Commonwealth of Australia Explanatory Memoranda



SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE PROTECTION) BILL 2022

                     2019-2020-2021-2022




THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA




               HOUSE OF REPRESENTATIVES




        SECURITY LEGISLATION AMENDMENT
 (CRITICAL INFRASTRUCTURE PROTECTION) BILL 2022




              EXPLANATORY MEMORANDUM




    (Circulated by authority of the Minister for Home Affairs,
              the Honourable Karen Andrews MP)


Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022

OUTLINE

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia's critical infrastructure evolve in light of COVID-19 and beyond, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver.

Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption and result in cascading consequences across our economy, security and sovereignty.

Threats ranging from natural hazards (including weather events) to human induced threats (including interference, cyber attacks, espionage, chemical or oil spills, and trusted insiders) all have the potential to significantly disrupt critical infrastructure. Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, and the impacts of COVID-19 illustrate that threats to the operation of Australia's critical infrastructure assets continue to be significant. Further, the interconnected nature of our critical infrastructure means that compromise of one essential function can have a domino effect that degrades or disrupts others.

The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty, as well as the Australian way of life, causing:
• shortages or destruction of essential medical supplies;
• instability in the supply of food and groceries;
• impacts to water supply and sanitation;
• impacts to telecommunication networks that are dependent on electricity;
• the inability of Australians to communicate easily with family and loved ones;
• disruptions to transport, traffic management systems and fuel;
• reduced services or shutdown of the banking, finance and retail sectors; and
• the inability for businesses and government services to function.


While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune:
• over the last three years, we have seen several cyber attacks in Australia that have targeted the Federal Parliamentary Network;
• malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber attacks on health organisations and medical research facilities; and
• key supply chain businesses transporting groceries and medical supplies have also been targeted.

Accordingly, Government is seeking to introduce an enhanced regulatory framework for Australian critical infrastructure assets, building on existing requirements in place under the Security of Critical Infrastructure Act 2018 (the SOCI Act).

The Security Legislation Amendment (Critical Infrastructure) Act 2021 (the SLACI Act), which received the Royal Assent on 2 December 2021, has implemented key elements of the framework by amending the SOCI Act to introduce:
• mandatory cyber incident reporting (Part 2B of the SOCI Act); and
• government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact Australia's critical infrastructure assets (Part 3A of the SOCI Act).

The SLACI Act implemented a number of recommendations of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) made in its Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 of September 2021 (the PJCIS report). Recommendation 1 of the PJCIS report was that the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the 2020 Bill) be split in two so that urgent elements of the reforms, mandatory cyber incident reporting and government assistance, be implemented as soon as possible. Government amendments to the 2020 Bill were moved, and that Bill subsequently passed after the amendments were made and became the SLACI Act, in line with this recommendation.

Recommendation 7 of the PJCIS report was that the remaining elements of the 2020 Bill be subsequently re-introduced in a separate Bill. Accordingly, the Government seeks to implement the remaining elements of the enhanced regulatory framework in a further bill, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the Bill), which gives effect to this framework by introducing:
• critical infrastructure risk management programs for critical infrastructure assets (proposed Part 2A of the SOCI Act); and


• enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance (proposed Parts 2C and 6A of the SOCI Act).

These changes will be underpinned by enhancements to Government's existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy and an expanded Trusted Information Sharing Network. This will include a range of activities that will improve the collective understanding of risk between Government and industry, and within and across industry sectors.

To counter the threats to critical infrastructure, an enhanced security framework is required which takes a holistic approach to what is regarded as critical infrastructure and the risks that need to be managed. Post incident consequence and response management alone is inadequate to truly ensure the protection of Australian critical infrastructure. Prevention and risk management are essential to truly make an impact on the security and resilience of Australian critical infrastructure. The reforms in the Bill seek to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of critical infrastructure assets, and to improve information exchange between industry and government to build a more comprehensive understanding of threats.

Owners and operators of critical infrastructure assets are best placed to understand and manage the risks associated with their assets. The Government will continue to work closely with industry through an enhanced partnership to establish baseline standards for, and support the uplift of, security and resilience practices across critical infrastructure. These standards appropriately balance security and regulatory impost and are designed to assist Government to maintain a near-real time threat picture to assist entities in preventing and responding to vulnerabilities and incidents.

The enhanced framework will uplift security and resilience across Australia's critical infrastructure assets. This framework, when combined with better identification and sharing of threats, will ensure that Australia's critical infrastructure assets are more resilient and secure. The Government will work in partnership with responsible entities of critical infrastructure assets to ensure the new requirements build on and do not duplicate existing regulatory frameworks.

The reforms

The Commonwealth needs to establish a clear, effective, consistent and proportionate approach to ensuring the resilience of Australia's critical infrastructure. The amendments to the SOCI Act will drive further uplift of the security and resilience of Australia's critical infrastructure. Should a particularly serious cyber emergency occur, the intention of these reforms is that Government has appropriate, pre-determined and transparent powers to ensure reasonable and necessary action is taken to protect Australia's national interest.


Critical Infrastructure Risk Management Program

As outlined above, the SOCI Act currently contains two all-hazards positive security obligations: mandatory cyber incident reporting (Part 2B) and critical infrastructure asset register reporting (Part 2). The Bill creates an additional positive security obligation, for responsible entities to adopt and maintain a critical infrastructure risk management program. This measure is intended to embed preparation, prevention and mitigation activities into the business as usual operations of critical infrastructure assets, ensuring that the resilience of essential services is strengthened.

Importantly, and in alignment with the other positive security obligations, the obligation to establish, maintain and comply with a critical infrastructure risk management program will only apply if the Minister has made a disallowable legislative instrument (rules) specifying that the obligation applies in relation to a critical infrastructure asset or class of critical infrastructure assets. The rules will specify if the obligation is 'switched on' for a critical infrastructure asset or class of critical infrastructure assets.

The critical infrastructure risk management program will require responsible entities of specified critical infrastructure assets to:
• identify hazards for which there is a 'material risk' that the hazard will impact their business operations;
• minimise the material risks of those hazards occurring; and
• mitigate the impacts of hazards on the operation of their critical infrastructure asset(s).

Responsible entities of critical infrastructure assets will be required to take an all-hazards approach when establishing their critical infrastructure risk management program--including consideration of both natural and human induced hazards. Required content of a critical infrastructure risk management program will be specified by legislative instrument, referred to as risk management program rules.

Government has designed these rules in consultation with industry throughout 2021 and early 2022 in order to create a compliance framework that minimises duplication and regulatory burden. Recommendation 9 of the PJCIS report outlined that any rules to be designed in relation to the critical infrastructure risk management program obligation be co-designed, agreed and finalised to the extent possible before the re-introduction of the obligation and made available as part of the explanatory material for the measures. In accordance with recommendation 9, the rules proposed to be made to specify the required content of a critical infrastructure risk management program are included with this Explanatory Memorandum (see further concerning new section 30AH of the SOCI Act at paragraph 193 of Attachment A). The legislative instrument has been drafted after consulting with industry in late 2021 and early 2022.


Enhanced cyber security obligations for systems of national significance

The Bill also recognises those assets that are the most critical to the security, economy and sovereignty of Australia. These 'systems of national significance' will bear additional cyber obligations, recognising the deteriorating cyber threat environment we currently face.

The enhanced cyber security obligations in the Bill will support the development of a bespoke, outcomes-focused partnership between Government and Australia's 'systems of national significance'. These are a significantly smaller subset of critical infrastructure assets that are crucial to the nation, by virtue of their interdependencies across sectors and the consequences of cascading disruption to other critical infrastructure assets and sectors.

Under the enhanced cyber security obligations, the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more cyber security activities outlined in new Part 2C of the SOCI Act. These include the development of cyber security incident response plans, cyber security exercises to build cyber preparedness, vulnerability assessments to identify vulnerabilities for remediation, and the provision of system information to build Australia's situational awareness.

The enhanced cyber security obligations will support the sharing of near-real time threat information to provide industry with a more mature understanding of emerging cyber security threats, and the capability to reduce the risks of a significant cyber attack against Australia's most critical assets. The obligations that would apply to systems of national significance will give Australians confidence that there are well tested plans in place to recover from and prevent a cyber security attack.

The Bill will also establish a mechanism by which the Minister can personally and privately declare a critical infrastructure asset to be a 'system of national significance' (new Part 6A of the SOCI Act).

Detailed notes on the clauses of the Bill are included at Attachment A.

Other measures in the Bill

In addition to the primary measures outlined above, the Bill also contains other amendments to the SOCI Act in response to PJCIS recommendation 7 (and the principles referred to in paragraph 3.49 of the PJCIS report), feedback received from stakeholders and to improve the efficacy and efficiency of the statutory framework.
• Recognition of the Digital Transformation Agency's Hosting Certificate Framework (HCF) as a risk-management process similar to the critical infrastructure risk management program--by excluding responsible entities from the critical infrastructure risk management program obligation when an asset, or part of an asset, they are responsible for is 'certified strategic' under the HCF (new Part 2AA of the SOCI Act).


• The Bill makes amendments to various definitions of types of critical infrastructure assets in response to stakeholder feedback.
• Changes are made to the provisions governing the use and disclosure, and making records, of protected information to enable greater information sharing between responsible entities and Commonwealth, State and Territory regulatory agencies, notably including a specific provision enabling the Commonwealth Ombudsman to use and disclose, and make records, of protected information (by amendment to Part 4 of the SOCI Act).
• The ability of rules specifying requirements in relation to critical infrastructure risk management programs to incorporate documents by reference is enhanced to ensure that such programs are aligned to international standards or to align with existing best-practice in the Commonwealth and other jurisdictions.
• Clarifying certain consultation requirements of the Minister, including a right of reply for impacted stakeholders and for that reply to be considered before the Minister's decision can be made.
• Expanding the scope of immunities from prosecution or suit available to responsible entities, their employees, contractors and other agents, where they take actions under the government assistance measures in Part 3A of the SOCI Act.
• Clarifying the exception from reporting obligations in Part 2 of the SOCI Act for moneylenders until they enforce their security in relation to a critical infrastructure asset, and extending the exception to custodial or depository service providers unless.

FINANCIAL IMPACT

The Bill does not impose any new expenditure and the overall financial impact is low.

A detailed Regulation Impact Statement to assess the high level regulatory impact to industry of uplifting the security and resilience of Australia's critical infrastructure assets was included in the Explanatory Memorandum for the 2020 Bill as introduced in the House of Representatives on 10 December 2020--including the measures to create a critical infrastructure risk management program obligation and the enhanced cyber security measures. Please refer to that document for detail in relation to those measures in this Bill.


STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

A Statement of Compatibility with Human Rights has been completed in relation to the Bill. It has been assessed that the amendments are compatible with Australia's human rights obligations. The Statement of Compatibility with Human Rights is at Attachment B.


COMMON ABBREVIATIONS AND ACRONYMS

Abbreviation or acronym: Meaning

2020 Bill: Security Legislation Amendment (Critical Infrastructure) Bill 2020, as introduced in the House of Representatives on 10 December 2020
Acts Interpretation Act: Acts Interpretation Act 1901
ASD: Australian Signals Directorate
ASIO: Australian Security Intelligence Organisation
ASIO Act: Australian Security Intelligence Organisation Act 1979
ATSA: Aviation Transport Security Act 2004
AusCheck Act: AusCheck Act 2007
Corporations Act: Corporations Act 2001
Criminal Code: Criminal Code Act 1995
DISP: Defence Industry Security Program
Department: Department of Home Affairs
Draft Part 2A instrument: Exposure draft of the instrument proposed to be made after 'co-design' under paragraph 30AH(1)(c) and section 30AKA of the SOCI Act--see Attachment C to this Explanatory Memorandum
HCF: Hosting certificate framework
Intelligence Services Act: Intelligence Services Act 2001
Legislation Act: Legislation Act 2003
Minister: Minister for Home Affairs
MTOFSA: Maritime Transport and Offshore Facilities Security Act 2003
Part 2A asset: A critical infrastructure asset to which Part 2A of the SOCI Act applies (in accordance with new section 30AB)
PJCIS: Parliamentary Joint Committee on Intelligence and Security
PJCIS report: Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 (September 2021)


Privacy Act: Privacy Act 1988
Secretary: Secretary of the Department of Home Affairs
SLACI Act: Security Legislation Amendment (Critical Infrastructure) Act 2021
SOCI Act: Security of Critical Infrastructure Act 2018
Telecommunications Act: Telecommunications Act 1997
TIA Act: Telecommunications (Interception and Access) Act 1979


Attachment A

Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022

NOTES ON CLAUSES

Section 1 Short title

1. Section 1 of the Bill provides that the short title of the Act is the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022.

Section 2 Commencement

2. Section 2 of the Bill sets out the times at which the Act commences once passed by the Parliament.

3. Subsection (1) provides that each provision of the Bill specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. The table provides that sections 1 to 3 of the Bill and anything not otherwise covered by the table commences the day the Act receives the Royal Assent (item 1). As this is the only item in the table, the entire Bill including the amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) in Schedule 1 commences the day after the Act receives the Royal Assent.

4. A note explains that this table relates only to the provisions of this Bill as originally enacted. It will not be amended to deal with any later amendments.

5. Subsection (2) provides that any information in column 3 of the table is not part of the Bill. Information may be inserted in this column, or information in it may be edited, in any published version of this Bill. This enables the Office of Parliamentary Counsel to insert the date of commencement into column 3 of the table in subsection (1) once the Royal Assent is received.

Section 3 Schedules

6. Section 3 of the Bill provides that legislation that is specified in a Schedule to the Bill is amended or repealed as set out in the applicable items in the Schedule concerned. In addition, this clause provides that any other item in a Schedule to this Act has effect according to its terms.

7. There is one Schedule to the Bill. Schedule 1 to the Bill makes amendments to the SOCI Act to:
• make amendments to preliminary provisions and various definitions (items 4-45);
• make minor amendments to Part 2 concerning consultation requirements (items 46-48);


• insert new Part 2A, which provides that specified critical infrastructure assets must adopt and maintain a critical infrastructure risk management program (item 49);
• insert new Part 2AA, which provides for annual reporting obligations for assets that are exempt from the critical infrastructure risk management program obligation (item 49);
• make minor amendments to Part 2B concerning consultation requirements and immunities (items 50-57);
• insert new Part 2C, to provide for a number of enhanced cyber security obligations that may be applied in relation to systems of national significance (item 58);
• provide that directions made under Part 3A (facilitating government assistance to industry in the event of a serious cyber security incident) prevail over the requirements of a critical infrastructure risk management program (items 59, 61);
• amend immunity provisions in Part 3A (items 60, 62 and 63);
• amend provisions that authorise the use and disclosure of protected information to facilitate information sharing between responsible entities and State, Territory and Commonwealth government agencies (items 64-69);
• provide that the Minister's power to privately declare an asset as a critical infrastructure asset includes a power to determine that new Part 2A applies to the asset (item 70);
• create a power for the Minister to privately declare a critical infrastructure asset to be a system of national significance if specified criteria are met (new Part 6A, item 71); and
• add additional information to the information required to be included in the annual report on the SOCI Act, to reflect the new measures being inserted by the Bill (items 72-74).

8. Schedule 1 to the Bill will also make amendments to the AusCheck Act 2007 (the AusCheck Act) to enable amendments to the AusCheck scheme, as prescribed in the AusCheck Regulations 2017 (the AusCheck Regulations), to provide for background checks to be conducted if permitted by a critical infrastructure risk management program (item 1). A technical amendment to the Criminal Code is also included (item 2).


Schedule 1--Security of critical infrastructure

AusCheck Act 2007

Item 1 Subsection 4(1)

9. Item 1 of Schedule 1 to the Bill inserts the definition of 'critical infrastructure risk management program' into subsection 4(1) of the AusCheck Act, which has the meaning given by the SOCI Act (see new section 30AH of the SOCI Act, from paragraph 193 below).

Item 2 After paragraph 8(1)(b)

10. Item 2 of Schedule 1 to the Bill inserts a provision in the AusCheck Act, which provides that the AusCheck scheme prescribed in the AusCheck Regulations can provide for the conduct and coordination of background checks of individuals if a critical infrastructure risk management program permits such a check to be made.

11. The amendments in items 1 and 2 are required to facilitate the operation of new subsection 30AH(4) of the SOCI Act (see from paragraph 214 below).

Criminal Code Act 1995

Item 3 Paragraph 476.6(8)(b) of the Criminal Code

12. Item 3 is a correction to update a reference in the Criminal Code to a provision of the Australian Security Intelligence Organisation Act 1979.

Security of Critical Infrastructure Act 2018

Item 4 After paragraph 3(b)

13. Item 4 of Schedule 1 to the Bill amends the objects provision of the SOCI Act (section 3), to insert paragraphs (c) and (d). These paragraphs highlight the introduction of additional regulatory obligations in the SOCI Act, these being the critical infrastructure risk management program and the enhanced cyber security obligations for systems of national significance.

14. This amendment reflects the additional and broader purpose of the SOCI Act (as a result of amendments in this Bill), which is to manage the threats posed by, and the impacts of, a variety of hazards, including those that are human induced and naturally occurring, in relation to critical infrastructure assets and systems of national significance.

Items 5-7 Section 4

15. Items 5-7 of Schedule 1 to the Bill amend the simplified outline in section 4 of the SOCI Act, in particular the paragraph describing the framework. This section is designed to assist the reader of the legislation in understanding the structure and content of the SOCI Act.


16. Item 5 inserts new paragraph (b), to describe the requirement for the responsible entity for a critical infrastructure asset to have, and comply with, a critical infrastructure risk management program (unless an exemption applies).

17. Item 6 inserts new paragraph (d), to describe that the SOCI Act may impose enhanced cyber security obligations for critical infrastructure assets declared systems of national significance.

18. Item 7 inserts an additional paragraph into the simplified outline explaining that the Minister may privately declare a critical infrastructure asset to be a system of national significance. Due to the criticality of assets declared to be systems of national significance, it is essential that this information is protected.

Items 8-26 Amendments to section 5

19. Items 8-26 of the Bill contain amendments to the definitions in section 5 of the SOCI Act, including a number of assets that are types of 'critical infrastructure asset', in response to stakeholder feedback. The amendments do not implement all feedback received, but it is notable that section 9 of the SOCI Act provides that:
• an asset may be additionally prescribed to be a critical infrastructure asset in rules made by the Minister (paragraph 9(1)(f)); and
• the rules may also prescribe that an asset is not a critical infrastructure asset (subsection 9(2)).

20. This means that the various definitions can be expanded or narrowed by rules made by the Minister under section 61 of the SOCI Act.

Item 8 Section 5 (definition of critical education asset)

21. Recommendation 7 and paragraph 3.49 of the PJCIS report indicated that the scope of the definitions in the SOCI Act should be reviewed as part of consultation processes for this Bill. This definition is being amended in accordance with this recommendation.

22. Item 8 of Schedule 1 to the Bill repeals and replaces the definition of 'critical education asset' in section 5 of the SOCI Act.

23. The current definition of 'critical education asset' is 'a university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers' (emphasis added). The new definition provides that a 'critical education asset' means an asset that is both:
• owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers (paragraph (a)); and


• used in connection with undertaking a program of research that is critical to a critical infrastructure sector (other than the higher education and research sector), the defence of Australia or national security (paragraph (b)).

24. The definition is being amended to address concerns raised by higher education industry stakeholders that the current definition captures all of a university, including assets that have no relationship to the security-sensitive research that a university may conduct (reflected in new paragraph (b) of the definition). These assets are no longer captured, as the definition would newly apply to an asset owned by a university and used in connection with security-sensitive research, rather than to the entire university.

25. A note to the definition will inform readers that the rules may prescribe that a specified critical education asset is not a critical infrastructure asset (see section 9).

Item 9 Section 5 (paragraph (c) of the definition of critical energy market operator asset)

26. Item 9 of Schedule 1 of the Bill inserts 'or system' into paragraph (c) of the definition of 'critical energy market operator asset', which is currently defined to be an asset that is all of the following:
• owned or operated by certain specified corporations (paragraph (a));
• used in connection with the operation of an energy market or system (paragraph (b)); and
• critical to ensuring the security and reliability of an energy market (paragraph (c)).

27. Paragraph (b) of the definition applies to an 'energy market or system'. Paragraph (c) of the definition only applies to an 'energy market'. The purpose of this amendment is to ensure both paragraphs (b) and (c) of this definition consistently apply to an 'energy market or system' in order to capture the correct assets as critical infrastructure assets.

Item 10 Section 5

28. Item 10 of Schedule 1 to the Bill provides a number of definitions for terms that facilitate the amendments to the SOCI Act being made by the Bill. Some terms are defined by reference to other Acts. For terms defined in this manner it is intended that the term in the SOCI Act has the meaning as it appears in the Acts referred to from time to time.

critical infrastructure risk management program

29. This term is defined by reference to new section 30AH of the SOCI Act (see from paragraph 193 below).


Item 11 Section 5 (definition of critical telecommunications asset)

30. Item 11 of Schedule 1 to the Bill repeals and reinserts the definition of 'critical telecommunications asset' in section 5 of the SOCI Act.

31. Under the new definition, an asset will be a 'critical telecommunications asset' when it is either:
• a 'telecommunications network' that is owned or operated by a 'carrier' or 'carriage service provider' and used to supply a 'carriage service' (paragraph (a)); or
• a 'facility' that is owned or operated by a 'carrier' or 'carriage service provider' and used to supply a 'carriage service' (paragraph (b)).

32. The terms 'telecommunications network', 'facility', 'carrier', 'carriage service provider' and 'carriage service' are all defined to take their meaning from the Telecommunications Act 1997 (Telecommunications Act).

33. The new definition removes the reference to 'any other asset' and replaces it with the term 'facility'. Under section 7 of the Telecommunications Act, 'facility' means:
• any part of the infrastructure of a telecommunications network; or
• any line, equipment, apparatus, tower, mast, antenna, tunnel, duct, hole, pit, pole or other structure or thing used, or for use, in or in connection with a telecommunications network.

34. The purpose of item 11 is to align the definition of 'critical telecommunications asset' with the provisions of the Telecommunications Act.

35. A note to the definition provides that the rules may prescribe that a specified critical telecommunications asset is not a critical infrastructure asset (see section 9).

Item 12 Section 5

36. Item 12 of Schedule 1 to the Bill inserts definitions of 'custodial or depository services' and 'cyber security exercise' in section 5 of the SOCI Act.

custodial or depository services

37. This term is defined to have the same meaning as in the Corporations Act 2001 (Corporations Act). At the time the Bill is introduced, a descriptive definition of 'custodial or depository services' is provided in section 766E of that Act.


cyber security exercise

38. This term is defined by reference to new section 30CN of the SOCI Act (see from paragraph 389 below).

Item 13 Section 5 (definition of data storage or processing service)

39. Recommendation 7 and paragraph 3.49 of the PJCIS report indicated that the scope of the definitions in the SOCI Act should be reviewed as part of consultation processes for this Bill. This definition is being amended in accordance with this recommendation.

40. Item 13 of Schedule 1 to the Bill repeals and replaces the definition of 'data storage or processing service'. The current definition of this term includes a service that enables end-users to back-up data (paragraph (a)) or a data processing service (paragraph (b)).

