The Australian government’s expanded ‘critical infrastructure’ laws – Does it affect you?

Minimum measures but maximum penalties

These new measures are minimum cyber security requirements that your management strategy should aim to exceed. Although the law sets a baseline, there are stiff penalties for not meeting them.

For example, responsible entities, as well as direct interest holders, face:

• Maximum penalties of $11,100 for individuals and $55,500 for companies for not reporting a cyber security incident to the Australian Signals Director in the set time frame
• The same penalties apply for not complying with an order to report critical infrastructure asset information or entity information to the directorate, and
• Fines of $44,400 for individuals and $222,000 for companies for not adopting and maintaining a risk-management program.

And, if you don’t report a cyber incident, the government has ‘last resort’ powers to step in. That includes authorising the Australian Signals Directorate to take action

Could your business be on the list?

Your next step is to identify if you have any critical infrastructure assets. Critical infrastructure is essential for everyday life and includes energy, communications, water, transport, health, food and grocery, banking and finance, and the Australian Government.

The SOCI Act has expanded its scope to 11 industry sectors, including 22 asset classes.  You can see the complete list here.

Don’t assume you must comply with the SOCI regulations because your business operates in one or more of those sectors. What’s relevant is if your business meets the minimum threshold levels for the asset classes. We strongly advise you to seek legal advice because each business is unique.

Demystifying critical infrastructure assets

 The SOCI act defines a critical infrastructure asset as:

• A system
• Network facility
• Computer
• Computer device
• Computer program
• Computer data
• Premises, and
• “Any other thing” as the minister determines.

A small subset of Australia’s most critical assets may also be declared ‘Systems of National Significance’ and attract extra cyber security obligations. The Federal Government will identify and notify these owners/operators.

How we can help

If you determine that your organisation does own or is connected with critical infrastructure, you will need to develop and maintain a cyber security risk management plan. The Department of Home Affairs has issued these draft risk management program rules. Meanwhile, the Cyber and Infrastructure Security Centre has released this three-page summary. Cyber risk management is where we can assist you.

We support SMEs to large enterprises with their audit and governance needs for cyber security. Get in touch today.  

Disclaimer: Content Security offers this information as guidance only. We urge you to seek professional advice about cybersecurity regulations in Australia, particularly if they could impact your business operations.