
Significant reform of Australia’s cybersecurity laws with the adoption of critical infrastructure reforms


The amendments to the Security of Critical Infrastructure Act 2018 (Cth) expose company directors to personal liability for a cyber breach, which calls for a highly proactive cybersecurity strategy.

Around the world, there has been an alarming increase in the number of threats to critical infrastructure. In response, the first of the two bills into which the Government split the Security Legislation Amendment (Critical Infrastructure) Bill 2021 has now been passed and came into force on 2 December 2021 (the Act).

For more information on the splitting of the Security Legislation Amendment (Critical Infrastructure) Bill 2021 into two bills, please see our earlier article.

The Act amends the Security of Critical Infrastructure Act 2018 (Cth) (the Previous Act), which addressed the national security risks of espionage, sabotage and coercion arising from foreign involvement in Australia’s critical infrastructure, and significantly increases the Federal Government’s ability to enforce obligations in relation to “critical infrastructure assets”. Not only will the Federal Government have unprecedented powers to intervene in the security response of private organisations, but company directors will be exposed to personal liability for a cyber breach, forcing executives to be highly proactive in their cybersecurity strategy.

Significant changes to critical infrastructure laws

The Act broadens the definition of “critical infrastructure sector”. The main change is that the Previous Act covered only certain assets in the electricity, gas, water and ports sectors, whereas the Act now extends the definition to cover 11 sectors deemed “critical”. As a reminder, the 11 sectors are:

  • communications;
  • data storage or processing;
  • financial services and markets;
  • water and sewerage;
  • energy;
  • health care and medical;
  • higher education and research;
  • food and grocery;
  • transport;
  • space technology; and
  • defence industry.

The meaning of “critical infrastructure asset” has also been extended to cover 22 different asset classes, a far wider range than under the Previous Act. This change expands the range of entities subject to mandatory reporting obligations and other legal requirements, which the Australian Government says will help address security threats to our critical infrastructure.

New mandatory notification of cybersecurity incidents

Part 2B of the Act introduces new mandatory cyber incident reporting obligations on entities responsible for “critical infrastructure assets”. The objective is to build a deeper understanding of the threats facing critical infrastructure and to support proactive response options.

Under the new mandatory reporting regime, a responsible entity must report a “critical cyber security incident” within 12 hours of becoming aware that the incident has had, or is having, a “significant impact” on the availability of the asset. An incident is taken to have a “significant impact” if it has materially disrupted the availability of essential goods or services delivered using the asset.

In addition, responsible entities must report any other cyber security incident that has occurred, is occurring or is imminent within 72 hours of becoming aware that the incident has had, is having or is likely to have a relevant impact on the asset.

Notifications to the Register of Critical Infrastructure Assets

As a result of the amendments, more entities are now responsible for “critical infrastructure assets” and are required to provide information to the Government’s Register of Critical Infrastructure Assets. A reporting entity that breaches its reporting obligations faces a civil penalty of up to $11,100 (50 penalty units) per day of contravention, or $55,500 (250 penalty units) per day in the case of a body corporate. These substantial penalties mean that directors now carry far greater exposure for cyber breaches, so it is essential for companies to develop proactive and comprehensive cyber incident response policies.

Broad government powers of last resort

The Act also introduces a “government assistance and intervention” regime. It gives the Australian Government “powers of last resort” where no existing regulatory mechanism could deliver a practical and effective response to a cyber security incident affecting a critical infrastructure asset, and there is a material risk that the incident has seriously prejudiced, is seriously prejudicing or is likely to seriously prejudice:

  • the social or economic stability of Australia or its people;
  • the defence of Australia; or
  • Australia’s national security.

The Act allows the Minister for Home Affairs to authorise the Secretary of the Department of Home Affairs to direct an entity to do specified things in response to the incident, provided that the entity has been consulted and the Minister is satisfied that the entity is unwilling or unable to take all reasonable steps to respond to the incident, and that the direction is reasonably necessary, proportionate and technically feasible.

Alternatively, the Minister can authorise an information-gathering direction or, after consulting the Prime Minister and the Minister for Defence, authorise an intervention request under which the Government takes action itself, for example by using the capabilities and resources of the Australian Signals Directorate’s Australian Cyber Security Centre.

Implications for owners and operators of critical infrastructure assets

The Act dramatically expands the scope of what was previously considered “critical infrastructure”, and affected entities must revise their cyber attack response procedures to ensure compliance with the mandatory reporting obligations. If you believe your organisation may be an entity covered by the Act, you should ensure that you have procedures in place to meet the information requirements of the Register of Critical Infrastructure Assets and that you are set up to comply with the mandatory notification requirements, including the 12-hour and 72-hour reporting windows.

The steps required to comply with the Act may be minimal for entities already governed by existing cybersecurity legislative or regulatory regimes. Newly covered entities, however, will need to take active steps to ensure compliance.

The Act represents a crucial development in the field of cybersecurity. Please contact us if you need assistance in ensuring your organisation’s compliance with the new requirements.