian financial year. As the report must be submitted within 90 days after the end of each financial year the entity had a CIRMP in place, the first annual report must be submitted between 30 June 2024 and 28 September 2024.
The SOCI Act requires the annual report to be in an approved form and to include the following:
- A declaration that the CIRMP is up to date at the end of the Australian financial year;
- Whether a hazard occurred that had a significant relevant impact on an asset during the year;
- Whether any variations to the CIRMP were made during the year;
- Whether the program was effective in mitigating any significant relevant impact that a hazard may have had on an asset during the year; and
- An attestation that the information contained within the annual report was approved by the board or governing body of the entity.
SOCI sets a baseline of minimum cyber security requirements and a clear strategy is required on how to adhere to the compliance requirements as significant penalties apply for failing to do so. These include:
- Maximum penalties of $11,000 for individuals and $55,000 for organisations for not reporting a cyber security incident to the Australian Signals Directorate within the set timeframes;
- Maximum penalties of $11,000 for individuals and $55,000 for organisations for not complying with an order to report critical infrastructure asset information or entity information; and
- Fines of $44,000 for individuals and $220,000 for organisations for not adopting and maintaining a risk management program.
Here to help
Compliance with SOCI requires a detailed knowledge of law, cybersecurity and corporate governance, in relation not only to the theoretical aspects of compliance but also to the implementation of policy and controls within an organisation as they apply to people, process and technology (particularly with regard to IT/OT). If you need assistance, we have multi-disciplinary expertise and experience – we are here to help.
In next month’s article we will examine how Information Sharing and Analysis Centres play a part in securing critical infrastructure.
While not required, the Cyber and Infrastructure Security Centre (CISC) strongly encourages entities to voluntarily submit an annual report for the 2022-2023 Australian financial year, to provide a ‘pulse-check’ on how you are implementing the CIRMP. The CISC does not expect this voluntary report to be overly complex or detailed – rather, it provides an opportunity to reflect on progress in enhancing risk management procedures.