Opinion

Australian Government introduces major amendments to the Security of Critical Infrastructure Act 2018 (Cth)

Published Date
Oct 10 2024
Anna Gamvros, a partner and Head of our Asia Pacific privacy and cyber practice, Ross Phillipson, a partner in our Australia privacy and cyber practice, Denise Kara, a Senior Associate in our Australia privacy and cyber practice, Steven Chong and Cara Burley, lawyers in our Australia privacy and cyber practice, discuss the Australian Government’s proposed changes to the Security of Critical Infrastructure Act 2018 (Cth) and their potential impact.

Aiming to bolster the security and resilience of critical infrastructure in Australia, the Australian Government introduced the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (“Bill”) on October 9, 2024, amending the Security of Critical Infrastructure Act 2018 (Cth) (“SOCI Act”).

The Bill is a product of the 2023-2030 Australian Cyber Security Strategy and the ensuing consultation on the legislative reforms. Below are the key takeaways:

1. Critical infrastructure assets will cover data storage systems that hold business critical data

The Bill introduces a four-step test for determining whether a data storage system forms part of a critical infrastructure asset. A consequence of this is that such data storage systems will be subject to the other parts of the SOCI Act applicable to the critical infrastructure asset, including the registration, risk management and incident notification requirements. A potential issue is how this new test interacts with the existing critical data storage or processing asset definitions in s 12F of the SOCI Act.

2. More management powers will be given to the regulators

The Secretary of the Department of Home Affairs (“Secretary”) and other relevant regulators will have the power to issue directions to vary a responsible entity’s critical infrastructure risk management program (“CIRMP”) where it has one or more “serious deficiencies”, a term new to the SOCI Act. In addition, the Secretary will have wide last-resort consequence management powers, exercisable under Ministerial authorisation, namely the power to give information-gathering directions, action directions and intervention requests. Moreover, most of the consequence management powers will not be limited to serious cyber security incidents but will be available for serious incidents generally, thereby widening the scope of the powers significantly.

3. The rules around protected information are clarified

Relevant entities of critical infrastructure assets will be able to make a record of, use, or disclose protected information for the entity’s business, professional, commercial or financial affairs. Also, protected information will have a new definition incorporating a harms-based assessment and covering confidential commercial information. Should these amendments proceed, affected entities will have to consider how to adapt their information classification and security policies and processes to include the harms-based assessment.

4. Critical telecommunications assets’ security requirements will be consolidated into the SOCI Act

The Bill sets out the enhanced security obligations and notification obligations for responsible entities of critical telecommunications assets. The changes include significant obligations on designated entities to advise regulators of changes to infrastructure where it may have a material adverse impact on the entity’s capacity to comply with asset security requirements. This is of particular relevance as the changes also empower the Minister to direct the entity not to use or supply a carriage service where it may be prejudicial to security. In addition, the obligation to protect assets as far as reasonably practicable to do so will be extended from security risks to include all hazards. Given the complexity and significance of these changes, we will be providing a specific analysis of the telecommunications requirements in an upcoming post.

Next steps

The change in scope of critical infrastructure assets, together with the greater powers given to regulators to vary a responsible entity’s CIRMP and to share information, mean that responsible entities for critical infrastructure assets should review the mapping of their assets and update and implement their CIRMP accordingly. For responsible entities of critical telecommunications assets, the Bill significantly alters the applicable legal instrument, with changes large and small that require careful planning and robust readiness for when the Bill is passed, which we expect may take place in the first quarter of 2025.