41. New paragraph (a) of the definition retains the current reference to a service that enables end-users to store or back-up data. Paragraph (a) now also includes a requirement that the service is provided on a commercial basis--which excludes other services that are not provided on a commercial basis, or are provided supplementary to a different commercial service.

42. New paragraph (b) of the definition retains the current reference to a data processing service, but now also includes a requirement that the service involves one or more computers and is provided on a commercial basis, and excludes any manual data processing services that were not intended to be captured in the current definition.

43. New paragraph (c) of the definition provides that a 'data storage or processing service' also includes a service specified in the rules. This rule-making power will, importantly, allow the Minister to make rules specifying additional services as data storage or processing services so that technical advancements in this field, which are occurring rapidly, can also be reflected in the SOCI Act.

44. The new definition also provides that the rules may prescribe that a specified service is not a 'data storage or processing service', which provides for the Minister to carve out a service from the definition if required.

Item 14 Section 5

45. Item 14 of Schedule 1 to the Bill inserts a number of definitions for terms that facilitate the amendments to the SOCI Act being made by the Bill.

designated officer

46. This term is defined by reference to new section 30DQ of the SOCI Act (see from paragraph 400).


evaluation report

47. This term is defined by reference to new section 30CS of the SOCI Act (see from paragraph 415).

external auditor

48. Means a person authorised under new section 30CT of the SOCI Act to be an external auditor for the purposes of the SOCI Act (see from paragraph 419).

Item 15 Section 5 (definition of higher education and research sector)

49. Recommendation 7 and paragraph 3.49 of the PJCIS report indicated that the scope of the definitions in the SOCI Act should be reviewed as part of consultation processes for this Bill. The definition of 'higher education and research sector' is being amended in accordance with this recommendation.

50. Item 15 of Schedule 1 to the Bill repeals the existing definition of 'higher education and research sector' and substitutes a new definition. The definition will be amended to mean the sector of the Australian economy that is involved in undertaking a program of research that is both:
• supported financially (in whole or part) by the Commonwealth (paragraph (a)); and
• critical to national security, the defence of Australia or another critical infrastructure sector (paragraph (b)).

51. As amended, this definition is intended to capture the entire public university sector as well as privately-funded universities and other research entities that conduct security-sensitive research. Other higher education providers (such as technical or private colleges) are no longer captured by the definition unless they conduct research that is critical to another critical infrastructure sector, national security or defence.

52. This amendment follows consultation with the higher education sector, which recommended that the original sector definition be narrowed in scope and provide additional clarity as to the entities and assets that would be captured.

Item 16 Section 5

53. Item 16 of Schedule 1 to the Bill inserts an additional definition for a term that facilitates the amendments to the SOCI Act being made by the Bill.

incident response plan

54. This term is defined in section 30CJ of the SOCI Act (see from paragraph 368).
Item 17 Section 5 (at the end of the definition of notification provision)

55. Item 17 of Schedule 1 to the Bill inserts references to new subsections 52B(3) and 52D(4) in the definition of 'notification provision'. Under subsection 46(3) of the SOCI Act, making a record of, disclosing or otherwise using protected information is not an offence where the disclosure is done in good faith and in purported compliance with a notification provision.

56. This amendment means that 'notification provision' includes a notice provided by the Minister to a responsible entity that the entity's asset has been declared a system of national significance (new subsection 52B(3)) and a notice provided by the Secretary to a new reporting entity for a system of national significance under new subsection 52D(4).

57. It follows that, under subsection 46(3) of the SOCI Act, any recording, disclosing or otherwise using of protected information in good faith and in purported compliance with these provisions is not captured by the offence in section 45.

Item 18 Section 5 (after paragraph (b) of the definition of protected information)

58. Item 18 of Schedule 1 to the Bill expands the definition of 'protected information' in section 5 of the SOCI Act to include information that records, or is, the fact that an asset is declared under section 52B to be a system of national significance (paragraph (ba)).

59. The purpose of this item is to ensure that information relating to the declaration of systems of national significance is subject to Part 4 of the SOCI Act and must not be recorded, used or disclosed except as authorised or permitted in the Act.

60. The fact that a critical infrastructure asset is declared a system of national significance is highly sensitive information, which may be captured by the definition of 'inherently harmful information' in subsection 121.1(1) of the Criminal Code. Having information identifying systems of national significance on the public record has the potential to highlight assets for targeting by malicious actors--who could readily identify the asset as being of national significance to Australia's social or economic stability, defence or national security.

61. Importantly, there are a number of circumstances where the use and disclosure of protected information is authorised or permitted (see Division 3 of Part 4 of the SOCI Act). Notably, using or disclosing protected information is authorised in the circumstances set out in new section 43E of the Act (see below for explanation).

Item 19 Section 5 (after paragraph (bb) of the definition of protected information)

62. Item 19 of Schedule 1 to the Bill expands the definition of 'protected information' in section 5 of the Act to include information that:
• is, or is included in, a critical infrastructure risk management program that is adopted by an entity in compliance with new section 30AC (paragraph (bc)); and
• is, or is included in, a report that is given under new section 30AG or 30AQ (paragraph (bd)).

63. The reporting obligations in sections 30AG and 30AQ are to make an annual report concerning compliance with a critical infrastructure risk management program or, if the critical infrastructure asset is exempt from that obligation, to make an annual report about its alternative risk management arrangements.

64. This information should be considered protected information given it is highly sensitive information about a critical infrastructure asset and it may be captured by the definition of 'inherently harmful information' in subsection 121.1(1) of the Criminal Code. This information may also fall under the definition of 'security classification' in section 90.1 of the Criminal Code, as its disclosure may result in serious damage or exceptionally grave damage to the national interest in the hands of a malicious actor.

65. The purpose of this item is to ensure that information in an entity's critical infrastructure risk management program or an associated annual report (see new Part 2A of the Act) is subject to Part 4 of the SOCI Act and must not be recorded, used or disclosed except as authorised or permitted.

Item 20 Section 5 (after paragraph (be) of the definition of protected information)

66. Item 20 of Schedule 1 to the Bill expands the definition of 'protected information' in section 5 of the Act to include information that:
• is, or is included in, an incident response plan adopted by an entity in compliance with section 30CD (paragraph (bf));
• is, or is included in, an evaluation report prepared under section 30CQ or 30CR (paragraph (bg)); and
• is, or is included in, a vulnerability assessment report prepared under section 30CZ (paragraph (bh)).

67. The purpose of this item is to ensure that information related to the enhanced cyber security requirements is captured by Part 4 of the SOCI Act and must not be recorded, used or disclosed except as authorised or permitted.

68. This information should be considered protected information given it is highly sensitive information about a critical infrastructure asset and it may be captured by the definition of 'inherently harmful information' in subsection 121.1(1) of the Criminal Code. This information may also fall under the definition of 'security classification'
in section 90.1 of the Criminal Code, as its disclosure may result in serious damage or exceptionally grave damage to the national interest in the hands of a malicious actor.

Item 21 Section 5 (definition of registerable superannuation entity)

69. Item 21 of Schedule 1 to the Bill repeals the definition of 'registerable superannuation entity' in section 5 of the SOCI Act, consequential to the amendment made at item 19 (see from paragraph 74).

Item 22 Section 5

70. Item 22 of Schedule 1 to the Bill inserts the definition of 'related company group' in section 5 of the SOCI Act. The purpose of this amendment is to facilitate the extension of the immunities contained in sections 30BE, 35AAB, 35AW and 35BB of the SOCI Act beyond persons who are employees, officers or agents of a relevant entity.

71. The term is defined to mean a group of two or more bodies corporate, where each member of the group is related to each other member of the group. Whether or not a body corporate is related to another body corporate is to be determined in the same manner as in the Corporations Act (see section 50 of that Act).

72. Amending the SOCI Act to insert a 'related company group' definition will broaden the scope of the immunities in sections 30BE, 35AAB, 35AW and 35BB to protect employees, officers and agents of separate but related bodies corporate that may conceivably discharge obligations or requirements under the Act due to corporate or contractual arrangements with the responsible entity. These immunities are being extended in response to recommendation 7 and paragraph 3.49 of the PJCIS report, which outline that the types and breadth of these immunities should be reconsidered and amended by the Bill.

Item 23 Section 5

73. Item 23 of Schedule 1 to the Bill inserts the definition of 'RSE licensee' into section 5 of the SOCI Act. This term is being defined for the purpose of amending the definition of 'critical superannuation asset' so that the correct entity that owns or operates that asset is identified in the definition (see items 37-39, from paragraph 106).

74. 'RSE licensee' is defined to have the same meaning as in section 10 of the Superannuation Industry (Supervision) Act 1993. At the time of introduction of the Bill, the term was defined to be a constitutional corporation, body corporate, or group of individual trustees, that holds an RSE licence granted under section 29D of that Act.

Item 24 Section 5 (paragraph (a) of the definition of security)

75. Item 24 of Schedule 1 to the Bill inserts references to new sections 30AG, 30AQ, 30CB, 30CM, 30CR, 30CU and 30CW into paragraph (a) of the definition of security in section 5. These will be further sections wherein 'security' (other than national security) does
not take its meaning from the Australian Security Intelligence Organisation Act 1979 and is capable of having a broader meaning than that outlined in section 4 of that Act.

Item 25 Section 5 (paragraph (b) of the definition of security)

76. Item 25 of Schedule 1 to the Bill inserts references to new sections 30AG, 30CB, 30CM, 30CR, 30CU and 30CW into paragraph (b) of the definition of security in section 5. These will be further sections wherein security has its ordinary meaning.

Item 26 Section 5

77. Item 26 of Schedule 1 to the Bill inserts further definitions into the SOCI Act that are required as a result of the amendments being made by the Bill.

system information event-based reporting notice

78. This means a notice under new subsection 30DC(2) of the SOCI Act (see from paragraph 472).

system information periodic reporting notice

79. This means a notice under new subsection 30DB(2) of the SOCI Act (see from paragraph 461).

system information software notice

80. This means a notice under new subsection 30DJ(2) of the SOCI Act (see from paragraph 505).

system of national significance

81. This term has the meaning given in new section 52B of the SOCI Act (see from paragraph 604).

vulnerability assessment

82. This term has the meaning given by new section 30CY of the SOCI Act (see from paragraph 445).

vulnerability assessment report

83. This term has the meaning given by new section 30DA of the SOCI Act (see from paragraph 456).

Item 27 Subsection 8(2) (at the end of the heading)

84. Item 27 of Schedule 1 to the Bill is a minor amendment to add 'etc' to the heading for subsection 8(2) of the SOCI Act, consequential to the amendment in item 22C.
Item 28 At the end of subsection 8(2)

85. Item 28 of Schedule 1 to the Bill repeals paragraphs 8(2)(b) and (c) of the SOCI Act and substitutes new paragraph (b). Amended subsection 8(2) sets out when subsection 8(1) of the SOCI Act does not apply to a moneylender.

86. Paragraph 8(2)(a) is being retained. It requires that the entity hold the asset solely by way of security for a moneylending agreement, or solely as a result of enforcing a security for a moneylending agreement. The entity must also satisfy one of the requirements mentioned in paragraph (b).

87. Paragraph 8(2)(b) provides that the entity must also be at least one of the following:
• the entity (the first entity) that entered into the moneylending agreement; or
• a subsidiary or holding entity of the first entity; or
• a person who is (alone or with others) in a position to determine the investments or policy of the first entity; or
• a security trustee who holds or acquires the interest on behalf of the first entity; or
• a receiver, or a receiver and manager, appointed by, or appointed on instructions from, a person or entity mentioned in any of the above points.

88. The purpose of item 28 is to remove the requirement in current paragraphs 8(2)(b) and (c) that the holding of the interest, or the enforcing of the security, does not put the entity in a position to directly or indirectly influence or control the asset. The amendments implemented by item 28 are intended to align the moneylender exemption in the SOCI Act with the provisions in subsection 27(1) of the Foreign Acquisitions and Takeovers Regulation 2015.

Item 29 At the end of section 8

89. Item 29 adds new subsection (4) to section 8 of the SOCI Act, a new exemption from subsection (1) that applies to providers of custodial or depository services. The exemption will apply to an interest in an asset, held by an entity, if:
• the entity is the provider of a custodial or depository service (paragraph (a));
• the entity holds the interest in the asset solely in the entity's capacity as the provider of a custodial or depository service (paragraph (b)); and
• the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset (paragraph (c)).
90. The purpose of this provision is to ensure that providers of custodial or depository services do not acquire the obligations of direct interest holders under the SOCI Act.

91. Item 29 also adds new subsection (5) to section 8 of the SOCI Act, a new exemption from subsection (1) that applies to entities specified in the rules. The exemption will apply to an interest in an asset held by an entity if:
• the entity is the provider of a service specified in the rules; and
• the entity holds the interest in the asset solely in the entity's capacity as the provider of the service; and
• the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset.

Item 30 At the end of section 8G

92. Item 30 of Schedule 1 to the Bill amends the definition of 'relevant impact' in section 8G of the SOCI Act to include the impact of a cyber security incident on a system of national significance. New subsection 8G(3) provides that a relevant impact of a cyber security incident on a system of national significance is an impact, whether direct or indirect, on any of the following:
• the availability of the asset (paragraph (a));
• the integrity of the asset (paragraph (b));
• the reliability of the asset (paragraph (c)); or
• the confidentiality of information about the asset, information stored in the asset, or computer data (paragraph (d)).

93. For instance, the relevant impact of a ransomware attack on a major telecommunications service provider could be that the provider is taken offline or is unable to service customer demand, leaving millions of customers without regular service. This amounts to a 'relevant impact' because the availability and reliability of the asset have been compromised. Further, a ransomware attack may also involve unauthorised access to the systems of the service provider, which could directly compromise the confidentiality of information held in its data centre and undermine businesses' ability to trust the integrity of the data held in that facility.

Item 31 After paragraph 12(1)(d)

94. Item 31 inserts a new paragraph (e) into subsection 12(1) of the SOCI Act.
95. The purpose of this item is to clarify that a control room or any other asset that is required to operate a gas transmission pipeline is part of a 'critical gas asset' as defined by section 12 of the SOCI Act.

Items 32-33 Paragraph 12F(1)(b)

96. Recommendation 7 and paragraph 3.49 of the PJCIS report indicated that the scope of the definitions in the SOCI Act should be reviewed as part of consultation processes for this Bill. The definition of 'critical data storage or processing asset' in section 12F is being amended by items 32-36 in accordance with this recommendation.

97. A 'critical data storage or processing asset' is currently defined to be an asset that meets the criteria listed in paragraphs 12F(1)(a)-(c). Item 32 amends paragraph (1)(b) by inserting the words 'relates to business critical data and that' after the reference to the service in the provision. Item 33 amends paragraph (1)(b) by omitting the words 'on a commercial basis'.

98. The intent of this amendment is to capture any asset that is used to provide a data storage or processing service to an end-user listed in subparagraphs (i)-(vi). This apparent broadening should be read consistently with the amendments to significantly reduce the scope of the meaning of 'data storage or processing service' (item 13, from paragraph 39).

Item 34 After paragraph 12F(1)(c)

99. Item 34 of Schedule 1 to the Bill adds a new criterion that must be met for an asset to be a 'critical data storage or processing asset' under subsection 12F(1), by inserting new paragraph (d). This further criterion is that an asset is not included within this definition if it is a critical infrastructure asset that is covered by a paragraph of subsection 9(1) (other than paragraph 9(1)(d), which refers to a 'critical data storage or processing asset').

100. The purpose of this new paragraph is to carve out any other critical infrastructure assets that may inadvertently be captured within the scope of the critical data storage or processing definition due to the data storage or processing functions these assets perform, in particular critical telecommunications assets. This item is inserted in response to feedback received from industry stakeholders.

Item 35 Subparagraph 12F(2)(b)(i)

101. An asset is also a 'critical data storage or processing asset' where it meets the criteria listed in paragraphs 12F(2)(a)-(c) of the SOCI Act.

102. Item 35 of Schedule 1 to the Bill omits the words 'on a commercial basis' from subparagraph (2)(b)(i).

103. The intent of this amendment is to capture any asset that is used to provide a data storage or processing service to a critical infrastructure asset relating to 'business critical
data'. This apparent broadening should be read consistently with the amendments to significantly reduce the scope of the meaning of 'data storage or processing service' (item 13, from paragraph 39).

Item 36 After paragraph 12F(2)(c)

104. Item 36 of Schedule 1 to the Bill adds a new criterion that must be met for an asset to be a 'critical data storage or processing asset' under subsection 12F(2), by inserting new paragraph (d). This further criterion is that an asset is not included within this definition if it is a critical infrastructure asset that is covered by a paragraph of subsection 9(1) (other than paragraph 9(1)(d)).

105. As discussed in item 34, the purpose of this new paragraph is to carve out critical infrastructure assets that may inadvertently be captured within the scope of the critical data storage or processing definition due to the data storage or processing functions these assets perform, in particular critical telecommunications assets.

Items 37-39 Paragraphs 12J(1)(a), 12J(2)(a), 12J(2)(b)

106. Recommendation 7 and paragraph 3.49 of the PJCIS report indicated that the scope of the definitions in the SOCI Act should be reviewed as part of consultation processes for this Bill. The definition of 'critical superannuation asset' in section 12J of the SOCI Act is being amended in accordance with this recommendation.

107. Items 37-39 of Schedule 1 to the Bill amend the definition of 'critical superannuation asset' to omit 'a registerable superannuation entity' and substitute 'an RSE licensee', and to omit 'registerable superannuation entities' and substitute 'RSE licensees'.

108. The purpose of these amendments is to include critical superannuation assets that are owned or operated by an RSE licensee, rather than a registerable superannuation entity, as potential critical infrastructure assets (noting that the asset must also be captured by section 14 of the Security of Critical Infrastructure (Definitions) Rules 2021 (the Definitions Rules)).

109. These amendments follow consultation with the Australian Prudential Regulation Authority, which advised that RSE licensees, rather than registerable superannuation entities, own and operate critical superannuation assets.

Items 40-41 Subparagraph 12K(1)(a)(i) and subparagraph 12K(1)(a)(ii)

110. Items 40 and 41 amend the definition of 'critical food and grocery asset' in section 12K of the SOCI Act.

111. Items 40 and 41 insert the word 'essential' before the words 'food' and 'groceries'. The purpose of this is to clarify that only 'essential' foods and groceries are included within the definition of 'critical food and grocery asset'.
Item 42 After paragraph 12KA(1)(b)

112. An asset is a 'critical domain name system' under section 12KA of the SOCI Act where it meets the following criteria:
• the asset is managed by an entity that is critical to the administration of an Australian domain name system (see subsection 12KA(2) and section 16 of the Definitions Rules) (paragraph (1)(a)); and
• the asset is used in connection with an Australian domain name system (paragraph (1)(b)).

113. Item 42 of Schedule 1 to the Bill adds an additional criterion in new paragraph (c), that the asset is, in accordance with subsection (3), critical to the administration of an Australian domain name system (see from paragraph 114).

Item 43 At the end of section 12KA

114. Item 43 of Schedule 1 to the Bill adds a new subsection (3) to the definition of critical domain name system under section 12KA. This subsection provides the Minister with the ability to make rules, for the purposes of paragraph (1)(c), to prescribe:
• specified assets as critical to the administration of an Australian domain name system (paragraph (a)); or
• requirements for an asset to be critical to the administration of an Australian domain name system (paragraph (b)).

115. A rule-making power currently exists under subsection 12KA(2) to prescribe the entities that are critical to the administration of an Australian domain name system. Section 16 of the Definitions Rules currently prescribes .au Domain Administration Ltd (ABN 38 079 009 340) and the entity that administers the '.au' country code Top Level Domain for this purpose.

116. With this amendment (and item 42 above), an asset used by these entities in connection with an Australian domain name system will need to be prescribed in rules made by the Minister in order to be a critical domain name system.

117. The purpose of this new rule-making power is to provide greater certainty on what assets are 'critical to the administration of an Australian domain name system'. This amendment follows consultation with .au Domain Administration Limited (auDA), the entity responsible for the administration of the '.au' country code Top Level Domain, and the Department of Infrastructure, Regional Development, Transport and Communications. These entities raised concerns that the construction of the current definition may capture irrelevant assets used in connection with the administration of an Australian domain name system (e.g. accounting software or event management systems).
Item 44 Paragraph 12L(6)(a)

118. Section 12L of the SOCI Act outlines the meaning of 'responsible entity'. This is an important concept used to identify the entity (individual, body corporate, body politic etc.) that may have obligations in relation to a critical infrastructure asset under Parts 2, 2A and 2B, or a system of national significance under Part 2C, of the SOCI Act.

119. Item 44 of Schedule 1 to the Bill amends the definition of responsible entity for a 'critical superannuation asset' by omitting 'registerable superannuation entity' from paragraph 12L(6)(a) and substituting 'RSE licensee'.

120. As mentioned in item 37 of Schedule 1 to the Bill, this amendment is based on advice that critical superannuation assets are owned and operated by RSE licensees, not registerable superannuation entities. For this reason, the responsible entity for a critical superannuation asset will become the RSE licensee referred to in subsection 12J(1) of the SOCI Act.

Item 45 At the end of section 12L

121. Item 45 of Schedule 1 to the Bill inserts a new subsection (25) at the end of section 12L of the SOCI Act. This item provides that the responsible entity for a critical infrastructure asset that is declared a system of national significance is the responsible entity for the system of national significance. This means that the responsible entity will be the entity that receives notification from the Minister under section 52B of the SOCI Act that its asset has been declared a system of national significance.

Items 46-48 Subparagraph 18AA(2)(a)(ii), paragraph 18AA(2)(c) and at the end of section 18AA

122. Sections 18A and 18AA of the SOCI Act provide for the application of Part 2 of the SOCI Act, under which a responsible entity for, and a direct interest holder in, a critical infrastructure asset must provide information to the Register of Critical Infrastructure Assets. Relevantly, before rules can be made under paragraph 18A(1)(a) to prescribe critical infrastructure assets to which Part 2 applies, the consultation requirements specified in section 18AA must be met.

123. Items 46 and 47 of Schedule 1 to the Bill amend section 18AA of the SOCI Act to remove the reference to the 28 day consultation period and insert a reference to the period mentioned in subsection (3). Item 48 inserts new subsection (3), providing that the period is the period specified in the notice--but that period must not be shorter than 28 days. This amendment clarifies that the Minister may invite submissions over a longer period.

Item 49 After Part 2

124. Item 49 inserts new Part 2A, containing the critical infrastructure risk management program obligation, into the SOCI Act.
Part 2A--Critical infrastructure risk management programs

125. Part 2A will require responsible entities for critical infrastructure assets to develop and comply with a critical infrastructure risk management program - the second limb of the positive security obligation (unless an exemption applies). The objective of these amendments is to uplift the core security practices of critical infrastructure assets by ensuring responsible entities take a holistic and proactive approach toward identifying, preventing and mitigating risks from all hazards.

