Recently, Australia’s second largest telecommunications network experienced an outage that lasted 14 hours. Later that same week, a major port operator suffered a multi-day cyber security attack that left thousands of shipping containers trapped in the country’s ports. These incidents affected millions of Australian customers and substantially curtailed telecommunication and important freight operations.
Whilst the telecommunications network outage was not the result of a cyber attack, both events highlight the fragility of “critical infrastructure sectors” (which include communications and transport) and serve to reinforce the significance of the Security of Critical Infrastructure Act 2018 (“SOCI Act”).
Here’s how the SOCI Act aims to address and respond to cyber security incidents
The SOCI Act covers ““critical infrastructure sectors”, by creating a regulatory framework for protecting, strengthening and mitigating risks arising with respect to the critical infrastructure considered so paramount to Australia’s national security. Its purpose is to protect critical infrastructure assets by creating positive security obligations on asset owners and direct interest holders.
Currently, the SOCI Act applies to 11 critical infrastructure sectors, being:
- the communications sector;
- the data storage or processing sector;
- the financial services and markets sector;
- the water and sewerage sector;
- the energy sector;
- the health care and medical sector;
- the higher education and research sector;
- the food and grocery sector;
- the transport sector;
- the space technology sector;
- the defence industry sector.
These sectors are then subdivided into a total of 22 categories of assets. For example, the 5 asset classes falling within the transport sector are aviation, freight infrastructure, freight services, port and public transport.
The SOCI Act generally imposes obligations on “responsible entities” (those with ultimate operational responsibility for the asset) and “direct interest holders” (those holding interest in at least 10 per cent of the asset or holding interest in the asset that puts it in direct/indirect influence or control the asset – section 8). However, the definition of “responsible entities” and “direct interest holders” changes depending on the asset in question.
Whilst the SOCI Act’s obligations are broad-reaching, not all obligations apply to all critical infrastructure sectors or asset classes – even if an entity is captured by the SOCI Act, it may not be responsible for upholding all obligations contained in the SOCI Act. The specific obligations that a responsible entity or direct interest holder must comply with depends on the asset involved.
In this way, it can be difficult to determine whether an entity is required to comply with the SOCI Act and what the entity’s exact obligations are, leading to confusion or lack of clarify. When in doubt, it is prudent to seek advice on whether or how the SOCI Act could affect your organisation.
Upping the ante with positive security obligations
Following reforms in late 2021 and early 2022, the SOCI Act has moved away from its passive approach to impose requirements on entities to comply with positive security obligations (“PSOs”). Compliance with PSOs will only be mandatory once they have been “switched on” for the particular asset in question. Depending on the PSO in question, this occurs either via the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 or the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (Lin 23/006) 2023.
The essence of the PSOs relate to:
- Registration of critical infrastructure assets (providing details on asset ownership and operational information);
- Mandatory notification of a cyber security incident; and
- Development of a critical infrastructure risk management program.
Other SOCI Act obligations relate to:
- Notification of third-party providers who store or process “business critical data” for an asset; and
- Government powers in relation to current, past or imminent cyber security incidents (information gathering directions, intervention requests and directions).
Consequences of non-compliance – fines and international sanctions
An entity’s failure to comply with its obligations (including triggering a cyber security incident) under the SOCI Act may result in the entity facing significant penalties, depending on the entity’s form and level of non-compliance. For example, an entity that fails to adopt, maintain, comply with, or regularly review its risk management plan may face fines of 200 penalty units (currently $62,600) for each activity it has failed to comply with, and an entity that fails to notify the regulator when a cyber incident has occurred may face a fine of 50 penalty units (currently $15,650).
The ordinary regulator responsible for ensuring compliance is the Cyber and Infrastructure Security Centre that sits within the Department for Home Affairs (“the Department”). They have the usual range of enforcement powers, including civil penalties (fines), undertakings, injunctions and infringement notices. However, the Reserve Bank of Australia maintains regulatory oversight for the payment system asset class.
But, in recognition that not all cyber incidents originate on home soil, there are significant sanctions powers which can be exercised by the Minister for Foreign Affairs to target foreign players in certain circumstances.
Where an entity is considered to have caused, assisted with causing or been complicit in, in a “significant cyber incident”, the Minister for Foreign Affairs can impose targeted financial sanctions on that entity and specifically on individuals under the Significant Cyber Incidents Sanctions Regime. When an entity or individual is sanctioned, they may be subject to asset freezing rules and, where appropriate, travel bans.
Takeaway
If these recent cyber events are anything to go by, the government’s focus on protecting Australia’s critical infrastructure is likely to become a greater priority than ever. Increasing education and compliance with relevant regulations in this space is likely to be at the top of the agenda. Indeed, just last month the Cyber and Infrastructure Security Centre launched its inaugural Critical Infrastructure Security Month – a month-long event to promote awareness of Australia’s critical infrastructure framework. In preparation of further government attention, entities should be aware of and uphold their obligations. Those who suspect or are unclear whether the SOCI Act has any impact on their operations should seek advice early to avoid costly actions later.
This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.
© Moulis Legal 2024
