The Minister for Cyber Security, Clare O'Neill MP, has announced the immediate commencement of the third and final preventative obligation under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), for owners of certain asset classes listed in the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules).

Responsible entities must adopt risk management programs

Responsible entities for the following critical infrastructure asset classes are now required to adopt, maintain and comply with a written "critical infrastructure risk management program" (CIRMP), aimed at managing, eliminating or mitigating the "material risks" of hazards which could impact the availability, integrity or reliability of their critical infrastructure asset:

  • broadcasting;
  • domain name systems;
  • data storage or processing;
  • electricity, gas and liquid fuels;
  • energy market operators;
  • financial market infrastructure;
  • food and grocery;
  • designated hospitals in each state and territory;
  • freight infrastructure and services; and
  • water.

Relevant hazards may include the risk of cyber security incursions, deliberate or accidental interference, natural disasters, impairment of or negligence by employees, and supply chain disruption.

Once an entity responsible for an asset has identified these hazards, the entity must take all reasonable steps to minimise, eliminate or mitigate the material risk of the hazards occurring, "material risk" including:

  • a stoppage or major slowdown of the asset's functions;
  • a substantive loss of access to, or manipulation of, a critical component of the asset;
  • interference with an asset's operational or information communication technology;
  • the transfer or storage of sensitive operational information outside Australia; or
  • unauthorised remote access to the asset.

Entities must meet cyber security baseline

An entity's CIRMP must also contain assurances about its cyber and information security processes and systems, which the entity has established to minimise, eliminate, or mitigate the risk of cyber threats materialising. Importantly, the CIRMP Rules specify that responsible entities' cyber and information security systems must meet particular baseline maturity obligations, like Australian Standard AS ISO/IEC 27001:2015 (Information Security), so that assets are sufficiently protected.

Entity reporting obligations

Responsible entities must submit an annual report that has been approved by a board, council, or other governing body to the relevant Commonwealth regulator for that critical infrastructure asset (or, if there is no such regulator, to the Secretary of the Department of Home Affairs). The annual report will provide assurance that a CIRMP is in place and outline the steps an entity is taking to manage the risks posed by any identified hazards, and ensures that senior management takes an appropriate level of responsibility for managing risk.

Entities must provide an annual report within 90 days of the end of each Australian financial year. If an entity is responsible for a critical infrastructure asset for all or part of that Australian financial year, they will be required to submit an annual report.

New CIRMP Rules have already begun

The CIRMP Rules have immediate effect from Friday, 17 February 2023. The following grace periods apply to the new obligations:

  • Responsible entities have 6 months to adopt a written CIRMP.
  • Responsible entities have 12 months to ensure their systems comply with the baseline cyber security maturity obligation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.