126. The Bill sets out the overarching obligations for the risk management programs, with the more detailed requirements to be contained in risk management program rules. Since the responsible entity is best placed to understand the risks to its asset, principles-based rules will be used, providing the necessary flexibility and clarity for industry. Combined, the SOCI Act and the proposed rules will ultimately require responsible entities of critical infrastructure assets to manage security risks under principles-based outcomes:
• Identifying hazards and risks of a hazard occurring: Entities will have a responsibility to take an all-hazards approach--to identify all physical and man-made hazards that may impact their business, and then assess the risk that the hazard may have on the availability, integrity, reliability and confidentiality of their critical infrastructure asset(s).
• Minimising or eliminating the risk of a hazard occurring: Entities will be required to have appropriate risk mitigations in place to minimise or eliminate the risk of a hazard occurring.
• Minimising impacts: Entities will be required to have robust procedures in place to minimise or eliminate the impacts in the event a hazard has occurred and to recover as quickly as possible.
• Effective governance: Responsible entities will have annual and certification reporting requirements to ensure that risk management is considered at an appropriately senior level within the entity.

Section 30AA Simplified outline of this Part

127. New section 30AA of the SOCI Act sets out a simplified outline of Part 2A, which is intended to aid the reader of the legislation in understanding the operation of this Part. Under Part 2A, responsible entities for one or more critical infrastructure assets to which the Part applies must adopt, maintain and comply with a critical infrastructure risk management program (including regular review and updating of the program).

128. Part 2A is one of the three positive security obligations for critical infrastructure assets in the SOCI Act. The other elements are the notification of cyber security incidents (Part 2B of the SOCI Act, inserted by the SLACI Act) and maintaining the register of critical infrastructure assets (Part 2 of the SOCI Act).
Section 30AB Application of this Part

129. New section 30AB of the SOCI Act provides that the requirement to have, and comply with, a critical infrastructure risk management program under Part 2A applies to a critical infrastructure asset if either of the following applies:
• the asset is specified in the rules (made by the Minister under section 61 of the SOCI Act) (paragraph (1)(a)); or
• the asset is subject to a declaration under section 51 of the SOCI Act (being a private declaration that an asset is a critical infrastructure asset) and the declaration determines that Part 2A applies to the asset under new paragraph 51(2A)(b) (paragraph (1)(b), see also item 70).

130. This effectively works as an 'on switch' through which the Minister can ensure that this positive security obligation only applies to critical infrastructure assets that are not subject to other regulatory schemes of a similar nature.

131. As at the time of introduction of the Bill, it is proposed that the critical infrastructure risk management program obligation in Part 2A will initially be applied to asset classes where there are not already sufficient regulatory or administrative arrangements in place. The proposed asset classes are listed below:
• critical electricity assets;
• critical energy market operator assets;
• critical gas assets;
• critical liquid fuels assets;
• critical water and sewerage assets;
• critical financial market infrastructure assets that are a critical payment system (other critical financial market infrastructure assets will not be captured);
• critical data storage or processing assets;
• critical hospital assets;
• critical domain name system assets;
• critical broadcasting assets.
132. Given the current supply chain impacts arising from COVID-19, Part 2A would not be applied to the following asset classes until at least 1 January 2023:
• critical freight services assets;
• critical freight infrastructure assets; and
• critical food and grocery assets.

133. Section 30AB allows for a nuanced, sector-specific or asset-specific approach to be taken to the application of the obligations contained in new Part 2A. In determining whether to make rules to apply the obligations to certain critical infrastructure assets, the Minister is likely to consider whether any existing requirements or arrangements appropriately deliver the same outcomes as intended by the critical infrastructure risk management program.

134. Critical education assets are an example of a class of critical infrastructure asset with appropriate regulatory requirements or arrangements in place. The Australian Government and Australia's higher education providers have jointly formed the University Foreign Interference Taskforce (UFIT) to enhance safeguards against the risk of foreign interference. The UFIT will deliver the same outcomes as intended by the critical infrastructure risk management program obligation for critical education assets. Therefore Government does not intend to 'switch on' any of the positive security obligations (including Part 2A) for critical education assets.

135. This reflects the range of regulatory obligations that already exist in relation to some classes of critical infrastructure assets, as well as the obligations that may exist in relation to future critical infrastructure assets that are identified, and the Government's commitment to avoid duplicating regulation. However, should these alternative regulatory regimes be found wanting, Government will reserve the ability to 'switch on' any or all of the positive security obligations, including the critical infrastructure risk management program (Part 2A), to address any gaps and ensure that entities are subject to suitable and reasonable regulation.

136. A note to subsection (1) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

137. This note has been included to clarify that the Minister has the discretion to specify in rules that Part 2A applies to:
• all critical infrastructure assets;
• a category of critical infrastructure assets, such as critical broadcasting assets;
• a subset of assets within a category of critical infrastructure assets, such as liquid fuel pipelines that are critical liquid fuel assets; or
• a specific asset that is a critical infrastructure asset.

138. In addition to the power to make this instrument under section 30AB, subsection 33(3) of the Acts Interpretation Act provides that where an Act confers a power to make, grant or issue any instrument of a legislative or administrative character (including rules, regulations or by-laws), the power shall be construed as including a power exercisable in the like manner and subject to the like conditions (if any) to repeal, rescind, revoke, amend, or vary any such instrument.

139. Subsection 30AB(2) provides that the application provision in subsection (1) is subject to the exemptions listed in subsections (3), (4), (5) and (6).

Subsection 30AB(3)--Exemption (delayed commencement)

140. Subsection 30AB(3) outlines that the rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period beginning when the asset became a critical infrastructure asset (paragraph (a)) and ending at a time ascertained in accordance with the rules (paragraph (b)). This is intended to provide the ability to offer a delayed commencement when an asset becomes a critical infrastructure asset to which the Part applies, allowing the responsible entity a reasonable period to adjust its business.

Subsection 30AB(4)--Exemption (where a critical infrastructure asset is certified strategic under the hosting certification framework)

141. Subsection 30AB(4) provides that Part 2A of the SOCI Act does not apply to a critical infrastructure asset where:
• an entity holds a certificate of hosting certification (strategic level) under the Commonwealth's hosting certification framework (HCF) that relates to one or more services the entity provides (paragraphs (a) and (b)); and
• a critical infrastructure asset, or a part of a critical infrastructure asset, is used in connection with the provision of the certified services (paragraph (c)); and
• the entity is the responsible entity for the critical infrastructure asset (paragraph (d)).

142. Subsection (4) was not included in the 2020 Bill. Consistent with recommendation 7 and paragraph 3.49 of the PJCIS report, this exemption is inserted to minimise the regulatory overlap between the critical infrastructure risk management program obligation and the HCF, in response to feedback received from the data storage and processing sector.

143. While the exemption under subsection (4) is intended to minimise the regulatory overlap between the critical infrastructure risk management program obligation and the HCF, it will not apply to all facilities held by a responsible entity. Responsible entities for assets in the data storage and processing sector will still be required to comply with any rules made under Part 2A for facilities that do not hold a certificate of hosting certification (strategic level) under the HCF.

144. More information about the HCF is available at https://www.dta.gov.au/our-projects/hosting-strategy/hosting-certification-framework.

145. A note to this subsection indicates to the reader that a critical infrastructure asset that is captured by subsection 30AB(4) is subject to an annual reporting obligation outlined in Part 2AA of the SOCI Act.

Subsection 30AB(5)--Exemption (entity subject to a prescribed statutory scheme)

146. In addition to the recognition of the HCF as a suitable alternative framework to the critical infrastructure risk management program obligation, subsections 30AB(5) and (6) of the SOCI Act provide for additional regimes to be exempt from Part 2A but subject to a reduced annual reporting obligation specified in Part 2AA.

147. Subsection 30AB(5) provides that a critical infrastructure asset is exempt from Part 2A where:
• an entity is covered by a provision of a Commonwealth, State or Territory law (paragraph (a)); and
• the provision is specified by the Minister in rules made under section 61 (paragraph (b)); and
• the entity is the responsible entity for a critical infrastructure asset (paragraph (c)).

148. This provision will allow the Minister to prescribe any future statutory schemes that apply to a responsible entity and that impose a regulatory scheme akin to the critical infrastructure risk management program obligation.

Subsection 30AB(6)--Exemption (critical infrastructure asset subject to a prescribed statutory scheme)

149. Subsection 30AB(6) provides that a critical infrastructure asset is exempt from Part 2A where:
• the asset is covered by a provision of a Commonwealth, State or Territory law (paragraph (a)); and
• the provision is specified by the Minister in rules made under section 61 (paragraph (b)).

150. As with subsection (5) above, this provision will allow the Minister to prescribe any future statutory schemes that apply to a critical infrastructure asset and that impose a regulatory scheme akin to the critical infrastructure risk management program obligation.

Section 30ABA Consultation--rules

151. New section 30ABA of the SOCI Act sets out consultation requirements in relation to rules made under subsection 30AB(1), (5) or (6). These are the rules that determine whether a responsible entity for a critical infrastructure asset must comply with the requirement to adopt and maintain a critical infrastructure risk management program, or is instead exempt and subject to the obligation in Part 2AA.

Subsection 30ABA(1)--Scope

152. Subsection (1) provides that section 30ABA applies to rules made for the purposes of section 30AB of the SOCI Act, including rules made for subsections (1), (5) and (6).

Subsections 30ABA(2)-(3)--Consultation

153. Subsection (2) provides that, before making or amending rules for the purposes of section 30AB, the Minister must do all of the following:
• cause to be published on the Department's website a notice setting out the draft rules or amendments and inviting persons to make submissions to the Minister about the draft rules or amendments within the period of time specified in the notice (paragraph (a)), which under subsection (3) must be at least 28 days;
• give a copy of the notice to each First Minister (paragraph (b)); and
• consider any submissions received under paragraph (a) (paragraph (c)).

154. This consultation requirement will ensure that the critical infrastructure risk management program obligation is only activated after entities have been provided with an opportunity to make submissions to the Government about why applying this obligation is, or is not, necessary, and will give entities early warning so that they can adjust their businesses without undue burden.

155. The Bill newly includes the obligation for the Minister to consider submissions received in response to consultation prior to making rules, consistent with PJCIS recommendation 7 and paragraph 3.49 as well as feedback from industry stakeholders.

Section 30AC Responsible entity must have a critical infrastructure risk management program

156. New section 30AC of the SOCI Act provides that an entity that is the responsible entity for one or more critical infrastructure assets to which Part 2A applies (hereafter referred to as a Part 2A asset) must adopt and maintain a critical infrastructure risk management program that applies to the entity. This requirement will ensure responsible entities develop a nuanced, comprehensive understanding of the hazards and risks that may affect the availability, confidentiality, reliability and integrity of the relevant critical infrastructure asset.

157. The purpose of section 30AC is to require responsible entities to develop and keep a written program that satisfies the requirements outlined in new section 30AH.

158. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure responsible entities adopt and maintain a critical infrastructure risk management program, noting their importance to Australia's economy, security and sovereignty. This penalty is commensurate with the penalty for non-compliance with the obligation on aviation and maritime industry participants to have security programs under the Aviation Transport Security Act 2004 (ATSA) and Maritime Transport and Offshore Facilities Security Act 2003 (MTOFSA). The penalty reflects the significance of this program in uplifting core security practices of critical infrastructure assets and the onus on responsible entities to proactively identify, prevent and mitigate risks from all hazards.

159. To reduce the administrative burden for entities responsible for more than one critical infrastructure asset, it is permissible under this section for entities to:
• have a single written program for all Part 2A assets for which they are the responsible entity; or
• have a number of documents that, in concert, meet the requirements of section 30AH for all Part 2A assets for which they are responsible.

160. While the purpose and requirements for the critical infrastructure risk management program are outlined at section 30AH, new Part 2A of the SOCI Act does not mandate how responsible entities should go about developing their program. This reflects the wide range of complexity in the scope of critical infrastructure assets as well as the spectrum of risk management maturity.

161. Government's intention is that responsible entities will have discretion as to how they develop a critical infrastructure risk management program. This recognises industry's expertise and deep knowledge of the unique challenges faced by each critical infrastructure asset and ensures there is no unnecessary regulatory burden. Support and guidance will be provided to industry through non-regulatory processes (such as the ongoing engagement with industry through the Trusted Information Sharing Network) and other guidance.

Section 30AD Compliance with critical infrastructure risk management program

162. New section 30AD of the SOCI Act provides that if an entity is the responsible entity for one or more Part 2A assets and has adopted a critical infrastructure risk management program under section 30AC, the entity must comply with the program, including any variations to the program.

163. Section 30AD is an extension of section 30AC. It is intended to ensure that responsible entities are not only required to put in place a critical infrastructure risk management program, but must also effectively implement that program: actively maintaining the security and resilience of their asset and, where the process of adopting the program has identified hazards and risks to be minimised or mitigated, uplifting it.

164. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure responsible entities comply with their critical infrastructure risk management program. This penalty is commensurate with the penalty for non-compliance with the obligation on aviation and maritime industry participants to comply with security programs under the ATSA and MTOFSA, and reflects the importance of applying a program designed to prevent and mitigate risks from the harms identified.

Section 30AE Review of critical infrastructure risk management program

165. New section 30AE of the SOCI Act provides that if an entity is the responsible entity for one or more Part 2A assets and has adopted a critical infrastructure risk management program that applies to the entity, then the entity must also review the program on a regular basis.

166. A definitive timeframe within which the program must be reviewed is not specified in this section. This reflects the different threat environments faced by the various critical infrastructure assets and is intended to allow the responsible entity greater discretion to determine the frequency with which review should occur, noting they are best placed to understand the context of the environment in which the asset operates. The frequency may also change over time as the characteristics of the asset, its interdependencies, the market, or threats change or fluctuate. This approach is intended to prevent unnecessary burden being placed on industry to review the program in a manner disproportionate to their context. The Department will work closely with industry to develop guidance to assist them in determining the application of the provision to their unique circumstances.

167. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure responsible entities review their critical infrastructure risk management program. The penalty reflects the importance of keeping risk management programs up-to-date and accurate.

Section 30AF Update of critical infrastructure risk management program

168. New section 30AF of the SOCI Act provides that if an entity is the responsible entity for one or more Part 2A assets and has adopted a critical infrastructure risk management program that applies to the entity, then the entity must take all reasonable steps to ensure that the program is up to date. This obligation to update the program complements the obligation in section 30AE to regularly review the program.

169. Meaningful uplift of the security and resilience of critical infrastructure assets will only occur if the risk management program's articulation of material risks and mitigation strategies remains current. It is therefore vital that responsible entities review their risk management program on a regular basis and take reasonable steps to ensure it is kept up to date. This ensures risk is being continually assessed and managed by the entity rather than taking a 'set and forget' approach to risk management.

170. The Bill does not define 'reasonable steps' in section 30AF, as it will depend on the individual circumstances of each entity, their security environment and the extent of the updates required. The provision is intended to ensure risk management programs are regularly reviewed and updated in response to evolving technology, business circumstances and changes in the threat environment.

171. Collectively, sections 30AD to 30AF of the SOCI Act are designed to reflect the overall life cycle of an effective risk management program.

172. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. The penalty is designed to deter non-compliance and to ensure responsible entities update their critical infrastructure risk management program. The penalty reflects the importance of keeping risk management programs up-to-date and accurate, noting the significant role these programs play in protecting critical infrastructure.

Section 30AG Responsible entity must submit annual report

173. New section 30AG of the SOCI Act sets out that a responsible entity that has adopted a critical infrastructure risk management program under section 30AC must submit an annual report to the relevant Commonwealth regulator (if one has been prescribed in relation to the Part 2A asset, see from paragraph 177) or, in any other case, the Secretary.

Subsection 30AG(1)--Scope

174. Subsection (1) provides that section 30AG applies to an entity if, during a period (known as the 'relevant period') that consists of the whole or a part of a financial year:
• the entity was the responsible entity for one or more critical infrastructure assets (paragraph (a)), and
• the entity had a critical infrastructure risk management program (paragraph (b)).

175. This is intended to capture those entities that were responsible for the asset at any point during the relevant period.

Subsections 30AG(2)-(3)--Annual report

176. Under subsection (2), an entity that falls within subsection (1) is required to provide an annual report that meets the requirements outlined in paragraphs (c), (d), (e) and (f) within 90 days after the end of the financial year. This obligation does not require the responsible entity to provide the full critical infrastructure risk management program to the regulator or the Secretary, but rather a statement that the program remains up to date, together with details about any hazards that have had a significant impact on the asset during the reporting period.

177. The report must be given to the relevant Commonwealth regulator. A 'relevant Commonwealth regulator' will be specified in Ministerial rules, which will be a legislative instrument publicly available on the Federal Register of Legislation. If there is no 'relevant Commonwealth regulator' specified, the annual report must be provided to the Secretary (paragraph (2)(b)).

178. It is Government's preference for any relevant existing Commonwealth regulatory bodies and authorities to enforce compliance with Part 2A. These regulators are likely to have well-established relationships with industry, and may have an extensive understanding of the threat environment.

179. For this reason, and to facilitate their oversight role, paragraph (2)(a) ensures these regulatory bodies or authorities have visibility and awareness of the threat environment in the relevant sector and of whether entities are complying with the requirements under Part 2A, and can provide assistance and guidance as required. Where no relevant Commonwealth regulator exists, the Department of Home Affairs will be the default regulator.

180. An annual report is required to:
• include a statement as to whether or not the program was up to date at the end of the financial year, if the entity had the program in place at that time (paragraph (2)(c));
• include a statement about any hazard that had a significant impact on one or more Part 2A assets (paragraph (2)(d));
• be in the approved form (paragraph (2)(e)); and
• if the entity has a board, council or other governing body, be approved by the board, council or other governing body, as the case requires (paragraph (2)(f)).

181. It is expected that the most substantial information will need to be provided under paragraph (2)(d). Under this provision, if a hazard had a significant relevant impact on one or more assets during the relevant period, the annual report is also required to include a statement that identifies the hazard, evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets concerned, and outlines any variation to the critical infrastructure risk management program that is made as a result of the occurrence of the hazard.

182. Provision of this information to the regulator will give the regulator an opportunity to engage with the responsible entity to determine if the entity requires further assistance and guidance to update its program. This information will allow Government to build a collective picture of the nature of threats impacting on critical infrastructure across all sectors, and will inform and support the sharing of information and expertise on how those threats are best managed by government and industry in partnership.

183. For the purpose of paragraph (2)(d), the definition of 'relevant impact' already established in subsection 8G(1) of the SOCI Act will apply, being a direct or indirect impact on the availability, integrity, reliability or confidentiality of the critical infrastructure asset. Such an impact could fundamentally undermine the intended operation or functioning of an asset, or put at risk the sensitive information and personal information held by the asset.

184. It is not intended that entities will be required to report day-to-day incidents. The requirement in paragraph (2)(d) is intended to only require information to be provided about incidents that have had a significant relevant impact. The term 'significant' is not defined, and the Department will work with responsible entities to provide guidance about this obligation.

185. What is regarded as significant for the purpose of paragraph (2)(d) will vary between assets and across sectors, and it will be up to the entity to determine when a relevant impact is significant for the purposes of this reporting obligation. It is expected that a significant impact would include one that affected the functioning of the asset or its ability to deliver intended services. In determining the significance of a relevant impact, entities should have regard to whether the relevant impact has:
• a genuine impact on the availability of the asset, or services delivered by the asset (noting that the nature and duration of impact will differ across assets and sectors), such as would occur during a significant ransomware attack. This type of cyber attack can cripple organisations that rely on computer systems to function, by encrypting files and folders across connected devices and rendering systems inaccessible;
• an impact that caused harm to customers or end-users, such as a serious cyber attack on a financial institution rendering customers and businesses unable to access their funds or utilise electronic payment methods, impairing their ability to engage in commerce; or
• a detrimental impact on information security which has undermined the integrity of, or led to the loss, theft or unauthorised access of, sensitive information or personal information, such as a significant data breach.

186. The circumstances listed above are intended to provide illustrative examples of the types of relevant impacts that may be significant. Entities must undertake their own analysis and consider their particular circumstances and operations to determine what is considered to be a significant relevant impact for their asset. The Department will also work with industry to provide sector-specific guidance on what may be considered to be a significant relevant impact for this purpose.

187. The annual report must also be in the approved form (paragraph (2)(e)). The 'approved form' is defined in section 5 of the SOCI Act to be a form approved by the Secretary of the Department of Home Affairs. The approved form will be made publicly available on the Cyber and Infrastructure Security Centre's website (www.cisc.gov.au).

188. If the entity has a board, council or other governing body, the report must be approved by that body (paragraph (2)(f)). This requirement will ensure that there is appropriate visibility and responsibility within the senior management of the entity. Approval must occur in accordance with the respective practices of the body.

189. Breach of the obligation to provide an annual report that accords with paragraphs (2)(c) to (f) is subject to a civil penalty of up to 150 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance and to ensure responsible entities comply with their reporting obligation. This penalty is commensurate with the penalty for non-compliance with the reporting obligations on aviation and maritime industry participants under the ATSA and MTOFSA. The penalty reflects the importance of governing bodies certifying that appropriate risk management practices are in place and that security is being considered by the most senior officers for these assets.

190. Subsection (3) provides that a report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of the SOCI Act. This means that the 'relevant Commonwealth regulator' (if applicable) or the Department cannot rely on information provided in the annual report to take compliance action against a responsible entity under the SOCI Act, including in relation to the obligations outlined in new sections 30AC, 30AD, 30AE and 30AF.

191. Subsection 30AG(3) is necessary to provide industry with assurance that the annual report will only be used to better understand the threat environment in each sector and for matters related to providing meaningful assistance and advice to entities on ways to further enhance the security and resilience of critical infrastructure assets.

192. In the absence of subsection 30AG(3), entities would potentially be obliged to provide information in the annual report that may subject them to civil proceedings for contravention of a civil penalty provision of the SOCI Act. On balance, excluding use of this information in civil proceedings under the SOCI Act will be in the public interest by ensuring that industry is not discouraged from providing complete information in accordance with the requirements of the Bill. This will benefit the public by contributing to the protection of critical infrastructure assets on which the public rely.

Section 30AH Critical infrastructure risk management program

193. New section 30AH of the SOCI Act defines the requirements for a critical infrastructure risk management program. Adoption of and compliance with a critical infrastructure risk management program will ensure responsible entities have a comprehensive understanding of the threat environment, and develop processes and procedures to effectively respond to the risk of any hazard impacting the availability, confidentiality, reliability and integrity of their asset.

194. Under subsection (1), a critical infrastructure risk management program is a written program that applies to the responsible entity for one or more Part 2A assets. There is no requirement for this program to be in any specific form, other than in writing. This ensures responsible entities are able to determine the most appropriate form for their risk management program, including building on existing business enterprise risk management practices. It is permissible for a responsible entity for multiple critical infrastructure assets to adopt a combined critical infrastructure risk management program for those assets, noting that the program must address the risks associated with each individual asset to meet the requirements of this section.

195. The purpose of the critical infrastructure risk management program is threefold:
• to identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset (subparagraph (1)(b)(i));
• so far as it is reasonably practicable to do so, to minimise or eliminate any material risk of such a hazard occurring (subparagraph (1)(b)(ii)); and
• so far as it is reasonably practicable to do so, to mitigate the relevant impact of such a hazard on the asset (subparagraph (1)(b)(iii)).

196. Each of these purposes is outlined further under separate headings below.

Subparagraph 30AH(1)(b)(i)--Identifying each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset

197. A hazard in the context of a critical infrastructure risk management program is intended to mean an event that, alone or in combination with other events, has the potential to give rise to risk. This broad interpretation (consistent with best practice international risk management doctrine) reflects the diversity of critical infrastructure assets that may be subject to the obligation. That is to say, a hazard can be human induced (for example, a cyber attack or sabotage) or natural (for example, an extreme weather event).

