As the dust settles on the suite of Security of Critical Infrastructure Act 2018 (SOCI Act) amendments that were finalised earlier this year, we provide some initial observations about how the regime impacts critical infrastructure entities and tips for entities that are newly captured under the legislation.
What is an 'asset' under the SOCI Act?
The definition of 'critical infrastructure asset' is sector-specific, and fundamentally relies on a broad definition of 'asset'.
One question that we have seen arise in relation to the SOCI Act's application is how to disentangle corporate assets to identify whether the legislation captures one or more of these assets. Entities should keep in mind that 'asset' is itself defined extremely broadly and can refer to networks, facilities or computer data, among other 'things'. This definition informs the further definitions of 'critical infrastructure asset' which may be relevant to your sector.
Given the granular detail in the various definitions of 'critical infrastructure asset', it is advisable to seek legal advice about the basic question of whether you have critical infrastructure assets in your purview and whether your relationship with those assets incurs particular obligations under the legislation.
Is it possible to be both the 'responsible entity' for and the 'direct interest holder' in a critical infrastructure asset?
Yes, it is. And if that is the case, you will need to meet the reporting requirements for both roles.
Entities that have dealt with or owned critical infrastructure assets for some time will likely be familiar with the obligation under the SOCI Act to report certain information to the Home Affairs Department's Register.
The information that your entity needs to provide will differ depending on whether you are a 'responsible entity' or a 'direct interest holder'. Whether you fall into one or both of these definitions depends on various sector-specific definitions provided under the Act.
For example, the 'responsible entity for a critical electricity asset' will be the entity that holds the licence, approval or authorisation (however described) to operate that asset and provide the service to be delivered by the asset (unless the rules prescribe otherwise). A 'direct interest holder of a critical electricity asset' will be any entity that, together with its associates, holds an interest of at least 10 per cent in the asset or holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.
Clearly, it is possible for a single corporate entity to hold the relevant lawful permission to operate an asset and also hold an interest in that asset. In those circumstances, the entity would need to make sure it is reporting the information that is required to be reported by responsible entities, as well as the information required to be reported by direct interest holders.
Much of the SOCI Act is still not 'switched on'
Many obligations and definitions under the SOCI Act depend on Ministerial rules to identify their scope. Some of these rules have been issued - the application of the reporting requirements and the application of the cyber-security notification obligations are defined in the Security of Critical Infrastructure (Application) Rules 2022. However, the application of the requirement to implement a critical infrastructure risk management program (CIRMP), arguably one of the more burdensome obligations, is not yet defined under Ministerial rules. That being so, it is a good idea for entities responsible for critical infrastructure assets to consider early what implementing a CIRMP would look like for their business, so that they are prepared when the Ministerial rules on this obligation are released.
Our previous article outlining the CIRMP obligation and what this entails can be read here.
Responsible entities must notify critical data service providers that they hold critical business data
If you are a responsible entity for a critical infrastructure asset, and you use a data storage or processing service that is provided on a commercial basis by a third party, and that service relates to 'business critical data', you are currently under an obligation to notify that third party of this fact.
Penalties apply for non-compliance. The rationale for this obligation may be that those data service providers, having been notified of the nature of the data that they store, will then be in a position to comply with their obligations under the SOCI Act to report as a responsible entity for a 'critical data storage or processing asset'.
SOCI Act could impact your business even if you are not a responsible entity for, or a direct interest holder in, a critical infrastructure asset
The SOCI Act gives powers to the Commonwealth to react to certain security threats in prescribed circumstances by requiring an entity to provide certain information to the Commonwealth, to do or not do something, or, in more drastic circumstances, to have the Australian Signals Directorate (ASD) intervene in the affairs of an entity.
These Commonwealth powers may impact entities that do not have one of the prescribed relationships to a critical infrastructure asset under the SOCI Act. For example, a landlord that has leased their land to an entity that is operating a critical infrastructure asset on the land, and that - outside of the lessor or lessee relationship - has no further relationship to that asset, may be subject to information-gathering directions or intervention by ASD in the event of a cyber-attack on that critical infrastructure asset. While this is a technical possibility, how the Commonwealth will interpret and employ these powers in the event of a serious cyber-security incident is yet to be seen.
How we can help
Regardless of where your company is based, we can help you understand how these considerations impact your investment, ownership and operation of critical Australian infrastructure assets, and the increasingly complex regulatory environment around cyber and data security, privacy, safeguarding national interest and related ESG (environmental, social and governance) issues.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.