The Federal Government has moved to protect Australia's 'critical infrastructure' from cyber security risks. But how does that affect your business, and what should you do about it?
Here at Content Security, we're fielding questions from our clients about the amendments to the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act). Although the amended Act came into effect on 2 April 2022, some provisions were delayed.
If your business is required to comply with the new rules, you must already have notified the government of:
- The ownership and operating details of any identified critical infrastructure assets (by 8 July 2022).
In addition, from 8 October 2022, you must report:
- Any cyber incident you become aware of that has a 'significant' impact on the availability of a critical infrastructure asset (report it within 12 hours of becoming aware).
- Any cyber incident that has a 'relevant' impact on such an asset (report it within 72 hours of becoming aware).
Learn more about the criteria for 'significant' and 'relevant' impact here.
You must also notify third parties that support your critical infrastructure asset(s) of a cyber incident.
Minimum measures but maximum penalties
These new measures are minimum cyber security requirements, and your management strategy should aim to exceed them. Although the law only sets a baseline, there are stiff penalties for not meeting it.
For example, responsible entities, as well as direct interest holders, face:
- Maximum penalties of $11,100 for individuals and $55,500 for companies for not reporting a cyber security incident to the Australian Signals Directorate (ASD) within the set time frame.
- The same penalties for not complying with a notice requiring critical infrastructure asset information or entity information to be provided to the government.
- Fines of up to $44,400 for individuals and $222,000 for companies for not adopting and maintaining a risk management program.
And if a serious cyber incident affects a critical infrastructure asset, the government has 'last resort' powers to step in. That includes authorising the Australian Signals Directorate to take action.
Could your business be on the list?
Your next step is to identify whether you have any critical infrastructure assets. Critical infrastructure is infrastructure that is essential to everyday life, such as energy, communications, water, transport, health, food and grocery, and banking and finance.
The SOCI Act's scope has been expanded to 11 industry sectors, covering 22 asset classes. You can see the complete list here.
Don't assume you must comply with the SOCI regulations just because your business operates in one or more of those sectors. What matters is whether your business meets the minimum threshold levels for the relevant asset classes. Because each business is unique, we strongly advise you to seek legal advice.
Demystifying critical infrastructure assets
The SOCI Act defines an asset as any of the following:
- A system
- A network
- A facility
- A computer
- A computer device
- A computer program
- Computer data
- Premises, and
- "Any other thing" as the minister determines.
A small subset of Australia's most critical assets may also be declared 'Systems of National Significance' and attract enhanced cyber security obligations. The Federal Government will identify these assets and notify their owners/operators.
How we can help
If you determine that your organisation owns or is connected with critical infrastructure, you will need to develop and maintain a cyber security risk management program. The Department of Home Affairs has issued these draft risk management program rules, and the Cyber and Infrastructure Security Centre has released this three-page summary. Cyber risk management is where we can assist you.
We support organisations from SMEs to large enterprises with their cyber security audit and governance needs. Get in touch today.
Disclaimer: Content Security offers this information as guidance only. We urge you to seek professional advice about cybersecurity regulations in Australia, particularly if they could impact your business operations.