198. This all-hazards approach is intended to ensure the obligations can evolve effectively in response to changing technology and threat environments, by ensuring the focus of a risk management program is on the impacts of a hazard on the asset, as opposed to prescriptively listing the source of the hazard.

199. A 'relevant impact' of a hazard on a critical infrastructure asset is defined in current subsection 8G(1) of the SOCI Act to be the impact (whether direct or indirect) of the hazard on the availability, integrity or reliability of the asset, or the confidentiality of information about the asset, stored in the asset, or computer data.

200. While there may be hazards which impact a critical infrastructure asset in other ways, these impacts are crucial to the secure operation of the asset and its continuous provision of essential services. Importantly, a critical infrastructure risk management program does not require the entity to identify every single hazard that could pose a risk of having a relevant impact on the asset. Rather, the obligations are limited to those hazards that pose a material risk of having a relevant impact on the asset.

201. The term 'material risk' is not defined, and the Department will work with responsible entities to provide guidance about identifying material risks to their business in accordance with subsection 30AH(7), which provides that, in making a determination about whether or not a risk is a material risk, the entity must have regard to:
• the likelihood of the hazard occurring (paragraph (7)(a)); and
• the relevant impact of the hazard on the asset if the hazard were to occur (paragraph (7)(b)).

202. Subsection (7) is intended to adopt the commonly-known method of assessing risk as a function of likelihood and potential outcome. Hazards which are incredibly improbable, even if the potential outcome would be significant, or which would have an inconsequential impact, even though highly likely, are unlikely to be considered material risks.

203. For example, an asset that is hundreds of kilometres inland would not be required to take steps to mitigate the significant physical impact of a tsunami on the asset. This is not to say that an unlikely event that would have a substantial impact would never be regarded as a material risk. The hazards that the COVID-19 pandemic (a once-in-a-century event) may pose to the availability of workforce and the day-to-day operations of an asset are an example of an unlikely event with such a significant outcome that it could still be assessed as a material risk and therefore need to be addressed in a critical infrastructure risk management program.

204. Having had regard to these factors, the entity must ultimately consider which risks may be material. The approach taken to this obligation is deliberately not prescriptive, acknowledging that the entity responsible for the asset will be best placed to understand the operating environment of, and threats to, their asset(s), with guidance from Government. Therefore it is for the responsible entity to undertake this risk identification process, in line with existing processes inside the business, to determine how to understand and manage material risk.

Subparagraph 30AH(1)(b)(ii)--Minimise or eliminate any material risk of such a hazard occurring

205. Under this provision, a critical infrastructure risk management program must outline how a responsible entity will minimise or eliminate the material risk of a hazard occurring. The provision is qualified to provide that this must occur so far as it is reasonably practicable to do so. This qualification is intended to recognise that the responsible entity may not be able to minimise or eliminate the risk of a hazard occurring; for example, no reasonable steps could be taken to prevent a cyclone occurring.

206. This feature of the critical infrastructure risk management program recognises the importance of prevention in risk management. For example, a responsible entity for a critical infrastructure asset may have the ability to dramatically reduce the risk of a cyber security incident occurring by developing and installing software designed to uplift information security.

Subparagraph 30AH(1)(b)(iii)--Mitigate the relevant impact of such a hazard on the asset

207. Under this provision, a critical infrastructure risk management program needs to outline appropriate procedures that the responsible entity has, or will, put in place to mitigate the relevant impact of a hazard should it occur. Such procedures are limited to those reasonably practicable, noting that minimisation or elimination efforts may not be foolproof.

208. For example, while a material risk of a cyclone occurring may not be able to be minimised or eliminated, an entity should be actively taking steps to mitigate the impact should one occur, by ensuring any critical buildings are built and maintained to an appropriate standard to withstand such an event.

209. What mitigations are implemented will depend on the context of a Part 2A asset, the relevant impact and the material risk of a hazard occurring. This provision is intended to be flexible and adaptable, while nevertheless requiring the responsible entity to achieve the required security objectives.

Paragraph 30AH(1)(c)--Critical infrastructure risk management program must comply with requirements specified in the rules

210. Under paragraph 30AH(1)(c), the critical infrastructure risk management program must comply with any requirements specified in rules made by the Minister under section 61 of the SOCI Act. Any such rules will be a legislative instrument and publicly available on the Federal Register of Legislation (www.legislation.gov.au). Subsections (2)-(12) provide further clarity as to the scope of this rule-making power, including that the rules may be of general application or may relate to one or more specified critical infrastructure assets (subsection (2)).

211. These rules will be used to provide further requirements on how the principles-based obligations set out in subparagraphs (1)(b)(i)-(iii) are to be implemented. Noting the array of critical infrastructure assets that may be subject to the obligation to adopt and maintain a critical infrastructure risk management program, now and into the future, this mechanism will be crucial for ensuring the program is implemented in a risk-based and proportionate manner while still achieving the desired security outcomes and avoiding any unnecessary burden.

212. A note to subsection (2) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

213. Subsection (3) outlines that subsection (2) of section 30AH does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act. This means that subsection 33(3A) of the Acts Interpretation Act, which generally provides that a power to make a legislative instrument in relation to a matter includes a power to make an instrument with respect to only some of those matters or with respect to a particular class or classes of those matters, and to make different provision with respect to different matters or classes of matters, continues to apply.

214.
Subsection (6) sets out the factors that the Minister must have regard to in specifying the rules for the purposes of paragraph (1)(c): • any existing regulatory system of the Commonwealth, a State or a Territory that imposes obligations on responsible entities (paragraph (a)); • the costs that are likely to be incurred by responsible entities in complying with those rules (paragraph (b)); • the reasonableness and proportionality of the requirements in relation to the purposes referred to in paragraph (1)(b) (paragraph (c)); and • such other matters (if any) as the Minister considers relevant (paragraph (d)). 215. This requirement is intended to ensure that any rules made for the purposes of the critical infrastructure risk management program are appropriate in all the circumstances while avoiding unnecessary duplication and regulatory burden. 44


Subsections 30AH(4)-(5)--Rules may provide for the conduct of background checks under the AusCheck scheme

216. Subsection (4) provides that rules made for the purpose of paragraph (1)(c) may require that a critical infrastructure risk management program include one or more provisions that:
• permit a background check of an individual to be conducted under the AusCheck scheme (paragraph (a));
• provide that such a background check must include assessment of information relating to one or more of the matters mentioned in paragraphs 5(a), (b), (c) or (d) of the AusCheck Act--relating respectively to a criminal history check, an ASIO security assessment, an immigration status check and an identity check (paragraph (b));
• provide that if a background check includes a criminal history check pursuant to paragraph 5(a) of the AusCheck Act--the criteria must be assessed against rules made under paragraph 30AH(1)(c) of the SOCI Act (paragraph (c)); and
• if the background check includes an identity check pursuant to paragraph 5(d) of the AusCheck Act--provide for how that check will be conducted, as an electronic identity verification check, an in-person identity verification check, or both (paragraph (d)).

217. Subsection (5) clarifies that subsection (4) does not limit paragraph (1)(c).

218. The amendments to the AusCheck Act 2007 provided in items 1 and 2 of Schedule 1 to this Bill, read together with these provisions, will provide for background checks to be conducted for individuals who are associated with Part 2A assets. It is intended that responsible entities will identify the positions, employees, contractors and agents who are critical to sensitive aspects of their business, and have the ability to use an AusCheck background check as a mitigation against these individuals having a relevant impact on their Part 2A asset(s).

219. Any rules made providing for the conduct of background checking will focus on addressing the hazard that trusted insiders pose to critical infrastructure assets. Trusted insiders are potential, current or former employees or contractors who have legitimate access to information, techniques, technology, assets or premises. Trusted insiders can intentionally or unknowingly assist external parties to conduct malicious activities or, in the most extreme circumstances, can commit intentional acts of self-interest. The hazards that trusted insiders represent can undermine or severely impact the availability, integrity, reliability or confidentiality of critical infrastructure assets and, as a result, may undermine Australia's social or economic stability, defence and national security.

Subsections 30AH(8)-(12)--Deeming provisions

220. Subsection (8) outlines that rules made for paragraph (1)(c) may provide that a specified risk is taken to be a material risk for the purpose of section 30AH. This means that the rules may deem a particular risk as one that must be addressed in a critical infrastructure risk management program in accordance with paragraph (1)(b).

221. Subsections (9) to (12) outline that the rules made under paragraph (1)(c) may provide that the taking of specified action:
• in relation to a critical infrastructure asset, or to a specified critical infrastructure asset, is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset (subsections (9) and (10)), which means that the rules can specify matters in relation to critical infrastructure assets generally and specifically for the purpose of subparagraph (1)(b)(ii); and
• in relation to a critical infrastructure asset, or to a specified critical infrastructure asset, is taken to be an action that mitigates the relevant impact of a specified hazard on the asset (subsections (11) and (12)), which means that the rules can specify matters in relation to critical infrastructure assets generally and specifically for the purpose of subparagraph (1)(b)(iii).

222. Notes to subsections (9) to (12) refer the reader to subsection 13(3) of the Legislation Act, which allows for rules to be made under these subsections in relation to a specified class of critical infrastructure assets.

223. Broadly speaking, rules may be made under subsections 30AH(9)-(12) in three circumstances:
• to mandate the steps responsible entities should be taking through their critical infrastructure risk management program to address a particular risk. The purpose of this provision is to ensure that Government can, when appropriate, direct specific action when it is necessary to assist entities with maintaining the security and resilience of their asset;
• to provide 'safe harbour' by specifying that the taking of certain actions will acquit the entity of a specific obligation. This may be used, for example, where duplicate obligations exist in relation to a particular hazard to ensure the entity is not required to take two different courses of action. This could be used to recognise existing industry standards and practices as sufficient to meet aspects of the obligation. The Government intends to work with industry and State and Territory governments to identify and leverage existing regulations, frameworks and guidelines to manage risks to critical infrastructure assets, and to minimise any duplication or unnecessary burden; and
• to de-conflict requirements for entities with assets which fall within more than one definition of critical infrastructure asset.

Rules have been prepared after consultation with industry

224. In relation to this rule-making power, the Department has undertaken several rounds of consultation to 'co-design' rules to be made under paragraph (1)(c) after commencement of the Bill. This process commenced after the introduction of the 2020 Amendment Bill, and was completed pursuant to recommendation 7 and paragraph 3.49 of the PJCIS report.

225. A detailed consultation process with industry was conducted.
• The Department commenced its industry co-design on the Risk Management Program in March 2021, with the development of sector-agnostic governance rules. The overarching rules set out broad obligations for the management of risk.
• The Department conducted four town halls and seven workshops in March 2021 in developing the governance rules. During this consultation period, the Department listened to over 1,350 representatives from peak bodies, regulators, state and territory government partners, and industry stakeholders.
• The Department continued its industry co-design from April 2021 until October 2021 on sector-specific risk management program rules with the Electricity, Gas, Data Storage or Processing and Water asset classes. The objective of this consultation was to assess whether regulation existed that met the risk management program objectives under Part 2A, to ensure the regulatory burden was reduced where possible and to ensure there were rules in place that would drive an uplift in the security and resilience of critical infrastructure assets.
• Following detailed consultation with the electricity, gas, data storage or processing, water, and sewerage asset classes, the Department identified significant commonalities across sectors regarding standards and principles, timing and business impact.
• The Department also recognised the clear call from industry to the PJCIS for more clarity and certainty around the risk management program rules.
• As a result, the Department developed a set of clear, principles-based, sector-agnostic rules, which work in concert with the previously agreed cross-sectoral governance rules. The sector-agnostic rules amalgamated the standards and principles from across the sector-specific risk management program rule hazard vectors into a consolidated approach.
• The Department finalised consultation on the sector-agnostic risk management program rules in December 2021 with over 2000 industry stakeholders from all impacted asset classes. The final town hall was attended by approximately 800 industry and Government stakeholders across the 11 critical infrastructure sectors affected by risk management program rules.

226. After considering the information provided during extensive consultation with industry, Government recognises that particular hazards exist across different threat domains but considers that it is vital that a holistic approach is taken when developing a risk management program. The first rules to be made by the Minister under paragraph 30AH(1)(c) will set out the approach to be taken in relation to four primary domains.
• Cyber and information security hazards: Malicious cyber activity is one of the most significant threats to Australian critical infrastructure and can range from denial of service attacks, to ransomware and targeted cyber intrusions.
• Personnel hazards: This refers to the 'insider threat' or the risk of employees exploiting their legitimate access to an organisation's assets for unauthorised purposes including corporate espionage and sabotage.
• Supply chain hazards: The reliance on supply chains inherently involves dependencies on other assets, or providing other entities with some level of access to, or control of, an asset's or business's deliverables. As is the case for personnel risk, supply chain risks relate to entities exploiting their legitimate access to, or control of, an organisation's assets for unauthorised purposes or otherwise creating a cascading impact to dependent assets.
• Physical and natural hazards: This includes risk of harm to people and damage to physical assets. Examples of hazards in this threat domain include mechanical failures, unauthorised access, interference and control of the asset, as well as natural hazards such as floods and cyclones.

227. An exposure draft of this legislative instrument, which is proposed to be made shortly after the commencement of the Bill under paragraph 30AH(1)(c) and new section 30AKA, is included at Attachment C to this Explanatory Memorandum (the draft Part 2A instrument). An exposure draft of the Explanatory Statement for the draft instrument is included at Attachment D. These documents are incorporated in this Explanatory Memorandum consistent with recommendation 9 of the PJCIS Report.

228. A regulatory impact statement (RIS) is also being conducted in relation to the draft Part 2A instrument. Whilst that document cannot be finalised until the Bill is passed and the rules can be made, a draft RIS informed by extensive consultation with stakeholders has been developed to identify the regulatory impact of these reforms. A final RIS will be published on the Office of Best Practice Regulation website should the Minister make rules under paragraph 30AH(1)(c). The draft RIS weighs the regulatory costs of the RMP rules against the damage to the economy if business underinvests in security and allows breaches to occur. The RIS clearly identifies that the regulatory costs of complying with the critical infrastructure risk management program obligation, as specified in rules, are minimal when compared to the damage to the economy if businesses underinvest in security and allow breaches to occur.

229. Security is part of the cost of doing business. Should one critical infrastructure entity fail to adequately invest in basic security measures, such as those required by these reforms, the impact of an incident is likely to cascade across other sectors of Australia's economy, potentially burdening other entities significantly. The RIS examines the costs and benefits of the requirement for industry to comply with the critical infrastructure risk management program obligation. The detailed costs and benefits analysis also considers the uplift in risk management practices across Australia's critical infrastructure assets, and the resultant cascading improvement in the security and resilience of interconnected critical infrastructure across Australia.

230. The RIS highlights that existing regulatory frameworks and market forces are insufficient to protect critical infrastructure against all-hazard threats in a consistent and coordinated manner across critical infrastructure assets. Government, with its unique ability to regulate across supply chains and on a whole-of-sector basis, is capable of intervening to ensure vulnerabilities in critical infrastructure assets are proactively detected, prevented, and resolved. This is imperative for mitigating the potential impacts of disruption on Australia's social and economic stability, defence, and national security, as well as the reliability and security of other critical infrastructure assets.

231. The RIS identifies that there are multiple factors affecting the regulatory burden for each entity, including their existing risk management practices and capabilities, the nature of the critical infrastructure assets they operate, and the size of their operations. The RIS has identified that, if the critical infrastructure risk management program obligation is introduced, the average expected cost for responsible entities to implement and maintain this obligation across all sectors is currently an average one-off cost of $9 million per entity followed by an average ongoing cost of $3.7 million per annum per entity to maintain compliance. The cost of regulation will be borne by entities responsible for critical infrastructure assets who meet the relevant thresholds. Community organisations and individuals will not be directly affected but there will likely be indirect costs passed on to consumers.

232. The likely benefits of the critical infrastructure risk management program obligation will be at least (and are expected to be more than) the costs of the regulation. This is primarily because the frequency and severity of all-hazard risks for critical infrastructure assets are growing and this increasing severity and frequency of incidents, particularly in the context of growing cybersecurity incidents, represents a risk to the whole economy. The identification, mitigation, and remediation of such hazards, should they occur, will be improved through:
• lowering the material risk of hazards, and subsequent impacts of those hazards, as they manifest for critical infrastructure assets;
• ensuring that the adoption of the critical infrastructure risk management program obligation is reasonable and proportionate to the purpose of the program;
• avoiding regulatory duplication and facilitating coordinated uplift in responsible entities' compliance with relevant standards; and
• improving Government's visibility over the security and resilience of critical infrastructure assets.

233. Detailed economic analysis of costing figures received through the RIS indicates that the potential cost of the required security uplift would be significantly outweighed by the net benefits to the economy as a whole.

Section 30AJ Variation of critical infrastructure risk management program

234. New section 30AJ of the SOCI Act provides that a critical infrastructure risk management program may be varied, so long as the varied program is a critical infrastructure risk management program. This means that a critical infrastructure risk management program may be amended by a responsible entity, so long as the amended program still has the required characteristics as outlined in new section 30AH--including complying with any risk management program rules made for the purpose of paragraph 30AH(1)(c).

235. It is intended that a critical infrastructure risk management program may be varied by a responsible entity where changes are required or desirable as a result of:
• the review of the program on a regular basis under new section 30AE of the SOCI Act;
• changes in the threat environment or an asset's operating environment;
• new rules made for the purpose of section 30AH; or
• ensuring the program is up to date under section 30AF.

Section 30AK Revocation of adoption of critical infrastructure risk management program

236. New section 30AK of the SOCI Act outlines that, if an entity has adopted a critical infrastructure risk management program under section 30AC, Part 2A does not prevent the entity from revoking it and adopting another critical infrastructure risk management program that applies to the entity.

Section 30AKA Responsible entity must have regard to certain matters in deciding whether to adopt or vary a critical infrastructure risk management program

237. A key theme of the information received from industry stakeholders during consultation was that the critical infrastructure risk management program obligation needs to be flexible and adaptable to the business processes and environment of an individual responsible entity. To incorporate this feedback into the critical infrastructure risk management program obligation, consistent with recommendation 8 of the PJCIS, section 30AKA is being newly inserted into Part 2A to allow rules to be made by the Minister under section 61 specifying certain matters that must be considered by a responsible entity when adopting, reviewing and varying their critical infrastructure risk management program.

Subsections 30AKA(1)-(2)--Adoption of program

238. Subsection (1) provides that, if an entity is the responsible entity for one or more Part 2A assets, then the entity must have regard to such matters (if any) that are specified in rules in deciding whether or not to adopt a critical infrastructure risk management program.

239. Breach of the obligation to consider any matters specified in rules under subsection (1) is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to align with the obligation to adopt and maintain a critical infrastructure risk management program under section 30AC.

240. Subsection (2) indicates that subsection (1) does not limit the matters to which the responsible entity may have regard, clarifying that the entity's obligation to adopt a critical infrastructure risk management program that complies with section 30AH of the SOCI Act is not confined to any matters specified in rules under subsection 30AKA(1).

Subsections 30AKA(3)-(4)--Review of program

241. Subsection (3) provides that, if an entity is the responsible entity for one or more Part 2A assets and has adopted a critical infrastructure risk management program for those assets, then the entity must have regard to such matters (if any) that are specified in rules in reviewing the critical infrastructure risk management program under section 30AE.

242. Breach of the obligation to consider any matters specified in rules under subsection (3) is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to align with the obligation to regularly review a critical infrastructure risk management program (that meets the requirements of section 30AH) under section 30AE.

243. Subsection (4) indicates that subsection (3) does not limit the matters to which the responsible entity may have regard, clarifying that the entity's obligation to regularly review a critical infrastructure risk management program that complies with section 30AH of the SOCI Act is not confined to any matters specified in rules under subsection 30AKA(3).

Subsections 30AKA(5)-(6)--Variation of program

244. Subsection (5) provides that, if an entity is a responsible entity for one or more Part 2A assets and has adopted a critical infrastructure risk management program for those assets, then the entity must have regard to such matters (if any) that are specified in rules in deciding whether or not to vary the program.

245. Breach of the obligation to consider any matters specified in rules under subsection (5) is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to align with the obligation to ensure a critical infrastructure risk management program (that meets the requirements of section 30AH) is up to date under section 30AF.

246. Subsection (6) indicates that subsection (5) does not limit the matters to which the responsible entity may have regard, clarifying that the entity's obligation to keep a critical infrastructure risk management program that complies with section 30AH of the SOCI Act up to date under section 30AF is not confined to any matters specified in rules under subsection 30AKA(5).

Subsections 30AKA(7)-(8)--Rules

247. Subsection (7) provides that rules made for subsections (1), (3) or (5) may be of general application, or relate to one or more specified critical infrastructure assets. A note to this subsection refers the reader to subsection 13(3) of the Legislation Act, which further allows for rules to be made under subsections (1), (3) or (5) in relation to a specified class of critical infrastructure assets. Read together, these provisions allow for varying matters to be specified for different types of critical infrastructure assets and industry sectors.

248. Subsection (8) clarifies that subsection (7) does not, by implication, limit the application of subsection 33(3A) of the Acts Interpretation Act.

Draft Part 2A rules

249. The draft Part 2A rules proposed to be made shortly after commencement of the Bill are at Attachment C and an extract of the Explanatory Statement for those rules is at Attachment D--consistent with recommendation 9 of the PJCIS Report.

Section 30AL Consultation--rules

250. New section 30AL of the SOCI Act outlines consultation requirements that must be met by the Minister before making rules for the purpose of paragraph 30AH(1)(c) or subsections 30AKA(1), (3) or (5).

251. The purpose of this section is to embed a requirement for the Minister to undertake a meaningful and genuine consultation process prior to making or amending the risk management program rules. The consultation process may take into account the level of business transformation that may be required, as well as the costs associated with that transformation. The Minister may choose to have an extended period between the making and commencement of rules to allow industry time to consider and implement the legal requirements prescribed within.

252. It is important to note, however, that this statutory consultation period will occur after passage of the Bill. As outlined above, the Department has undertaken extensive consultation with industry on the requirements to be contained in the critical infrastructure risk management program rules since the 2020 Amendment Bill was first introduced.

Subsection 30AL(1)--Scope

253. Subsection (1) provides that section 30AL applies to risk management program rules made for the purpose of sections 30AH and 30AKA. This means that these requirements will apply in relation to any rules prescribed under paragraph 30AH(1)(c) or subsections 30AKA(1), (3) and (5).

Subsections 30AL(2)-(4)--Consultation

254. Subsection 30AL(2) provides that, before making or amending rules under sections 30AH or 30AKA, the Minister must:
• cause to be published on the Department's website a notice setting out the draft rules or amendments, inviting persons to make submissions to the Minister about the draft rules or amendments within the period of time specified in the notice (paragraph (a)), which must be at least 28 days (as outlined in subsection (3));
• give a copy of the notice to each First Minister (paragraph (b)); and
• consider any submissions received within the specified period mentioned in paragraph (a) (paragraph (c))--noting that nothing in this provision is intended to limit the Minister's ability to consider responses received after that period.

255. Paragraph (c) and subsection (3) were not included in the 2020 Amendment Bill; however, they have been inserted in acceptance of recommendation 7 and paragraph 3.49 of the PJCIS report, which relevantly provides that 'any decision or determination made that will affect an entity be amended not only to include the existing consultation by the Minister ... but also require a right of reply by the affected entity and consideration of that reply in the final determination'.

