Information Sharing, Cyber Risk, and Security of Critical Infrastructure Legal Compliance
26 Jun
Author: Helaine Leggat
Cyber security framework
The Critical Infrastructure Risk Management Program Rules (LIN 23/006) 2023 (CIRMP Rules) under the Security of Critical Infrastructure Act 2018 (SOCI) specify cyber security frameworks and requirements.
A responsible entity must submit an annual report that has been approved by their board to the regulator. The annual report will provide assurance that a Critical Infrastructure Risk Management Plan (CIRMP) is in place and that the entity is taking steps to manage material risks posed by hazards to Critical Infrastructure (CI) assets.
With the diversity, sophistication, and volume of cyber-attacks growing each day, it is imperative that Australia’s CI entities strengthen their cyber risk management posture, particularly in view of providing assurances sufficient for the annual report.
Cyber security is now an obligation – one of the costs of doing business (and not just for tangible reasons such as the $110m cost to Latitude, but also the intangibles such as reputation and inability to accord with Environmental, Social, and Corporate Governance (ESG) expectations). Added to this is the increased enforcement activity of regulators. Among other cases, in Australian Securities and Investments Commission v RI Advice Group Pty Ltd FCA 496 the Australian Federal Court issued a fine of $750,000 as a result of RI Advice Group’s failure to have in place documentation and controls in respect of cybersecurity and cyber resilience that were adequate to manage risk.
To manage risk and to have any chance of successfully defending themselves, enterprises must accept and adopt a philosophy of collective defence. Cyber information sharing is at the core of any collective defence strategy. Cyber security cannot be addressed solely as a technical issue and must be managed as a material business risk.
How do Information Sharing and Analysis Centres play a part in managing material risks to Critical Infrastructure assets?
The Australian Government has responded to increased cyber threats by introducing legislative and regulatory reforms to the nation’s Critical Infrastructure (CI) sectors, recognising that Cyber Threat Intelligence (CTI) sharing and collective cyber defence are fundamental to improved risk management. To ensure the right level of cybersecurity, cooperation between the public and private sectors is absolutely crucial.
Information Sharing and Analysis Centres (ISACs) create a platform for such cooperation in terms of sharing information about root causes, incidents and threats, as well as sharing experience, knowledge and analysis.
In summary, cyber security is now an obligation and must be managed as a material business risk, demanding collective defence and cyber information sharing, as well as cooperation between the public and private sectors where an ISAC can create the platform for such cooperation.
The ISAC model has been proven effective over the last two decades as sector-specific US ISACs expanded globally. In Australia, the Critical Infrastructure Information Sharing and Analysis Centre (CI-ISAC) has evolved the standard ISAC model to operationalise the world’s first cross-sectoral ISAC, focussed on providing enabling capabilities and structures to support the collective defence of Australian Critical Infrastructure. It is thanks to the relatively small size of the CI sector in Australia that a single cross-sector ISAC is possible. The entire Australian CI sector is smaller than a single-sector ISAC in the US.
The strength and utility of an ISAC are directly related to the number of members it has brought together and the diversity of insights and knowledge that these members bring to the ISAC’s intelligence sharing platform. A cross-sector CI cyber threat sharing model with the scale and diversity brought together under SOCI enables diverse, rich and contextualised risk assessments and response.
Cyber Security Framework
Critical Infrastructure Risk Management Program Rules (LIN 23/006) 2023 (CIRMP Rules) specify cyber security frameworks and requirements. A responsible entity must submit an annual report that has been approved by their board (or other governing body) to the relevant regulator. The annual report will provide assurance that a CIRMP is in place and that the entity is taking steps to manage material risks posed by the hazard to the CI asset.
Entities subject to SOCI must provide an annual report within 90 days of the end of the Australian financial year. The first annual report is for the 2023-2024 Australian financial year. As the report must be submitted within 90 days after the end of each financial year in which the entity had a CIRMP in place, the first annual report must be submitted between 30 June 2024 and 28 September 2024.
The benefits of collective defence will greatly enhance the quality of any CIRMP and the integrity of the annual report.
Critical Infrastructure Information Sharing and Analysis Centre Australia
Membership of CI-ISAC Australia is that fundamental cyber risk mitigation measure – addressing cyber security weakness that simply cannot be risk-accepted by Australian CI entities and their executives.
CI-ISAC has been established in Australia to harness the collective insights of all CI sectors to provide an information sharing capability to enable collective cyber defence for its members. CI-ISAC is building a robust, highly-trusted intelligence sharing community and cyber capabilities for critical infrastructure operators within and across all sectors. CI-ISAC is a not-for-profit entity that represents an opportunity for industry to self-organise and uplift their own cyber defences in a trusted, sustainable manner. CI-ISAC is purpose driven with a vision that is in harmony with the Commonwealth objective to make Australia the most cyber secure nation by 2030.
CI-ISAC Australia is the only data sovereign cyber intelligence sharing community focused on owners and operators of Australia’s Critical Infrastructure and material suppliers. The community’s mission is to help ensure the cyber resilience and continuity of Australia’s Critical Infrastructure by supporting entities to share information and provide central supporting capabilities to protect against malicious cyber acts. As a not-for-profit, member-driven and supported organisation, CI-ISAC serves its members and in turn all Australians by building a trusted, self-sustaining cyber community. Innovative technology, resiliency resources and industry peer-to-peer networks are leveraged to anticipate, mitigate, and respond to cyber threats.
Here to help
CI-ISAC has achieved a first tranche of members. Threat intelligence sharing is underway. Together with CI-ISAC, we invite all of Australia’s Critical Infrastructure owners and operators to join this growing community.