256. Subsection 30AL(4) provides that subsection (2) does not apply if:
• the Minister is satisfied that there is an imminent threat that a hazard will have a significant relevant impact on a critical infrastructure asset (paragraph (a)); or
• the Minister is satisfied that a hazard has had, or is having, a significant relevant impact on a critical infrastructure asset (paragraph (b)).

257. This means that, in the limited circumstances specified in subsection (3), the Minister does not need to meet the notification requirements, and consider submissions received in response to the notice, as outlined in subsection (2).

258. The potential urgency of the situation and the significance of the impact, and the flow-on impacts to Australia's economy, society and defence, warrant this departure from the standard consultation process. However, in such circumstances, the Secretary is required to review the rules after their commencement as outlined in section 30AM (see from paragraph 259) to ensure there is an appropriate consultation process and consideration of the impact of imposing the requirements specified in the rules.

Section 30AM Review of rules

259. New section 30AM of the SOCI Act outlines requirements for the Minister and Secretary in relation to rules made for the purpose of section 30AH when consultation was not able to be undertaken due to the emergency circumstances identified in 30AL(4).

260. The purpose of section 30AM is to ensure that, in rare circumstances where rules are made without consulting industry, the Secretary conducts a comprehensive review, including industry consultation, of the operation, effectiveness and implications of those rules. A report of the review in turn is then provided for scrutiny by the Minister and Parliament.

Subsection 30AM(1)--Scope

261. Subsection (1) provides that section 30AM applies if, because of subsection 30AL(4), subsection 30AL(2) did not apply to the making of rules or amendments to rules under paragraph 30AH(1)(c) or subsections 30AKA(1), (3) or (5).

Subsections 30AM(2)-(5)--Review of rules

262. Subsection 30AM(2) requires that the Secretary must:
• review the operation, effectiveness and implications of the rules or amendments (paragraphs (a) and (b) respectively);
• consider whether any amendments should be made (paragraph (c)); and
• give the Minister a report of the review and a statement setting out the Secretary's findings (paragraph (d)).

263. Under subsection 30AM(3), and for the purpose of completing the review, the Secretary must:
• publish on the Department's website a notice setting out the rules or amendments concerned and inviting persons to make submissions to the Secretary within the period of time specified in the notice (paragraph (a)), which must be at least 28 days (subsection (4));
• give a copy of the notice to each First Minister (paragraph (b)); and
• consider any submissions received within the specified period (paragraph (c)). Nothing in this provision is intended to limit the Secretary's ability to consider responses received after that period, noting however that under subsection (5) the Secretary is required to complete the review within 60 days of the commencement of the rules or amendments concerned.

264. Paragraph (c) was not included in the 2020 Amendment Bill, but is inserted in acceptance of recommendation 7 and paragraph 3.49 of the PJCIS report, which relevantly provides that 'any decision or determination made that will affect an entity be amended not only to include the existing consultation by the Minister ... but also require a right of reply by the affected entity and consideration of that reply in the final determination'.

265. The measures in subsections (2) to (5) are intended to provide transparency for rules made without consultation and provide an effective mechanism for entities to recommend amendments to the rules, in a similar way to what would occur before rules are made or varied in non-emergency situations.

266. In practice, the Minister is likely to consider the outcomes of the report and submissions made by industry to determine if the rules should be maintained, amended or repealed. The Minister's decision is likely to be based on:
• whether the rules effectively manage or respond to a hazard that has had, or may have, a significant relevant impact on a critical infrastructure asset; and
• the implications of the rules for industry, including whether the requirements are duplicative, disproportionate or unnecessarily burdensome or costly.

Subsection 30AM(6)--Minister to table statement of findings

267. Subsection 30AM(6) requires the Minister to table a copy of the statement of findings in each House of Parliament within 15 sitting days of the Minister receiving the statement. This ensures that the statement will be publicly available, free of charge, from the Australian Parliament House website and available for debate by Members and Senators.

Section 30AN Application, adoption or incorporation of a law of a State or Territory etc.

268. New section 30AN of the SOCI Act modifies the application of subsection 14(2) of the Legislation Act in relation to any rules made under subsection 30AH(1) or subsection 30AKA(1).

269. Subsection 14(2) of the Legislation Act generally provides that a legislative instrument, such as rules that may be made by the Minister under new section 30AH of the SOCI Act, may not make provision in relation to a matter by applying, adopting or incorporating any matter contained in an instrument or other writing as in force from time to time. This applies to matters such as State and Territory laws and Australian standards.

270. A common request from industry throughout the consultation process on this Bill and the risk management program rules was that the framework should, wherever possible, be consistent with, and evolve alongside, existing industry best practice in order to reduce regulatory burden while achieving the desired security outcomes.

Subsection 30AN(2)--Application, adoption or incorporation of a law of a State or Territory

271. Subsection (2) provides that, despite subsection 14(2) of the Legislation Act, rules made under sections 30AH or 30ANA may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a law of a State or Territory as in force or existing from time to time.

272. State and Territory laws may duplicate components of critical infrastructure risk management programs. This provision is intended to ensure the rules can effectively recognise those State and Territory laws, to avoid a duplicative regulatory burden being placed on industry. For example, the rules may provide that an action done in compliance with a particular State law that sets security requirements for information technology would be taken as the required action under this Part.

Subsection 30AN(3)--Application, adoption or incorporation of a standard

273. Subsection (3) provides that, despite subsection 14(2) of the Legislation Act, rules made under sections 30AH or 30ANA may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a standard proposed or approved by Standards Australia as in force or existing from time to time. A note to this subsection indicates that the expression 'Standards Australia' is defined in section 2B of the Acts Interpretation Act.

274. This provision may be relied upon to recognise accepted and reputable standards in relation to risk management processes, including as those standards change to accommodate best practice.


275. Subsection (3) is included to allow for the direct recognition of accepted and reputable standards. Standards Australia is a peak standards development body--developing standards, or adopting international standards, across a range of topics--which represent best practice specifications, procedures and guidelines. Therefore, a mechanism to facilitate the incorporation of such standards meets the expectation that the regulatory framework reflects best practice and minimises the regulatory impost on industry.

276. The underlying objective of new Part 2A of the Act is to ensure current and appropriate risk management programs are in place for critical infrastructure assets, and therefore it is vital that any requirements for such programs adapt over time to changing security contexts. In light of this, the provision also recognises that these standards are regularly reviewed and updated to keep pace with emerging technology, risks, threats and so on, ensuring that the regulatory framework remains up to date and fit for purpose.

277. A requirement to update the rules every time a specified standard is changed would be administratively burdensome and would likely result in the law falling behind industry best practice, which is at odds with the principles underpinning the reforms and with recommendation 7 and paragraph 3.49 of the PJCIS report, which relevantly provides that the positive security obligations, including a critical infrastructure risk management program obligation, should be aligned to international standards where possible. In this regard, it is notable that international standards, such as ISO 31000 referred to in the PJCIS report, are commonly adopted as Australian Standards (see AS ISO 31000:2018, available via: https://www.standards.org.au/standards-catalogue/sa-snz/publicsafety/ob-007/as--iso--31000-colon-2018). This aligns with Recommendation 7 and paragraph 3.49 of the PJCIS report, which indicated that the critical infrastructure risk management program should align with international standards wherever possible.

278. Adopting Australian standards as in force from time to time into rules made under sections 30AH and 30AKA is considered by Government to be the best approach to resolving the tension between the law being fit for purpose and minimising regulatory burden, whilst also being publicly available free of charge.

279. On the one hand, and as outlined above, rules under paragraph 30AH(1)(c) may be used to provide 'safe harbour' by deeming certain actions to meet the obligations in the SOCI Act. Rules made for the purposes of subsection 30AH(9) may specify action that is deemed to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset.

280. In practice, this would allow rules to be made which deem specified action, such as compliance with a particular standard, to meet aspects of the obligation. However, the entity would be free to take alternative actions so long as it can ultimately demonstrate that its legal obligations have been met. In effect, compliance with standards specified in these types of rules is not mandatory, as the entity will be free to pursue an alternative approach to ensuring regulatory compliance.


281. Alternatively, it is noted that the rules may be used to establish mandatory requirements. For example, rules made for the purposes of paragraph 30AH(1)(c) may establish mandatory requirements for the critical infrastructure risk management program. The Government recognises the importance of accessibility of mandatory requirements for the fair and effective functioning of the regime.

282. The draft Part 2A rules would incorporate the Australian Standards version of ISO 31000 referred to above. Before making such rules, the Minister is required to consider the costs associated with accessing that standard. In considering these costs, the Minister may take into account a number of factors, such as:
• any responses received during consultation, either supporting or arguing against the incorporation of the Australian standard; and
• the outcomes of the regulatory impact statement process that the Department is currently undertaking in relation to the draft Part 2A rules.

283. Ultimately, the accessibility of the standards will need to be considered on a case by case basis. The Minister or relevant Commonwealth regulator may consider entering into an agreement with Standards Australia to facilitate relevant standards being made available at no direct cost to users, for example, on request or via the portal on the Department's Cyber and Infrastructure Security Centre website. Such arrangements are supported by the Standards Australia Distribution and Licensing Policy Framework (available at: https://www.standards.org.au/getattachment/8b8551a9-e580-4dce-a6d7-6b953b44bf31/Standards-Australia-Distribution-and-Licensing-Policy-Framework-2019.pdf.aspx?lang=en-AU).

284. Standards Australia is also developing new online products, including new paid subscription models for access to standards.

285. This model follows other product and subscription models for other forms of online content, where users pay smaller, ongoing fees for a range of digital services across a wider range of products. These models seek to provide greater value to consumers through increased choice, accessibility and use via digital technologies. Alternatively, and in light of the factors discussed above, it may be considered appropriate for the regulated population to incur the costs of accessing the standards.

286. The safeguards included in the legislation provide an appropriate balance between supporting industry's desire for existing standards to be incorporated and mandating processes to ensure any costs to industry or Government are considered. It is considered that any potential regulatory costs associated with this approach would be minimal compared to the costs of generating new standards where existing, widely accepted standards are already available.


Section 30ANA Application, adoption or incorporation of certain documents

287. Sections 30ANA, 30ANB and 30ANC were not included in the 2020 Amendment Bill, and are newly included in response to industry stakeholder feedback and recommendation 7 and paragraph 3.49 of the PJCIS report. The purpose of these sections is to permit additional documents to be applied, adopted or incorporated as in force from time to time in rules made under paragraph 30AH(1)(c) and subsections 30AKA(1), (3) or (5).

Subsection 30ANA(1)--Application, adoption or incorporation of a relevant document

288. Subsection (1) provides that, despite subsection 14(2) of the Legislation Act, rules made under sections 30AH and 30AKA may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a 'relevant document' as in force or existing from time to time.

289. As outlined in the PJCIS report, a key theme raised by industry stakeholders who would potentially be made subject to the critical infrastructure risk management program obligation is that current best practice should be sufficient to meet the legal requirements in the SOCI Act. The ability to incorporate certain documents as in force from time to time allows best practice guidelines and processes (captured within the definition of 'relevant documents' in subsection (2)) to be adopted as part of a critical infrastructure risk management program.

290. Subsection 30ANA(1) recognises that these documents are regularly reviewed and updated to keep pace with emerging technology, risks, threats and so on, ensuring that the regulatory framework remains up to date and fit for purpose. A requirement to update the rules every time a specified document is changed would be administratively burdensome and would likely result in the law falling behind industry best practice, which is at odds with the principles underpinning the reforms.

Subsections 30ANA(2)-(3)--Relevant documents

291. Subsection (2) lists the documents that can be incorporated, as in force from time to time, in rules made under sections 30AH and 30AKA. The documents are:
• the Essential Eight Maturity Model published by the ASD (paragraph (a)), which at the time of introduction of the Bill is publicly available free of charge on the Australian Cyber Security Centre website: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model; and
• the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America (paragraph (b)), which at the time of introduction of the Bill is publicly available free of charge on the US National Institute of Standards and Technology website: https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11; and
• the Cybersecurity Capability Maturity Model (commonly referred to as the C2M2) published by the Department of Energy of the United States of America (paragraph (c)), which at the time of introduction of the Bill is publicly available free of charge on the US Department of Energy website: https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2; and
• the 2020-21 AESCSF Framework Core published by the Australian Energy Market Operator (AEMO) (paragraph (d)), which at the time of introduction of the Bill is publicly available free of charge on the AEMO website: https://aemo.com.au/en/initiatives/major-programs/cyber-security/aescsf-framework-and-resources; and
• the document titled Cyber Supply Chain Risk Management, also published by the ASD (paragraph (e)), which at the time of introduction of the Bill is publicly available free of charge on the Australian Cyber Security Centre website: https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-supply-chain-risk-management.

292. These documents are published by Australian and US government agencies, and are prepared on the basis of advice from numerous experts in the relevant fields. They represent Australian and international best practice in relation to the management of cyber security risks relating to critical infrastructure assets. Given the speed of development of information technologies, the fact that these documents are highly technical in nature and that changes to policy need to be agile to respond to a rapidly changing threat environment, it is considered appropriate to incorporate these particular documents in rules as those documents are in force from time to time.

293. In addition to the documents specified in paragraphs (2)(a) to (e), paragraph (f) defines a 'relevant document' to include a document that is specified in the rules.
Importantly, this rule-making power is subject to a number of safeguards that afford transparency and parliamentary oversight of the inclusion of any further documents for the purposes of subsection 30ANA(1).
• Subsection (3) excludes the operation of subsection 13(3) of the Legislation Act in relation to these rules--which means that the rules cannot prescribe a class of documents, and each individual document to be specified under paragraph (2)(f) needs to be named individually.
• A detailed consultation process needs to be conducted under section 30ANB before any such rules can be made.
• Any rules made for paragraph (2)(f) cannot commence until the disallowance period for the legislative instrument has concluded under section 30ANC--meaning that both Houses of Parliament, and in particular the Senate Standing Committee for the Scrutiny of Delegated Legislation and other scrutiny committees, will have the opportunity to assess whether or not including the additional document as a 'relevant document' is an appropriate measure before it has legal effect.

294. This subsection will allow the utilisation of relevant standards (including those specific to a particular sector) that relate to mitigating against a range of hazards. This may include (but is not limited to) standards that relate to a range of hazards, such as material risk, personnel hazards or supply chain hazards.

Section 30ANB Consultation--rules made for the purposes of paragraph 30ANA(2)(f)

295. New section 30ANB of the SOCI Act outlines the consultation process that must be conducted before rules may be made by the Minister under paragraph 30ANA(2)(f). It is modelled after the consultation process for other rules made under Part 2A outlined in section 30AL, but without the ability to make rules on an urgent basis in exceptional circumstances.

Subsection 30ANB(1)--Scope

296. Subsection (1) provides that section 30ANB applies to rules made for paragraph 30ANA(2)(f), to specify a document as a 'relevant document' that may be incorporated as in force from time to time in rules made under sections 30AH and 30AKA.

Subsections 30ANB(2)-(3)--Consultation

297. Subsection (2) provides that, before making or amending rules under paragraph 30ANA(2)(f), the Minister must:
• cause to be published on the Department's website a notice setting out the rules or amendments concerned and inviting persons to make submissions to the Secretary within the period of time specified in the notice (paragraph (a)), which must be at least 28 days (subsection (3))
• give a copy of the notice to each First Minister (paragraph (b)), and
• consider any submissions received within the specified period (paragraph (c)).
Nothing in this provision is intended to limit the Minister's ability to consider responses received after that period.

298. Consultation is an important mechanism by which industry stakeholders may advise the Department and the Minister that the document proposed to be prescribed is a suitable document for incorporation within the critical infrastructure risk management program obligation. Indeed, it is anticipated that this power may be used at the request of particular responsible entities for Part 2A assets.

Section 30ANC Disallowance of rules

299. New section 30ANC of the SOCI Act provides a unique regime for the disallowance of rules made under paragraph 30ANA(2)(f), which excludes the operation of the general disallowance provision in section 42 of the Legislation Act (see subsection (5)). Importantly, this provision means that rules made under paragraph 30ANA(2)(f) cannot commence until the day after the disallowance period has ended.

Subsection 30ANC(1)--Scope

300. Subsection (1) provides that section 30ANC applies to rules made for paragraph 30ANA(2)(f), to specify a document as a 'relevant document' that may be incorporated as in force from time to time in rules made under sections 30AH and 30AKA.

Subsections 30ANC(2)-(5)--Disallowance

301. Subsection (2) provides that, after being tabled in each House of the Parliament under section 38 of the Legislation Act, rules under paragraph 30ANA(2)(f) may be disallowed if, within 15 sitting days of being tabled, a disallowance motion is moved and, within a further 15 sitting days, the resolution is passed. In addition, subsection (4) provides that, if a disallowance motion has been moved and not withdrawn or otherwise disposed of, the rules are taken to have been disallowed. Both of these provisions mirror the requirements of subsections 42(1) and (2) of the Legislation Act.

302. Notably, subsection (3) delays rules under paragraph 30ANA(2)(f) from taking effect until the day after the last day on which the rules are subject to disallowance. In practice, this means that:
• if no disallowance motion is moved, or a motion is moved and withdrawn etc. before the end of 15 sitting days, the rules take effect on the day after the 15 sitting days following tabling of the rules--whichever is the later day between the House of Representatives and the Senate;
• if a disallowance motion is moved but subsequently withdrawn or disposed of after the first 15 sitting day period has expired, the rules take effect on the day after the motion is withdrawn or disposed of.

303. This is a distinct disallowance scheme that applies specifically in relation to rules under paragraph 30ANA(2)(f), to afford transparency and Parliamentary oversight of any document that may be prescribed as a 'relevant document' that may be incorporated in rules made under sections 30AH and 30AKA as in force from time to time, whilst still permitting those rules to reflect best Australian and international risk management practices.


Part 2AA Reporting obligations relating to certain assets that are not covered by a critical infrastructure risk management program

304. Item 49 also inserts a new Part 2AA in the SOCI Act providing for reporting obligations relating to assets that are not covered by a critical infrastructure risk management program. In particular, these reporting provisions cover the case where an exemption applies under new subsections 30AB(4)-(6) (see from paragraph 141).

Section 30AP Simplified outline

305. New section 30AP is a simplified outline of Part 2AA, which sets out that a responsible entity must give an annual report relating to certain assets that are not covered by a critical infrastructure risk management program.

Section 30AQ Reporting obligations

306. New section 30AQ of the SOCI Act requires a responsible entity for a critical infrastructure asset that is exempt from Part 2A by way of subsections 30AB(4), (5) or (6) to provide an annual report to the relevant Commonwealth regulator or, in the absence of such a regulator, the Secretary.

Subsection 30AQ(1)--application

307. Subsection (1) provides that the reporting obligations in section 30AQ apply if, for a period that consists of the whole or a part of a financial year (referred to as the 'relevant period'), an entity was a responsible entity for a critical infrastructure asset covered by an exemption in subsections 30AB(4)-(6) of the SOCI Act. For reference, those exemptions apply to critical infrastructure assets:
• for which the responsible entity is an entity that is certified strategic under the Commonwealth's Digital Certification Framework (subsection 30AB(4)); or
• for which the responsible entity is an entity covered by a Commonwealth, State or Territory law specified by rules (subsection 30AB(5)); or
• covered by a provision of a Commonwealth, State or Territory law specified by rules (subsection 30AB(6)).

Subsections 30AQ(2)-(3)--annual report

308. Subsection (2) provides that, where section 30AQ applies to an entity, it must, within 90 days after the end of a financial year, give either the relevant Commonwealth regulator (paragraph (a)) or, if there is no relevant regulator, the Secretary (paragraph (b)) a report that:
• sets out why one of the exemptions in subsections 30AB(4), (5) or (6) applies to the entity's critical infrastructure asset(s) (paragraph (c));
• includes a description of any hazards having a relevant impact on the assets and the effectiveness of any actions the entity took to mitigate the hazard (paragraph (d));
• is in the approved form (paragraph (e)); and
• is approved by the entity's board, council or other governing body (paragraph (f)).

309. Breach of the obligation to consider any matters specified in rules under subsection (3) is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to align with the obligation under section 30AE to regularly review a critical infrastructure risk management program (that meets the requirements of section 30AH).

310. Breach of the obligation to provide an annual report that accords with paragraphs (2)(c) to (f) is subject to a civil penalty of up to 150 penalty units, which accords with the penalty for failing to provide an annual report under the critical infrastructure risk management program obligation in section 30AG.

311. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance and to ensure responsible entities comply with their reporting obligation. It is commensurate with the penalty for non-compliance with the obligation on aviation and maritime industry participants to comply with reporting obligations under ATSA and MTOFSA. The penalty reflects the importance of governing bodies certifying that appropriate risk management practices are in place and that security is being considered by the most senior officers for these assets.

312. Subsection (3) provides that the report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of the SOCI Act.

313. Subsection (3) is included to provide industry with assurance that the annual report will only be used to better understand the threat environment in each sector and for matters related to providing meaningful assistance and advice to entities on ways to further enhance the security and resilience of critical infrastructure assets.

314. In the absence of subsection 30AQ(3), entities would potentially be obliged to provide information in the annual report that may subject them to civil proceedings for contravention of a civil penalty provision of the SOCI Act. On balance, excluding the use of this information in civil proceedings under the SOCI Act will be in the public interest, by ensuring that industry is not discouraged from providing complete information in accordance with the requirements of the Bill. This will benefit the public by contributing to the protection of the critical infrastructure assets on which the public relies.


Items 50-53 Subparagraph 30BBA(2)(a)(ii), paragraph 30BBA(2)(c), subparagraph 30BBA(2)(d)(ii) and at the end of section 30BBA

315. Sections 30BA and 30BBA of the SOCI Act provide for the application of Part 2B of the SOCI Act, which requires a responsible entity for a critical infrastructure asset to provide mandatory cyber incident reports to the ASD. Relevantly, before rules can be made under paragraph 30BA(1)(a) to prescribe critical infrastructure assets to which Part 2A applies, the consultation requirements specified in section 30BBA must be met.

316. Items 50-52 of Schedule 1 to the Bill amend section 30BBA of the SOCI Act to remove the reference to the 28-day period for consultation and insert a reference to the period mentioned in subsection (3). Item 53 inserts new subsection 30BBA(3), providing that the period is the period specified in the notice--but that period must not be shorter than 28 days. This amendment clarifies that the Minister may invite submissions to be made over a longer period.

Item 54 At the end of section 30BE

317. Item 54 inserts new subsections 30BE(3) and (4) into the SOCI Act to expand the scope of the existing civil immunities under the SOCI Act for responsible entities complying with sections 30BC or 30BD to provide incident reports about cyber security incidents. The new subsections expand the scope of the immunities to officers, employees and agents of a:
• related company group (subsection (3)); and
• contracted service provider (subsection (4)).

318. The current immunities in the SOCI Act ensure that entities, when acting in response to a compulsory legal direction, are not subject to civil liability. The absence of such an immunity would result in the entity being forced to choose between complying with the lawful direction or, for example, its contractual obligations. Noting that the objectives of the directions are to respond to a serious cyber security incident that poses a material risk of serious prejudice to Australia's national interests, it is important that there are no barriers to the entity complying with such a direction and that it is not penalised for doing so. In their submissions to the PJCIS when it reviewed the 2020 Amendment Bill, the Law Council of Australia and the Business Council of Australia highlighted the need to expand the immunities in the SOCI Act to protect employees, officers and agents of separate but related bodies corporate.

319. The current immunities in the SOCI Act do not protect officers, employees and agents of separate, but related, entities who engage in conduct for the purpose of compliance with obligations on the primary entity. Nor do the current immunities protect persons (natural or legal) who are engaged to provide services or advice to the primary entity on a contractual basis.


320. It is conceivable that the obligations or requirements of the SOCI Act may be discharged by a separate but related body corporate, because of contractual or other corporate arrangements between entities. In those circumstances, it is clear that the current immunities in the SOCI Act would not necessarily extend to provide protection from an action or other proceedings for damages for those bodies corporate or persons, unless in the particular circumstances they would come within the concept of an 'agent'.

321. The amendment to section 30BE is being made in accordance with recommendation 7 and paragraph 3.49 of the PJCIS report.

Subsection 30BE(3)--Civil liability for a member of a related company group

322. Subsection (3) provides that if an entity is or was subject to a requirement under section 30BC or 30BD, and the entity is or was a member of a related company group (defined by reference to the Corporations Act), then another member of the related company group is not liable to an action for compensation for acts or omissions done in good faith to comply with the direction. Furthermore, an officer, employee or agent of another member of the related company group is not liable to an action for compensation for an act done or omitted in good faith to facilitate compliance with the requirement.

Subsection 30BE(4)--Civil liability for a contracted service provider

323. Subsection (4) provides an immunity for a contracted service provider who is a party to a contract with, or responsible under contract to provide services to, an entity subject to a requirement under section 30BC or 30BD.

324. Under this immunity, a contracted service provider is not liable to an action for compensation for actions or omissions done in good faith to facilitate the responsible entity complying with a section 30BC or 30BD requirement. Furthermore, an officer, employee or agent of another member of the contracted service provider is not liable to an action for compensation for actions or omissions done in good faith to facilitate the first entity complying with a requirement.

Items 55-57 Paragraph 30BEB(2)(b), paragraphs 20BEB(2)(c) and (d) and at the end of section 30BEB

325. Under paragraph 30BEA(b) of the SOCI Act, the Minister may specify circumstances that are taken to be a cyber security incident that has a significant impact (whether direct or indirect) on the availability of a critical infrastructure asset for the purposes of Part 2B. Relevantly, before rules can be made under paragraph 30BEA(b), the consultation process specified in section 30BEB must be conducted.

326. Items 55-56 of Schedule 1 to the Bill amend section 30BEB of the SOCI Act to remove the reference to the 28-day period for consultation and insert a reference to the period mentioned in subsection (3). Item 57 inserts new subsection 30BEB(3), providing that the period is the period specified in the notice--but that period must not be shorter than 28 days. This amendment clarifies that the Minister may invite submissions to be made over a longer period.

Item 58 After Part 2B

327. Item 58 inserts new Part 2C, containing enhanced cyber security obligations for systems of national significance, into the SOCI Act.

Part 2C--Enhanced cyber security obligations

Division 1--Simplified outline of this Part

Section 30CA Simplified outline of this Part

328. New section 30CA of the SOCI Act includes a simplified outline of Part 2C, which is intended to aid the reader of the legislation in understanding the operation of this Part. This section outlines that Part 2C sets out enhanced cyber security obligations that relate to systems of national significance (a particular sub-set of critical infrastructure assets that are the subject of a declaration under new Part 6A of the Bill; see item 49 of Schedule 1 to the Bill below).

329. The critical infrastructure cyber threat environment is worsening, in part due to an ever-increasing reliance on technology, and increasing interoperability and interdependency between Australia's most critical assets. This has created a new set of vulnerabilities that can have catastrophic cascading consequences for Australia's economy and national security. This growing threat necessitates a strengthened relationship between Government and industry, built on enhanced information sharing and activities to prepare for, prevent and mitigate against significant cyber security incidents.

330. There are four different legislative mechanisms that implement the enhanced cyber security obligations outlined in new Part 2C of the SOCI Act:
• statutory incident response planning obligations (new Division 2 of Part 2C);
• cyber security exercises (Division 3);
• vulnerability assessments (Division 4); and
• access to system information (Division 5).


Division 2--Statutory incident response planning obligations

Subdivision A--Application of statutory incident response planning obligations

Section 30CB Application of statutory incident response planning obligations--determination by the Secretary

331. New section 30CB of the SOCI Act provides for the application of the statutory incident response planning obligations to systems of national significance. Subsection (1) provides that the Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, determine that the statutory incident reporting obligations apply to the entity in relation to the system and to cyber security incidents.

332. As clarified at paragraph (1)(a), a notice to apply the response planning obligations can only be given to a responsible entity for a 'system of national significance'.

333. Subsection (2) provides that a determination made by the Secretary under subsection (1) takes effect at the time specified in the determination which, under subsection (3), must not be earlier than the end of the 30-day period that began when the notice was given. This provides responsible entities with a minimum 30 day notice period to make arrangements to meet this obligation.

334. Subsection (4) specifies criteria that the Secretary must have regard to before issuing a notice under subsection (1). The criteria are:
• the costs that are likely to be incurred by the entity in complying with Subdivision B (sections 30CD-30CH in particular, paragraph (a)); and
• the reasonableness and proportionality of applying the statutory incident reporting obligations to the entity in relation to the system that the entity is the responsible entity for and cyber security incidents (paragraph (b)); and
• such other matters (if any) as the Secretary considers relevant (paragraph (c)).

335. Other matters that the Secretary may consider relevant under paragraph (4)(c) are any international trade obligations that apply, whether the entity is, or has been, subject to any other enhanced cyber security obligation, and whether the entity is subject to another regulatory regime under Commonwealth, State or Territory law that is similar.

336. Subsection (5) outlines a consultation requirement that must be met before a notice is given under this section. The Secretary must consult the entity and, if there is a relevant Commonwealth regulator that has functions relating to the security of that system, the relevant Commonwealth regulator. This will minimise any unnecessary burden being imposed on the entity as a result of the notice not being appropriately adapted to the circumstances of the system of national significance.


337. Subsection (6) clarifies that a determination under section 30CB is not a legislative instrument. It is reasonable and appropriate that determinations made by the Secretary under this section are not legislative instruments. A legislative instrument should be implemented where the purpose of the instrument is to determine the content of the law. The Secretary's determination under subsection (1) of this section applies the law in a particular instance to a particular system of national significance, and does not determine the content of the law that applies--that is set out in this Subdivision.

Exclusion of merits review for section 30CB, other Part 2C decisions and decisions to declare a system of national significance

338. Section 30CB and a number of other provisions in new Part 2C of the SOCI Act contain provisions that provide an administrative discretion to a decision maker (subsections 30CM(1), 30CU(1), 30CR(2), 30DB(2), 30DC(2) and 30DJ(2)). Recommendation 7 and paragraph 3.49 of the PJCIS report suggested that administrative decisions under these provisions, and decisions of the Minister to declare a system as a system of national significance (see section 52B), should be subject to merits review.

339. The Government's position is that this is not an appropriate measure to include. The Secretary's decisions to impose the enhanced cyber security obligations under Part 2C are inherently linked to the Minister's decision under section 52B--because Part 2C can only apply to a system of national significance once privately and personally declared by the Minister.

340. The fact that a critical infrastructure asset has been declared a system of national significance is inherently sensitive and harmful information, especially for assets that may not be immediately apparent as systems of national significance, or for particular assets owned by larger corporations to the exclusion of others. If external or malicious actors were easily able to identify the assets of highest criticality, they would be able to target those assets. Further, the Secretary's decisions under Part 2C are likely to contain information that is even more sensitive, given that the various obligations may be applied to assist an entity to uplift and review their cyber security.

341. As outlined in the Administrative Review Council's 1999 Report What decisions should be subject to merits review?, the exclusion of merits review for these decisions is justified because they are policy decisions of high political content, having regard to:
• their potential to impact the Australian economy--if systems of national security, and their cyber security arrangements, are made available it could lead to those assets being significantly impacted or the mass disclosure of sensitive financial information;
• the potential impact to Australia's relations with other countries--some responsible entities will be foreign and multinational corporations, and any impact to their operations may lead to further impact on the security and availability of that corporation's asset in other countries; and
• their relationship to national security--the Minister, in making the decision to declare a critical infrastructure asset as a system of national significance, is required to consider the consequences that would arise for the social or economic stability of Australia or its people, the defence of Australia and national security (see paragraph 52B(2)(a) in particular, from paragraph 607). Considering these factors will involve the consideration of security classified information and other inherently harmful information (as defined by section 121.1 of the Criminal Code).

342. It is also notable that the Minister's decision under section 52B can only be made by the Minister personally, and there is no statutory power of delegation of the Minister's powers under the SOCI Act. It is further noted that judicial review, including review under the Administrative Decisions (Judicial Review) Act 1997 (ADJR Act), is available in relation to such decisions.

Section 30CC Revocation of determination

343. New section 30CC of the SOCI Act provides for the revocation of determinations made by the Secretary under section 30CB.

Subsection 30CC(1)--Scope

344. Subsection (1) outlines that section 30CC applies if a determination applying the statutory incident response planning obligations is in force under section 30CB and notice of the determination was given to a particular responsible entity for a system of national significance.

Subsection 30CC(2)--Power to revoke determination

345. Subsection (2) provides that the Secretary may, by written notice given to the entity, revoke the determination.

Subsection 30CC(3)--Application of Acts Interpretation Act 1901

346. Subsection (3) outlines that section 30CC does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act to an instrument made under a provision of the SOCI Act (other than this Division).

347. This means that subsection 33(3) of the Acts Interpretation Act, which generally provides that a power to make an instrument of legislative or administrative character is construed to include a power to repeal, rescind, revoke, amend, or vary that instrument in the like manner and subject to the like conditions, continues to apply in relation to other instrument-making powers in the SOCI Act.


Subdivision B--Statutory incident response planning obligations

348. Subdivision B of Division 2 of Part 2C of the SOCI Act creates obligations that a responsible entity for a system of national significance must comply with if the Secretary has given the entity a written notice under subsection 30CB(1).

Section 30CD Responsible entity must have an incident response plan

349. New section 30CD of the SOCI Act creates an obligation for the entity to adopt and maintain an 'incident response plan' that applies to the entity in relation to the system and cyber security incidents. In this regard:
• 'incident response plan' is defined in new section 30CJ of the SOCI Act (see below), and
• the meaning of 'cyber security incident' is outlined in section 12M (see item 39 of Schedule 1 to the Bill above).

350. Cyber incident response plans help an organisation identify the activities and resources needed to respond to malicious cyber activity, and are an essential business continuity process. Incident response plans prepare an organisation to identify and respond to malicious cyber activity on its networks and ensure that both internal and external (including relevant government entities) contacts, roles and responsibilities are identified before an incident. Incident response plans also allow organisations, staff and service providers to exercise their roles and responsibilities before an incident occurs. Rehearsed and exercised incident response plans limit the potential disruption caused by malicious cyber activity and ensure that normal operations can be restored as soon as possible.

351. While improving our collective situational awareness of threats and uplifting the cyber security of critical infrastructure are important steps, there may be some threats that cannot be thwarted. In these circumstances, incident response plans provide responsible entities with a clear understanding of 'what to do' and 'who to call' to minimise the impact of an incident and continue providing services to the community.

352. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. The penalty is designed to deter non-compliance and to ensure responsible entities adopt an incident response plan if required to. This penalty is commensurate with the non-compliance of an obligation on aviation and maritime industry participants to have security programs under the ATSA or MTOFSA. The penalty reflects the important function of the incident response plan in ensuring the entity has appropriate procedures in place to identify and respond effectively to cyber security incidents.


Section 30CE Compliance with incident response plan

353. New section 30CE of the SOCI Act creates an obligation for an entity, once an incident response plan has been adopted, to comply with that plan. This includes compliance with any amendments to the incident response plan that may have been made under section 30CK.

354. This section is an extension of section 30CD and is intended to clarify that responsible entities are not only required to have an incident response plan in place but that entities must actually comply with that plan and the various procedures it contains (aligning with the requirements for a critical infrastructure risk management program under Part 2A).

355. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. The penalty is designed to deter non-compliance and to ensure responsible entities comply with their critical infrastructure risk management program. This penalty is commensurate with the non-compliance of an obligation on aviation and maritime industry participants to comply with security programs under the ATSA or MTOFSA. The penalty reflects the important function of the incident response plan in ensuring the entity has appropriate procedures in place to identify and respond effectively to cyber security incidents.

Section 30CF Review of incident response plan

356. New section 30CF of the SOCI Act creates an obligation for the responsible entity that has adopted an incident response plan to review that plan on a regular basis (aligning with the requirements for a critical infrastructure risk management program under Part 2A).

357. This section does not prescribe a specific timeframe during which the entity must review the incident response plan. This is because critical infrastructure assets operate in a variety of threat environments and therefore face different challenges. As such, the frequency of review of the program may change over time as the characteristics of the asset, organisational structures, its interdependencies, the market, or threats change or fluctuate. For this reason, it is intended that the responsible entity will determine the frequency with which review of the plan should occur, noting they are best placed to understand the context of the asset and its evolving threat environment.

358. This approach is intended to prevent unnecessary burden being placed on industry to review the program in a manner disproportionate to their context. The Department will work closely with industry to develop guidance to assist them in determining the application of the provision to their unique circumstances.

359. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. It is designed to deter non-compliance and to ensure responsible entities review their incident response plan. The penalty reflects the importance of reviewing an incident response plan to ensure that it is fit for purpose and, therefore, effective in managing a cyber security incident response.


Section 30CG Update of incident response plan

360. New section 30CG of the SOCI Act creates an obligation for an entity that has adopted an incident response plan to take all reasonable steps to ensure that the plan is up to date (aligning with the requirements for a critical infrastructure risk management program under Part 2A).

361. Meaningful cyber security preparedness, and in turn resilience, will only occur if the incident response plan remains current. It is therefore vital that responsible entities review their incident response plan on a regular basis and take reasonable steps to ensure it is kept up to date. This ensures risk and procedures are being continually assessed and managed by the entity rather than taking a 'set and forget' approach to risk management.

362. The term 'reasonable steps' refers to the entity's practical efforts to update the incident response plan relative to the changing security and organisational context. Further, best practice dictates that incident response plans are focused on the roles of the various individuals in the escalation chain, rather than the individuals themselves, which will avoid the need to update a plan in response to staff movements.

363. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance and to ensure responsible entities update their incident response plan. The penalty reflects the importance of keeping an incident response plan up-to-date and accurate.

Section 30CH Copy of incident response plan must be given to the Secretary

364. New section 30CH of the SOCI Act creates an obligation for an entity that has adopted an incident response plan to provide a copy of their incident response plan, and any variation of the plan, to the Secretary.

365. Subsection (1) provides that an entity that has adopted an incident response plan must provide a copy of the plan to the Secretary as soon as practicable after the adoption. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure responsible entities notify the Secretary of their incident response plan. The penalty reflects the importance of maintaining the two-way information sharing between Government and the entity to ensure both sides are well positioned to respond to emerging threats.

366. Subsection (2) provides that an entity that has adopted an incident response plan, and subsequently varies that plan, must provide a copy of the varied plan to the Secretary as soon as practicable after the variation. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure responsible entities notify the Secretary of variations to an incident response plan. The penalty reflects the importance of maintaining the accuracy of two-way information sharing between Government and the entity to ensure both sides are well positioned to respond to emerging threats.

367. This provides Government with visibility of the procedures and processes entities have put in place to prepare for, and respond to, a cyber security incident. Practically speaking, the Government is likely to use this plan to work with the responsible entity should any changes be required to ensure the asset is in a better position to handle the often sudden shocks caused by a cyber security incident. In the event that a cyber security incident does occur, the procedures and processes outlined in the plan will be followed in responding to the cyber security incident.

Section 30CJ Incident response plan

368. New section 30CJ of the SOCI Act describes an incident response plan. Subsection (1) provides that an incident response plan is a written plan:
• that applies to an entity that is the responsible entity for a system of national significance (paragraph (a)), and
• that relates to the system and to cyber security incidents (paragraphs (b) and (c)), and
• the purpose of which is to plan for responding to cyber security incidents that could have a relevant impact on the system (paragraph (d)), and
• that complies with such requirements (if any) that are specified in rules made under section 61 of the SOCI Act (paragraph (e)).

369. It is not proposed that the precise form of the plan will be dictated through the rules. Rather, these obligations are focused on achieving the required security objectives and ensuring the entity is well placed to respond to a cyber security incident. Entities are best placed to construct the plan, taking into account a variety of factors including the services provided by the asset, the extent and nature of interdependencies, and the threat environment. This also acknowledges that many entities will already have incident response plans in place, and therefore, takes a light touch approach focused on security outcomes over form.

370. Further, the incident response plan is limited to cyber security incidents and is not intended to address hazards more generally. Best practice incident response plans do not apply to specific cyber security incidents (although components of them may focus on specific types), but rather apply to cyber security incidents generally. This ensures procedures are in place to address the various methodologies that may be adopted in a cyber attack.

371. Subsection (2) clarifies that requirements specified in Ministerial rules made for the purpose of paragraph (1)(e) may be of general application (paragraph (a)), may relate to one or more specified systems of national significance (paragraph (b)), or may relate to one or more specified types of cyber security incidents (paragraph (c)).


372. A note to subsection (2) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

373. Subsection (3) further clarifies that subsection (2) does not, by implication, limit the application of subsection 33(3A) of the Acts Interpretation Act. This means that subsection 33(3A) of the Acts Interpretation Act, which generally provides that a power to make a legislative instrument in relation to a matter includes a power to make an instrument with respect to some only of those matters or with respect to a particular class or classes of those matters and to make different provision with respect to different matters or classes of matters, continues to apply.

Section 30CK Variation of incident response plan

374. New section 30CK of the SOCI Act provides that an entity that has adopted an incident response plan under section 30CD may vary their plan, so long as the varied plan is an incident response plan. This means that an incident response plan may be amended by a responsible entity, so long as the amended program still has the required characteristics as outlined in new section 30CJ--including any specific requirements prescribed in Ministerial rules for the purpose of paragraph 30CJ(1)(e).

375. It is intended that an incident response plan may be varied by a responsible entity where changes are required or desirable as a result of the review of the program on a regular basis under new section 30CF of the SOCI Act. This recognises that an entity may need to change its incident response plan in response to the evolving threat environment.

Section 30CL Revocation of adoption of incident response plan

376. New section 30CL of the SOCI Act outlines that, if an entity has adopted an incident response plan, nothing in Division 2 of Part 2C prevents the entity from revoking that adoption and adopting another incident response plan that applies to the entity. This allows for an entity to prepare and subsequently adopt a new incident response plan, but the previous incident response plan must remain in place until the new plan is adopted.

Division 3--Cyber security exercises

Section 30CM Requirement to undertake cyber security exercise

377. New section 30CM of the SOCI Act empowers the Secretary to require a responsible entity for a system of national significance to undertake a 'cyber security exercise' as defined by section 30CN.

378. Subsection (1) provides that the Secretary may, by written notice given to the responsible entity, require the entity to undertake a cyber security exercise in relation to the system of national significance and all types of cyber security incidents, within the time specified in the notice. Subsection (2) provides, on similar terms, that the Secretary may require the entity to undertake a cyber security exercise but only in relation to one or more specified types of cyber security incidents.

379. In practice, subsection (1) will be used where the Government and entity want to test the general cyber response preparedness, mitigation and response capabilities of the asset. Subsection (2) could be used to test responsiveness in relation to a particular threat scenario, for example a ransomware attack.

380. An exercise may be discussion or tabletop-based, operational or functional. For example, the responsible entity may be required to engage in a strategic discussion exercise to build industry and Government's coordinated response to a significant cyber incident impacting a specified sector. Through the exercise, the responsible entity would test its internal response capability, responsibilities for key staff, and coordination with Government. Through the exercise report, the responsible entity will benefit from a greater understanding of the effectiveness of any response plans and build its capability to respond to a real-life event.

381. Subsection (3) outlines that the period specified to complete the cyber security exercise in a notice given under subsections (1) or (2) must not be less than the 30-day period that began when the notice was given. This should afford the entity sufficient opportunity to undertake and complete the exercise, noting the consultation requirements that may occur prior to the notice being given.

382. Subsection (4) provides that a notice under subsections (1) or (2) may also require the responsible entity for a system of national significance to do any or all of the following things:
• allow one or more designated officers to observe the cyber security exercise and give the officers access to premises for that purpose (paragraphs (a) and (b))
• provide designated officers with reasonable assistance and facilities to allow the officers to observe the exercise (paragraph (c))
• allow designated officers to make records as are reasonably necessary for the purposes of monitoring compliance with the notice (paragraph (d))
• give designated officers reasonable notice of the time when the cyber security exercise will begin, so that they can observe the exercise if they choose to do so (paragraph (e)).

383. A designated officer is defined in section 30DQ to be an employee of the Department or a staff member of the ASD (see further below).

384. The purpose of subsection 30CM(4) is to ensure Government officials have visibility of the way the exercise is being conducted, and, importantly, the outcome of the exercise.


Assets that are declared to be systems of national significance are of the highest criticality to Australia's national interest. Accordingly, Government has a strong interest and a responsibility to understand the ability of these assets to respond appropriately to, or mitigate the impact of, a cyber security incident.

385. Subsection (5) specifies criteria that the Secretary must have regard to before issuing a notice under subsection (1). The criteria are:
• the costs that are likely to be incurred by the entity in complying with the notice (paragraph (a)); and
• the reasonableness and proportionality of the requirement in the notice (paragraph (b)); and
• such other matters (if any) as the Secretary considers relevant (paragraph (c)).

386. Other matters that the Secretary may consider relevant under paragraph (4)(c) are any international trade obligations that apply, whether the entity is, or has been, subject to any other enhanced cyber security obligation, and whether the entity is subject to another regulatory regime under Commonwealth, State or Territory law that is similar.

387. Subsection (6) outlines a consultation requirement that must be met before a notice is given under this section. The Secretary must consult the entity and, if there is a relevant Commonwealth regulator that has functions relating to the security of that system, the relevant Commonwealth regulator. This will minimise any unnecessary burden being imposed on the entity as a result of the notice not being appropriately adapted to the circumstances of the system of national significance.

388. See also the information concerning the exclusion of merits review in relation to the Secretary's decision under subsection 30CM(1) as outlined in relation to section 30CB above (as discussed in paragraph 338).

Section 30CN Cyber security exercise

389. New section 30CN of the SOCI Act defines a cyber security exercise. Ultimately, an exercise is designed to reveal whether the existing resources, processes and capabilities of an entity sufficiently safeguard the system from being impacted by a cyber security incident.

390. During the Department's consultation on the Cyber Security Strategy 2020, submissions highlighted the importance of joint cyber security exercises involving industry and government to improve entities' cyber resilience. Noting the interdependencies between critical infrastructure assets, these exercises can be used to develop interoperable response capabilities to prevent a cascading of impacts across sectors.

391. Section 30CN is purposely non-prescriptive to ensure that the focus is not on the form of the exercise but rather on the purpose or outcomes the exercise is trying to achieve.


However, the exercise could for example take the form of a tabletop exercise, a functional exercise, a discussion exercise etc. Government will work with entities to determine what the best exercise format may be in relation to the threat environment and the individual characteristics of the asset to ensure maximum effectiveness.

392. Under subsection (1), a cyber security exercise is an exercise that:
• is undertaken by the responsible entity for a system of national significance (paragraph (a)), and
• relates to the system of national significance (paragraph (b)), and
• either relates to all types of cyber security incidents (i.e. as required by the Secretary under subsection 30CM(1)) or one or more types of cyber security incidents (as required by the Secretary under subsection 30CM(2)) (paragraph (c)), and
• if the exercise relates to all types of cyber security incidents--the purpose of the exercise is as outlined in subparagraphs (d)(i)-(iii) (paragraph (d)), and
• if the exercise relates to one or more specified types of cyber security incidents (for example, malware attacks or denial-of-service attacks)--the purpose of the exercise is as outlined in subparagraphs (e)(i)-(iii) (paragraph (e)), and
• complies with the requirements (if any) as specified in rules made under section 61 of the SOCI Act (paragraph (f)).

393. A cyber security exercise that relates to all types of cyber security incidents must, under paragraph (1)(d), be for the purposes of:
• testing the entity's ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system (subparagraph (i))
• testing the entity's preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system (subparagraph (ii)), and
• testing the entity's ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system (subparagraph (iii)).


394. A cyber security exercise that relates to a specified type or types of cyber security incident must, under paragraph (1)(e), be for the purposes of:
• testing the entity's ability to respond appropriately to the specified types of cyber security incidents that could have a relevant impact on the system (subparagraph (i))
• testing the entity's preparedness to respond appropriately to the specified types of cyber security incidents that could have a relevant impact on the system (subparagraph (ii)), and
• testing the entity's ability to mitigate the relevant impacts that the specified types of cyber security incidents could have on the system (subparagraph (iii)).

395. With respect to rules made for the purpose of paragraph (1)(f), subsection (2) clarifies that any such rules may be of general application (paragraph (a)), may relate to one or more specified systems of national significance (paragraph (b)), or may relate to one or more specified types of cyber security incident (paragraph (c)).

396. A note to subsection (2) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

397. Subsection (3) further clarifies that subsection (2) does not, by implication, limit the application of subsection 33(3A) of the Acts Interpretation Act. This means that subsection 33(3A) of the Acts Interpretation Act, which generally provides that a power to make a legislative instrument in relation to a matter includes a power to make an instrument with respect to some only of those matters or with respect to a particular class or classes of those matters and to make different provision with respect to different matters or classes of matters, continues to apply.

Section 30CP Compliance with requirement to undertake cyber security exercise

398. New section 30CP of the SOCI Act requires an entity to comply with a notice given to the entity by the Secretary under section 30CM. This includes an obligation to complete the cyber security exercise within the timeframe included in the Secretary's notice.

399. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement and is designed to deter non-compliance to ensure responsible entities undertake a cyber security exercise. The penalty reflects the importance of a cyber security exercise in improving entities' cyber resilience and, potentially, developing interoperable response capabilities across critical infrastructure assets.


Section 30CQ Internal evaluation report

400. New section 30CQ of the SOCI Act requires an entity who has undertaken a cyber security exercise under section 30CM to prepare an 'evaluation report' (within the meaning given by section 30CS) and give a copy to the Secretary within 30 days after completing the exercise, unless the Secretary has allowed a longer period for the provision of the report (subsection (1)).

401. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement and is designed to deter non-compliance to ensure responsible entities provide evaluation reports of a completed cyber security exercise. This penalty is commensurate with the penalty for non-compliance with an obligation on aviation and maritime industry participants to comply with reporting obligations under ATSA and MTOFSA. The penalty reflects the importance for entities to evaluate and reflect on a cyber security exercise.

402. Subsection (2) provides that an evaluation report prepared by an entity under subsection (1) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of the SOCI Act, other than proceedings relating to subsection (1) and subsection 30CR(6). For example, the evaluation report cannot be used in evidence to demonstrate non-compliance with the critical infrastructure risk management program at Part 2A.

403. This reflects the purpose of the evaluation report and cyber security exercises, which is to assist entities in better understanding and taking any necessary steps to ensure assets of the highest criticality are safeguarded from cyber security incidents. This approach reflects the partnership approach that will underpin these obligations in practice, whereby Government will build strong relationships with responsible entities for systems of national significance to ensure resilience and promote rapid, and interoperable, responses to incidents.

404. In the absence of subsection 30CQ(2), entities would potentially be obliged to provide information in the evaluation report that may subject them to civil proceedings for contravention of a civil penalty provision of the SOCI Act. On balance, excluding use of this information in civil proceedings under the SOCI Act will be in the public interest by ensuring that industry is not discouraged from providing complete information in accordance with the requirements of the Bill. This will benefit the public by contributing to the protection of critical infrastructure assets on which the public rely.

Section 30CR External evaluation report

405. New section 30CR of the SOCI Act outlines the circumstances in which an entity, who has undertaken a cyber security exercise, may be required to arrange for an 'evaluation report' (within the meaning given by section 30CS) to be prepared by an external auditor.

Subsection 30CR(1)--Scope

406. Subsection (1) outlines that section 30CR of the SOCI Act applies to an entity that has undertaken a cyber security exercise under section 30CM in either of the following circumstances:

• the entity has prepared, or purported to prepare, an evaluation report under section 30CQ relating to the exercise, given the report to the Secretary and the Secretary has reasonable grounds to believe that report was not prepared appropriately (paragraph (a)), or
• the entity has contravened section 30CQ, such as where an entity has failed to provide a report to the Secretary within the time specified in the section 30CM notice (paragraph (b)).

Subsections 30CR(2)-(3)--Requirement

407. Under subsection (2) the Secretary may, by written notice given to the entity captured by subsection (1), require the entity to do all of the following:

• appoint an external auditor, being a person who has been authorised by the Secretary to be an external auditor under section 30CT (paragraph (a))
• arrange for the external auditor to prepare a 'new evaluation report' within the meaning given by section 30CS and to give the report to the entity (paragraphs (b) and (c)), and
• give the Secretary a copy of the new evaluation report within the period specified in the notice, or within a longer period as allowed by the Secretary (paragraph (d)).

408. See also the information concerning the exclusion of merits review in relation to the Secretary's decision under subsection 30CR(2) as outlined in relation to section 30CB above (from paragraph 338).

409. Subsection (3) requires that the notice given by the Secretary under subsection (2) must specify the matters to be covered in the new evaluation report, the form of the new evaluation report and the kinds of details it is to contain.

Subsection 30CR(4)--Consultation

410. Subsection (4) provides that, before giving a notice to an entity under this section in connection with a cyber security exercise that relates to a system of national significance, the Secretary must consult the entity and, if there is a relevant Commonwealth regulator that has functions relating to the security of that system, that regulator. The Secretary will have regard to the initial evaluation report provided by the entity when deciding whether to give a notice. This will minimise any unnecessary burden being imposed on the entity as a result of the notice not being appropriately adapted to the circumstances of the system of national significance.

Subsection 30CR(5)--Eligibility for appointment as external auditor

411. Subsection (5) provides that an individual is not eligible to be appointed as an external auditor by the entity as required under subsection (2) if the individual is an officer, employee or agent of the entity. This is intended to prevent conflicts of interest and ensure the report is independent.

Subsection 30CR(6)--Compliance

412. Under subsection (6), an entity must comply with a requirement from the Secretary under subsection (2). Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure an entity complies with a notice by the Secretary to arrange for an external evaluation report. The penalty reflects the importance of obtaining accurate and comprehensive evaluation reports to review the viability of cyber incident exercises and entity preparedness.

Subsection 30CR(7)--Immunity

413. Akin to subsection 30CQ(2) of the SOCI Act, subsection (7) provides that the new evaluation report prepared in accordance with a requirement under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of the SOCI Act, other than a contravention of subsection (6). This is intended to encourage open and transparent assessments and collaboration towards improving the security practices of the asset.

414. In the absence of subsection 30CR(7), entities would potentially be obliged to provide information for the evaluation report that may subject them to civil proceedings for contravention of a civil penalty provision of the SOCI Act. On balance, excluding use of this information in civil proceedings under the SOCI Act will be in the public interest by ensuring that industry is not discouraged from providing complete information in accordance with the requirements of the Bill. This will benefit the public by contributing to the protection of critical infrastructure assets on which the public rely.

Section 30CS Meaning of evaluation report

415. New section 30CS of the SOCI Act outlines what is an 'evaluation report' for the purpose of the SOCI Act, in particular sections 30CQ and 30CR. Different meanings are given to the term in circumstances where a report is required to be prepared as a result of a requirement to conduct an exercise in relation to all types of cyber security incidents under subsection 30CM(1), or where a report is required to be prepared as a result of a requirement to conduct an exercise in relation to one or more specified types of cyber security incidents under subsection 30CM(2).

416. Under paragraph (a), an 'evaluation report' required as a result of undertaking an exercise under subsection 30CM(1) is a written report, the purpose of which is to:

• evaluate the entity's ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system of national significance (subparagraph (i))
• evaluate the entity's preparedness to respond appropriately to all types of cyber security incidents that could have a 'relevant impact' on the system (subparagraph (ii)), and
• evaluate the entity's ability to mitigate the impacts that all types of cyber security incidents could have on the system (subparagraph (iii)).

417. Under paragraph (b), an 'evaluation report' required as a result of undertaking an exercise under subsection 30CM(2) is a written report, the purpose of which is to:

• evaluate the entity's ability to respond appropriately to those types of cyber security incidents specified in the notice under subsection 30CM(2) that could have a relevant impact on the system of national significance (subparagraph (i))
• evaluate the entity's preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system (subparagraph (ii)), and
• evaluate the entity's ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system (subparagraph (iii)).

418. An 'evaluation report' must also comply with the requirements, if any, as are prescribed in rules made by the Minister under section 61 of the SOCI Act (see paragraph (c)). This will allow for a mechanism to provide more structure and detail to how an evaluation report must be prepared and what it must contain.

Section 30CT External auditors

419. New section 30CT of the SOCI Act provides that the Secretary may, by writing, authorise a specified individual to be an external auditor for the purposes of the SOCI Act (see subsection (1)). A note to subsection (1) indicates that specification by class is permitted by way of subsection 33(3AB) of the Acts Interpretation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters. This means that an authorisation under subsection (1) can authorise a class of persons to be an external auditor for the purpose of the SOCI Act.

420. Subsection (2) clarifies that an authorisation under subsection (1) is not a legislative instrument. This is an appropriate position to take, given that the authorisation only applies the law in a particular instance to a particular individual or class of individuals and therefore does not determine or alter the content of the law for the purpose of subsection 8(3) of the Legislation Act.

421. This provision is intended to create a pool of external auditors that can be drawn on as necessary and required to perform external evaluation reports under section 30CR.

Division 4--Vulnerability assessments

Section 30CU Requirement to undertake vulnerability assessment

422. New section 30CU of the SOCI Act sets out the circumstances in which an entity that is the responsible entity for a system of national significance may be required to undertake a vulnerability assessment. A 'vulnerability assessment' has the meaning given by section 30CY (see further below).

423. A vulnerability assessment involves identifying potential points of weakness or gaps in the systems and networks that are relevant to the continued operation, functionality and security of systems of national significance. An assessment may include (but is not limited to) vulnerability scanning or testing.

424. The vulnerability assessment will help the entity in identifying where further resources and capabilities are required to improve preparedness and resilience of the system in relation to protecting against cyber security incidents. It will also allow Government to assess whether cyber security advice or assistance can be provided to strengthen the security or resilience of systems of national significance, and identify patterns of weakness across sectors and assets which could be exploited by malicious actors.

425. Under subsection (1), the Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to undertake a vulnerability assessment in relation to the system and all types of cyber security incidents within the period specified in the notice. This would involve a broad spectrum assessment for vulnerabilities to various types of cyber security incidents.

426. See also the information concerning the exclusion of merits review in relation to the Secretary's decision under subsection 30CU(1) as outlined in relation to section 30CB above (from paragraph 338).

427. Subsection (2) is drafted in similar terms, but allows for the Secretary to require the entity to undertake a vulnerability assessment in relation to one or more specified types of cyber security incidents specified in the notice. This form of notice would be used for a more targeted assessment relating to one or more particular types of cyber security incidents. For example, where credible intelligence exists that a malicious cyber actor may launch a particular attack on an asset, the Government can work with the responsible entity to determine vulnerabilities and put in place prevention and mitigation measures.

428. Subsection (3) specifies criteria that the Secretary must have regard to before issuing a notice under subsection (1). The criteria are:

• the costs that are likely to be incurred by the entity in complying with the notice (paragraph (a)); and
• the reasonableness and proportionality of the requirement in the notice (paragraph (b)); and
• such other matters (if any) as the Secretary considers relevant (paragraph (c)).

429. Other matters that the Secretary may consider relevant under paragraph (3)(c) are any international trade obligations that apply, whether the entity is, or has been, subject to any other enhanced cyber security obligation, and whether the entity is subject to a similar regulatory regime under another Commonwealth, State or Territory law.

430. The Secretary is also required, under subsection (4), to consult with the entity, or if there is a relevant Commonwealth regulator, that regulator before issuing a notice under either subsection (1) or (2). This consultation requirement will ensure that the notice is targeted and appropriate, as well as ensuring that any unintended consequences of the assessment can be identified and considered before a notice is issued.

Section 30CV Compliance with requirement to undertake a vulnerability assessment

431. New section 30CV of the SOCI Act makes it a requirement for an entity to comply with a notice given to the entity by the Secretary under section 30CU.

432. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. The penalty is designed to deter non-compliance and to ensure entities comply with a notice to undertake a vulnerability assessment. This penalty is commensurate with the penalty for non-compliance with an obligation on aviation and maritime industry participants to comply with directions under ATSA and MTOFSA. The penalty reflects the importance of this assessment in strengthening the security and resilience of systems of national significance, and identifying patterns of weakness across sectors and assets.

Section 30CW Designated officers may undertake a vulnerability assessment

433. New section 30CW of the SOCI Act outlines the circumstances in which a 'designated officer' may undertake a vulnerability assessment. A 'designated officer' for this purpose means an APS employee of the Department or a staff member of ASD who is appointed by the Secretary under subsection 30DQ(1) (see further below).

434. This provision acknowledges that responsible entities are best placed to conduct a vulnerability assessment, and the Government's commitment for this to be the preferred course of action. However, if the entity is incapable or unwilling to undertake the assessment then it is appropriate for Government to take action, noting the criticality of systems of national significance to Australia's national interest and the need to ensure their protection.

Subsection 30CW(1)--Scope

435. Subsection (1) provides that section 30CW applies if an entity is the responsible entity for a system of national significance and either:

• the Secretary has reasonable grounds to believe that if the entity were to be given a notice under subsection 30CU(1) or (2), the entity would not be capable of complying with the notice (subparagraph (b)(i)), or
• the entity has not complied with a notice given to the entity under subsection 30CU(1) or (2) (subparagraph (b)(ii)).

Subsections 30CW(2)-(4)--Request

436. Subsection (2) provides that the Secretary may give a designated officer a written request to undertake a vulnerability assessment in relation to a system of national significance and all types of cyber security incidents that apply to that system, within the period specified in the request. Subsection (3) is drafted in similar terms, but allows for the Secretary to request that a designated officer undertake a vulnerability assessment in relation to one or more types of cyber security incidents specified in the request. The written request will specify a period within which the vulnerability assessment must be completed.

437. The Secretary is required, under subsection (4), to consult with the responsible entity for the system of national significance before giving the request. The Secretary is also required to consult with the relevant Commonwealth regulator, should one exist with functions relating to the security of the system. This consultation requirement provides an opportunity for the responsible entity to demonstrate either willingness or capability to undertake the assessment and therefore avoid a designated officer doing so.

438. See also the information concerning the exclusion of merits review in relation to the Secretary's decision under subsections 30CW(2) and (3) as outlined in relation to section 30CB above (from paragraph 338).

Subsection 30CW(5)--Requirement 439. Subsection (5) provides that, if a request under subsection (2) or (3) has been given to a designated officer, the Secretary may, by written notice given to the entity in respect of whom the request relates, require the entity to do all or any of the following: • provide the designated officer with access to the premises for the purposes of undertaking the vulnerability assessment (paragraph (a)); • provide the designated officer with access to computers for the purposes of undertaking the vulnerability assessment (paragraph (b)); • provide the designated officer with reasonable assistance and facilities that are reasonably necessary to allow the designated officer to undertake the vulnerability assessment (paragraph (c)). 440. Things that may be reasonably necessary for the purpose of paragraph (5)(c) include information in relation to the operation and functioning of the system. This assistance will be crucial to preventing any unintended consequences as well as ensuring the assessment is rigorous and able to drive meaningful security uplift. Subsection 30CW(6)--Notification of request 441. Under subsection (6), the Secretary is required to give a copy of a request under subsection (2) or (3) to the entity that is responsible for the system of national significance in respect of whom the request relates. This will ensure the responsible entity is fully apprised of the scope of the request and can test any concerns around its validity. Section 30CX Compliance with requirement to provide reasonable assistance etc. 442. New section 30CX of the SOCI Act provides that an entity must comply with a notice given to the entity by the Secretary under subsection 30CW(5). 443. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. 
This penalty is designed to ensure entities provide reasonable assistance to designated officers undertaking vulnerability assessments in instances where the Secretary has reasonable grounds to believe the entity has not or cannot comply with an assessment notice under subsection 30CU(1) or (2). 444. This penalty is commensurate with the penalty for non-compliance with the obligation on aviation and maritime industry participants to comply with directions under ATSA and MTOFSA. The penalty reflects the importance of not obstructing government officials, particularly noting the objective of the intervention is to strengthen and protect the integrity of systems of national significance. 87


Section 30CY Vulnerability assessment 445. New section 30CY of the SOCI Act outlines what is a 'vulnerability assessment' for the purposes of the SOCI Act, in particular for sections 30CU, 30CV, 30CW and 30CX. 446. Under subsection (1), a vulnerability assessment is an assessment: • that relates to a system of national significance (paragraph (a)); • that relates to either all types of cyber security incidents or one or more specified types of cyber security incident (paragraph (b)), e.g. the Secretary may request the responsible entity undertake a one-off host assessment to identify system-level vulnerabilities to a key emerging threat impacting other entities in the sector, or the Secretary may request the responsible entity undertake a routine assessment to identify a network's vulnerabilities to all types of cyber security incidents); • if the assessment relates to all types of cyber security incident (i.e. is undertaken pursuant to subsections 30CU(1) or 30CW(2))--the purpose of which is to test the vulnerability of the system to all types of cyber security incidents (paragraph (c)); • if the assessment relates to one or more specified types of cyber security incident (i.e. is undertaken pursuant to subsections 30CU(2) or 30CW(3))-- the purpose of which is to test the vulnerability of the system to those types of cyber security incidents (paragraph (d)); and • that complies with the requirements, if any, as are specified in the rules made by the Minister under section 61 of the SOCI Act (paragraph (e)). 447. Subsection (2) clarifies that rules specified under paragraph (1)(e) may be of general application, may relate to one or more specified systems of national significance, or may relate to one or more specified types of cyber security incidents. A note to this section indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. 448. 
Subsection (3) further clarifies that subsection (2) does not, by implication, limit the application of subsection 33(3A) of the Acts Interpretation Act. This means that subsection 33(3A) of the Acts Interpretation Act, which generally provides that a power to make a legislative instrument in relation to a matter includes a power to make an instrument with respect to some only of those matters or with respect to a particular class or classes of those matters and to make different provision with respect to different matters or classes of matters, continues to apply. 88


Section 30CZ Vulnerability assessment report 449. New section 30CZ of the SOCI Act outlines requirements in preparing a 'vulnerability assessment report' as a result of undertaking a vulnerability assessment. The meaning of 'vulnerability assessment report' is outlined in section 30DA (see further immediately below). 450. Under subsection (1), where an entity undertakes, or causes to be undertaken, a vulnerability assessment in accordance with a request by the Secretary under section 30CU, the entity must prepare a vulnerability assessment report. The entity must provide a copy of this report to the Secretary within 30 days of completing the assessment, or within a longer period allowed by the Secretary under subparagraph (b)(ii). 451. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. It is designed to deter non-compliance to ensure entities report on a vulnerability assessment. The penalty reflects the importance of obtaining accurate and comprehensive assessment reports. 452. Subsection (2) provides that, if a designated officer undertakes a vulnerability assessment in accordance with a request by the Secretary under section 30CW, the designated officer must prepare a vulnerability assessment report. The designated officer must provide a copy of the report to the Secretary within 30 days of completing the assessment, or within a longer period allowed by the Secretary under subparagraph (b)(ii). 453. This provides Government with visibility of the potential weaknesses or gaps in assets that are of highest criticality to Australia's national interests. In practice, it is likely that Government will use a report to work with the responsible entity to identify and implement proportionate measures to addresses any weaknesses contained in the report. 
It will also provide Government with a comprehensive understanding of any systemic vulnerabilities that may need to be addressed in consultation with industry to achieve the desired uplift in the security and resilience of the asset. 454. Subsection (3) outlines that if an entity prepares, or causes to be prepared, a report under subsection (1), the report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of the SOCI Act, other than a contravention of subsection (1) of this section. For example, the report cannot be used in evidence to demonstrate non-compliance with the critical infrastructure risk management program at Part 2A. This reflects the purpose of the report and vulnerabilities assessments which is to assist entities in better understanding and taking any necessary steps to ensure assets of the highest criticality are safeguarded from cyber security incidents. 455. In the absence of subsection 30CZ(3), entities would potentially be obliged to provide information in the vulnerability assessment report that may subject them to civil proceedings for contravention of a civil penalty provision the SOCI Act. On balance, excluding use of this information in civil proceedings under the SOCI Act will be in the public interest by ensuring 89


that industry is not discouraged from providing complete information in accordance with the requirements of the Bill. This will benefit the public by contributing to the protection of critical infrastructure assets on which the public rely. Section 30DA Meaning of vulnerability assessment report 456. New section 30DA of the SOCI Act outlines the meaning of 'vulnerability assessment report' in relation to a vulnerability assessment for the purpose of the SOCI Act, and in particular section 30CZ. 457. Under this section, a 'vulnerability assessment report' is a written report: • for an assessment relating to all types of cyber security incidents (i.e. under subsections 30CU(1) or 30CW(2))--the purpose of which is to assess the vulnerability of the system of national significance to all types of cyber security incidents (paragraph (a)) • for an assessment relating to one or more types of cyber security incidents (i.e. under subsections 30CU(2) or 30CW(3))--the purpose of which is to assess the vulnerability of the system to those types of cyber security incidents specified in the notice (paragraph (b)), and • that complies with such requirements, if any, as are prescribed in Ministerial rules made under section 61 of the SOCI Act (paragraph (c)). This will allow for a mechanism to provide more structure and detail to how a vulnerability assessment report must be prepared and what it must contain. Division 5--Access to system information 458. System information is information generated by computer systems that relates to the functioning of the computer needed to operate a system of national significance. This information may assist with determining whether a power under this Act should be exercised in relation to the system of national significance, in particular, the powers set out in Part 3A. System information does not include personal information within the meaning of the Privacy Act. 
System information is data generated about a system for the purposes of security, diagnostic monitoring or audit, such as network logs, system telemetry and event logs, alerts, netflow and other aggregate or metadata that provide visibility of malicious activity occurring within the normal functioning of a computer network. 459. System information is crucial to quickly identifying a system or network compromise, tracing that compromise to mitigate against similar attacks, and understanding the impacts of a compromise on the current state of a system. This allows for a rapid and effective response to mitigating a cyber incident and restoring functionality to a system. 460. During the Department's consultation on the Cyber Security Strategy 2020, stakeholders strongly supported initiatives to improve information sharing to make critical 90


infrastructure more resilient and secure. The provision of system telemetry from systems of national significance will support the Government's ability to build a near-real time threat picture through the Cyber Enhanced Situational Awareness and Response (CESAR) capability. In return, the Government will share actionable, anonymised information back out to industry to assist relevant entities improve cyber resilience in relation to their assets. Aggregated system information from key assets across the economy, overlaid with intelligence and reporting, will also enable the Government to target its capabilities to the threats and vulnerabilities of greatest consequence to the nation. Subdivision A--System information reporting notices Section 30DB Secretary may require periodic reporting of system information 461. New section 30DB of the SOCI Act provides for the Secretary to require an entity, who is the relevant entity for a system of national significance, to provide periodic reporting of system information. Subsection 30DB(1)--Scope 462. Subsection (1) provides that section 30DB applies if both of the following apply: • a computer is needed to operate a system of national significance, or is itself a system of national significance (paragraph (a)), and • the Secretary believes on reasonable grounds that the relevant entity for the system of national significance is technically capable of preparing periodic reports consisting of information that relates to the operation of the computer, may assist with determining whether a power under the SOCI Act should be exercised in relation to the system of national significance, and is not 'personal information' within the meaning given by the Privacy Act (paragraph (b)). 463. The use of 'technically capable' ensures that the Secretary can only issue a notice under section 30DB to an entity that is in a position, from a technical perspective, to fulfil the requirements set out subsection 30DB(2). 
The consultation requirements in section 30DD will be important in determining the technical capability of an entity.

Subsections 30DB(2)-(4)--Requirement

464. Under subsection (2), the Secretary may, by written notice given to the entity, require the entity to:
• prepare periodic reports that consist of any of the information referred to in paragraph 30DB(1)(b) relating to the regular intervals that are specified in the notice (paragraph (a));
• prepare those periodic reports in the manner and form specified in the notice, and in accordance with the information technology requirements specified in the notice (paragraph (b)) (for example, relating to formatting to allow the system of national significance to generate computer data and the Government's system to ingest that data, without human intervention); and
• give each periodic report to the ASD within the period specified in the notice relating to the periodic report (paragraph (c)).

465. Subsection (3) provides that a notice given by the Secretary under subsection (2) is to be known as a 'system information periodic reporting notice' for the purposes of the SOCI Act.

466. Subsection (4) specifies criteria that the Secretary must have regard to before issuing a notice under subsection (1). The criteria are:
• the costs that are likely to be incurred by the entity in complying with the notice (paragraph (a)); and
• the reasonableness and proportionality of the requirement in the notice (paragraph (b)); and
• such other matters (if any) as the Secretary considers relevant (paragraph (c)).

467. Subsection (4) ensures that a reporting notice is proportionate and reasonable--balancing the beneficial outcome of the notice with the likely impact and costs to the affected entity when complying with the notice. To support this consideration as well as the determination of whether the entity is technically capable of providing the report, section 30DD mandates that the Secretary must consult with the entity prior to issuing the notice.

468. The regularity of the intervals at which the reports must be provided will be determined in consultation with the entity and, noting the requirement for the Secretary to have regard to the costs of compliance, will consider the level of computer automation that would support the request. For example, a computer may be able to generate the report with minimal resource impact at a high frequency (for example, every minute).
Ultimately this assessment will be dependent upon the nature of the request, the type of information being sought and the purpose for which it is being sought.

469. See also the information concerning the exclusion of merits review in relation to the Secretary's decision under subsection 30DB(1) as outlined in relation to section 30CB above (from paragraph 338).

Subsection 30DB(5)--Matters to be set out in notice

470. Subsection (5) provides that a system information periodic reporting notice must set out the effect of section 30DF, which relevantly requires that an entity must comply with a system information periodic reporting notice (see further below).

Subsection 30DB(6)--Other powers not limited

471. Subsection (6) clarifies that new section 30DB does not, by implication, limit a power conferred by another provision of the SOCI Act. This ensures that the other powers in the SOCI Act, such as the Secretary's information gathering powers at existing section 37 of the Act, are not taken to be limited as a result of the insertion of section 30DB.

Section 30DC Secretary may require event-based reporting of system information

472. New section 30DC of the SOCI Act provides that the Secretary may require an entity who is the relevant entity for a system of national significance to provide reporting of system information if a specified event occurs.

473. This will provide Government with visibility of system information as soon as practicable each time a specified event occurs ('a system information event-based reporting notice'). For example, a report may be required every time a particular computer program raises a specified class of alert or error message.

Subsection 30DC(1)--Scope

474. Subsection (1) provides that section 30DC applies if all of the following apply:
• a computer is needed to operate a system of national significance, or is itself a system of national significance (paragraph (a)); and
• the Secretary believes on reasonable grounds that the relevant entity for the system of national significance is technically capable of preparing reports each time a particular type of event occurs (paragraph (b)); and
• those reports consist of information that relates to the operation of the computer, may assist with determining whether a power under the SOCI Act should be exercised in relation to the system of national significance, and is not 'personal information' (within the meaning given by the Privacy Act 1988) (subparagraphs (b)(i)-(iii)).

475. The reference to 'technically capable' in paragraph (b) ensures that the Secretary can only issue a notice under section 30DC to an entity that is in a position, from a technical perspective, to fulfil the requirements set out in subsection 30DC(2).
Subsections 30DC(2)-(4)--Requirement

476. Under subsection (2), the Secretary may, by written notice given to the entity, require the entity to do each of the following each time an event of a specified kind occurs:
• prepare a report that consists of any such information (paragraph (a));
• prepare a report in the manner and form specified in the notice, and in accordance with the information technology requirements specified in the notice (paragraph (b)); and
• give the report to ASD as soon as practicable after the event occurs (paragraph (c)).

477. Subsection (3) provides that a notice given by the Secretary under subsection (2) is a 'system information event-based reporting notice' for the purposes of the SOCI Act.

478. Subsection (4) specifies criteria that the Secretary must have regard to before issuing a notice under subsection (1). The criteria are:
• the costs that are likely to be incurred by the entity in complying with the notice (paragraph (a)); and
• the reasonableness and proportionality of the requirement in the notice (paragraph (b)); and
• such other matters (if any) as the Secretary considers relevant (paragraph (c)).

479. Subsection (4) ensures that a notice is proportionate and reasonable--balancing the beneficial outcome of the notice with the likely impact and costs to the affected entity when complying with the notice. To support this consideration, as well as the determination of whether the entity is technically capable of providing the report, section 30DD also requires that the Secretary consult with the entity prior to issuing the notice.

480. See also the information concerning the exclusion of merits review in relation to the Secretary's decision under subsection 30DC(2) as outlined in relation to section 30CB above (from paragraph 338).

Subsection 30DC(5)--Matters to be set out in notice

481. Subsection (5) provides that a system information event-based reporting notice must set out the effect of section 30DF, which relevantly requires that an entity must comply with a system information event-based reporting notice (see further below).
Subsection 30DC(6)--Other powers not limited

482. Subsection (6) clarifies that section 30DC does not, by implication, limit a power conferred by another provision of the SOCI Act. This ensures that the other powers in the SOCI Act, such as the Secretary's information gathering powers at existing section 37 of the Act, are not taken to be limited as a result of this power.

Section 30DD Consultation

483. New section 30DD of the SOCI Act provides that, before giving either a system information periodic reporting notice under subsection 30DB(2) or a system information event-based reporting notice under subsection 30DC(2), the Secretary must consult the relevant entity and, if a different entity, the responsible entity for the system of national significance. The Secretary must have regard to any information provided during consultation in deciding whether to give a notice.

484. This consultation requirement has been included to assist the Secretary in determining whether the relevant entity is technically capable of providing a report, considering the costs associated with complying with a notice and ensuring that compliance with the request will not impose any unnecessary burden on the relevant entity.

485. For example, this consultation process may reveal that a system information periodic reporting notice would not be effective, as it would generate significant duplication in reporting, which imposes unnecessary cost on industry and is of limited value to Government. Instead, the consultation may reveal that the system is capable of reporting when the particular information becomes available. Therefore a system information event-based reporting notice may be more appropriate to achieve the desired result with less impost on the entity.

486. Consultation will also ensure that the entity with broader and overarching responsibility for the asset has an opportunity to comment on the appropriateness of the notice.
Section 30DE Duration of system information periodic reporting notice or system information event-based reporting notice

487. New section 30DE of the SOCI Act sets out the timeframe for which a system information periodic reporting notice, given under section 30DB, or a system information event-based reporting notice, given under section 30DC, is in force.

488. Under subsection (1), a system information periodic reporting notice or a system information event-based reporting notice comes into force when it is given, or at a later time specified in the notice (paragraph (a)). This means that neither notice can have a retrospective effect. Paragraph (b) provides that the notice remains in force for the time specified in the notice but, under subsection (2), the period specified in the notice cannot be longer than 12 months.

489. Subsection (3) provides that, if a system information periodic reporting notice is in force, the SOCI Act does not prevent the Secretary from giving a fresh system information periodic reporting notice under section 30DB that is in the same, or substantially the same, terms as the original notice and that comes into force immediately after the expiry of the original notice.

490. Subsection (4) is drafted in substantially similar terms relating to a system information event-based reporting notice given under section 30DC. Although the Government intends to maintain a continuous dialogue with the entity, including two-way information sharing of intelligence relating to the system of national significance, this safeguard will ensure a statutorily required consultation period under section 30DD occurs every 12 months.

Section 30DF Compliance with system information periodic reporting notice or system information event-based reporting notice

491. New section 30DF of the SOCI Act provides that an entity must comply with a system information periodic reporting notice or a system information event-based reporting notice to the extent that the entity is capable of doing so.

492. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure entities comply with their periodic or event-based reporting obligation. This penalty is commensurate with the penalty for non-compliance with an obligation on aviation and maritime industry participants to comply with reporting obligations under ATSA and MTOFSA. The penalty reflects the importance of enabling Government to build a near-real time threat picture in order to target its capabilities to those threats and vulnerabilities of greatest consequence to Australia.

Section 30DG Self-incrimination etc.

493. New section 30DG of the SOCI Act provides that:
• an entity is not excused from giving a report under sections 30DB or 30DC on the ground that the report may incriminate the entity (subsection (1)), and
• if an individual would ordinarily be able to claim the privilege against self-exposure to a penalty in relation to giving a report under sections 30DB or 30DC, the individual is not excused from giving a report under that section on that ground (subsection (2)).

494. A note to subsection (2) indicates that a body corporate is not entitled to claim the privilege against self-exposure to penalty.

495. These obligations are focused on building enhanced partnerships with industry and greater, and joint, situational awareness. ASD will use this information to develop and maintain a near-real time threat picture, positioning it to identify threats early and provide actionable advice to industry to prevent and mitigate threats as they emerge.

496. The purpose of section 30DG is to ensure that entities provide appropriate reporting to the Secretary so that Part 2C of the Act operates effectively. Without the provision of system information, the Department and the ASD may be unable to effectively implement the requirements of enhanced cyber security obligations that relate to systems of national significance.

497. It should also be noted that in most circumstances, the entity providing the relevant information under sections 30DB and 30DC will not be an individual, but rather will be a body corporate. The note to section 30DG notes that a body corporate is not entitled to claim the privilege against self-exposure to a penalty.

498. Section 30DG is subject to section 30DH, as explained below.

Section 30DH Admissibility of report etc.

499. New section 30DH of the SOCI Act limits how a report under sections 30DB or 30DC can be admitted into evidence. Under this section, if a report is given under those sections, the report or the giving of the report is not admissible in evidence against an entity:
• in criminal proceedings other than proceedings for an offence against section 137.2 of the Criminal Code that relates to the SOCI Act (paragraph (c)). Section 137.2 of the Criminal Code makes it an offence for a person to provide a false or misleading document to another person in compliance with a requirement under Commonwealth law (such as under section 30DF), or
• in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 30DF of the SOCI Act (paragraph (d)).

500. This provision is important to encourage open and accurate reporting of system information, noting the importance of information sharing between industry and Government.
Importantly, the new section 30DG also aims to ensure that the report is not used against the individual as evidence. This position reflects that this information is not being sought for a compliance purpose, but rather to uplift cyber security and protect critical infrastructure.

501. Section 30DH constitutes a 'use' immunity in relation to the provisions of section 30DG. The overall purpose of this provision is to provide an immunity for an entity in the actions it undertakes to comply with new Part 2C of the Bill.

502. Section 30DH appropriately limits the effect of section 30DG to an offence against section 137.2 of the Criminal Code that relates to the SOCI Act, or to civil proceedings for recovery of a penalty in relation to contravention of section 30DF.

503. Section 30DH balances the impact of new section 30DG to ensure that the information provided is not used against an individual as evidence except where appropriate. This position reflects that this information is not being sought for a compliance purpose but rather to uplift cyber security and protect critical infrastructure.

504. The overall purpose of this provision is to provide an immunity for an entity in the actions it takes to provide information to comply with new sections 30DB and 30DC of the SOCI Act.

Subdivision B--System information software

Section 30DJ Secretary may require installation of system information software

505. New section 30DJ of the SOCI Act provides that the Secretary may require a relevant entity for a system of national significance to install and maintain a specified computer program in limited circumstances. This is a provision of last resort, with the strong preference of Government being for the entity to provide information under a system information notice (Subdivision A) using its own capabilities to minimise any imposition on the system. Nonetheless, it is important that the Government can have oversight of cyber security risks where an entity lacks the capacity to provide system information (for example, where it would require a costly reform to their system). This provision enables the Government to provide the entity with the capability necessary to enable the sharing of system information.

506. The software that could be provided by the Government to the entity includes things like a host-based sensor that enables reporting of telemetry information used to monitor systems and networks for malicious behaviour. The functioning of any software will be strictly limited to the acquisition and provision of specified information to the ASD.

507. It should be noted that the ASD does not perform a regulatory or compliance role under the SOCI Act.
System information and telemetry will be used by the ASD to inform an enhanced cyber threat picture and develop appropriate mitigations and advice for the entity.

Subsection 30DJ(1)--Scope

508. Subsection (1) provides that section 30DJ applies if all of the following apply:
• a computer is needed to operate a system of national significance, or is itself the system of national significance (paragraph (a));
• the Secretary believes on reasonable grounds that the relevant entity for the system would not be technically capable of preparing reports under sections 30DB or 30DC (paragraph (b)); and
• the reports consist of information that relates to the operation of the computer, may assist with determining whether a power under the SOCI Act should be exercised in relation to the system, and is not 'personal information' within the meaning given by the Privacy Act (subparagraphs (b)(i)-(iii)).

509. The requirement for the Secretary to believe on reasonable grounds that the relevant entity for the system would not be technically capable of providing the information is intended to ensure that this power is only used as a last resort. If the entity is able to comply with a notice given under sections 30DB or 30DC, those options will be utilised. The consultation requirements in section 30DK will be important in determining the technical capability of an entity and informing the decision as to which option is to be pursued.

Subsections 30DJ(2)-(5)--Requirement

510. Under subsection (2) the Secretary may, by written notice given to the entity captured by subsection (1), require the entity to:
• install a specified computer program on the computer within the period specified in the notice (paragraph (a)),
• maintain the computer program once installed (paragraph (b)), and
• take all reasonable steps to ensure that the computer is continuously supplied with an internet carriage service that enables the computer program to function (paragraph (c)).

511. Subsection (3) provides that a notice given by the Secretary under subsection (2) is to be known as a 'system information software notice'.

512. Subsection (4) specifies criteria that the Secretary must have regard to before issuing a notice under subsection (1). The criteria are:
• the costs that are likely to be incurred by the entity in complying with the notice (paragraph (a)); and
• the reasonableness and proportionality of the requirement in the notice (paragraph (b)); and
• such other matters (if any) as the Secretary considers relevant (paragraph (c)).

513. Subsection (4) ensures that a notice is proportionate and reasonable--balancing the beneficial outcome of the notice with the likely impact and costs to the affected entity when complying with the notice. To support this consideration, as well as the determination of whether the entity is technically capable of providing the report under a notice issued under sections 30DB or 30DC, section 30DK mandates that the Secretary of Home Affairs must consult with the entity prior to issuing the notice.
514. Subsection (5) sets out requirements for computer programs that may be specified in a system information software notice under subsection (2). Under this provision, a computer program may only be specified if the purpose of the computer program is to collect and record information that:
• relates to the operation of the computer, and
• may assist with determining whether a power under the SOCI Act should be exercised in relation to the system of national significance, and
• is not personal information within the meaning given by the Privacy Act (paragraph (a)), and
• is transmitted electronically by the computer program to ASD (paragraph (b)).

515. This provision ensures that the program is strictly limited to the provision of the specified system information. The program will not enable broader access to the system or the altering of any data on that system. Rather, the program will only provide basic technical capability for the entity to undertake actions that may be required in response to a notice issued under section 30DB or 30DC.

516. The computer program will be provided by the Government and will, for example, operate as a host-based sensor, reporting system information back to the ASD to facilitate monitoring of the system and network for malicious behaviour.

517. See also the information concerning the exclusion of merits review in relation to the Secretary's decision under subsection 30DJ(2) as outlined in relation to section 30CB above (from paragraph 338).

Subsection 30DJ(6)--Matters to be set out in notice

518. Subsection (6) requires that a system information software notice given by the Secretary under subsection (2) must set out the effect of section 30DM, which provides that an entity must comply with a system information software notice to the extent that the entity is capable of doing so (see further below).

Subsection 30DJ(7)--Other powers not limited

519. Subsection (7) clarifies that section 30DJ does not, by implication, limit a power conferred by another provision of the SOCI Act. This ensures that the other powers in the SOCI Act, such as the Secretary's information gathering powers at existing section 37 of the Act, are not taken to be limited as a result of this power.

Section 30DK Consultation

520. New section 30DK of the SOCI Act requires the Secretary to consult with a relevant entity, and if different, the responsible entity, before giving a system information software notice to the relevant entity. As part of this consultation process, the Secretary may consider whether the entity is technically capable of providing a report under sections 30DB or 30DC, as well as the costs associated with their compliance. This further highlights that a system information software notice is a power of last resort, with the entity able to indicate that it is not necessary if they can provide the required information without having external software installed on their systems.

521. Consultation with the responsible entity will also ensure that the entity with broader and overarching responsibility for the asset has an opportunity to comment on the appropriateness of the notice.

Section 30DL Duration of systems information notice

522. New section 30DL of the SOCI Act sets out the timeframe in which a system information software notice under section 30DJ is in force.

523. Under subsection (1), a system information software notice comes into force when it is given, or at a later time if specified in the notice (paragraph (a)). This means that the notice cannot have a retrospective effect. Under paragraph (b) the notice remains in force for the time specified in the notice but, under subsection (2), the period specified in the notice cannot be longer than 12 months.

524. Subsection (3) provides that, if a system information software notice is in force, the SOCI Act does not prevent the Secretary from giving a fresh system information software notice under section 30DJ that is in the same, or substantially the same, terms as the original notice and comes into force immediately after the expiry of the original notice.

525. Although the Government intends to maintain a continuous dialogue with the entity, including two-way information sharing of intelligence relating to the system of national significance, this safeguard will ensure a statutorily required consultation period under section 30DK occurs every 12 months.
Section 30DM Compliance with system information software notice

526. New section 30DM of the SOCI Act provides that an entity must comply with a system information software notice to the extent that the entity is capable of doing so. Breach of this requirement is subject to a civil penalty of up to 200 penalty units.

527. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance with a notice to install system information software. This penalty is commensurate with the penalty for non-compliance with an obligation on aviation and maritime industry participants to comply with directions under ATSA and MTOFSA. The penalty reflects the importance of enabling Government to build a near-real time threat picture in order to target its capabilities to those threats and vulnerabilities of greatest consequence to Australia.

Section 30DN Self-incrimination etc.

528. New section 30DN of the SOCI Act provides that:
• an entity is not excused from complying with a system information software notice given to the entity under section 30DJ on the ground that complying with the notice might tend to incriminate the entity (subsection (1)), and
• if an individual would ordinarily be able to claim the privilege against self-exposure to a penalty in relation to complying with a system information software notice, the individual is not excused from giving a report under that section on that ground (subsection (2)).

529. A note to subsection (2) indicates that a body corporate is not entitled to claim the privilege against self-exposure to penalty, noting the protections provided by section 30DP (outlined below).

530. Entities should not be excused from self-incrimination, noting that the purpose of section 30DJ is to ensure Government can actively work with entities that are responsible for assets that are of the highest importance and criticality to Australia's national interest. The information that is provided in this report may be crucial to protecting assets from an imminent attack that could have cascading impacts throughout the economy or undermine Australia's defence and national security.

531. This provision, together with section 30DP below, highlights that the information being provided by software installed on an entity's system under this Subdivision is not intended to be used for a compliance purpose. For example, the information provided by the software cannot be used in evidence to demonstrate non-compliance with the critical infrastructure risk management program at Part 2A. Rather these obligations are focused on building enhanced partnerships with industry and greater situational awareness. The ASD will use this information to develop and maintain a near-real time threat picture, positioning it to identify threats early and provide actionable advice to industry to prevent or mitigate threats as they emerge.

532. The purpose of section 30DN is to ensure that entities provide appropriate information to the Secretary so that Part 2C of the Act operates effectively. Without the provision of system information, the Department and the ASD may be unable to effectively implement the requirements of enhanced cyber security obligations that relate to systems of national significance.

533. It should also be noted that in most circumstances, the entity providing the relevant information under the notice will not be an individual, but rather will be a body corporate. The note to section 30DN notes that a body corporate is not entitled to claim the privilege against self-exposure to a penalty.

534. Section 30DN is subject to section 30DP, as explained below.
Section 30DP Admissibility of information etc.

535. New section 30DP of the SOCI Act limits how information transmitted to the ASD as a result of the operation of a computer program under a system information software notice can be admitted into evidence. Under this section, such information is not admissible in evidence against an entity in criminal proceedings (paragraph (c)) or in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 30DM (paragraph (d)).

536. This provision is important to encourage open and accurate reporting, noting the importance of the information being provided; however, it equally balances the impact of new section 30DN to ensure that the information provided is not used against the individual as evidence. This position reflects that this information is not being sought for a compliance purpose but rather to uplift cyber security and protect critical infrastructure.

537. Section 30DP constitutes a 'use' immunity in relation to the provisions of section 30DN. The overall purpose of this provision is to provide an immunity for an entity in the actions it undertakes to comply with new Part 2C of the Bill.

538. Section 30DP appropriately excludes the use of this information in criminal proceedings, and limits use in civil proceedings to proceedings for recovery of a penalty in relation to a contravention of section 30DM.

539. Section 30DP balances the impact of new section 30DN to ensure that the information provided is not used against an individual as evidence except where appropriate. This position reflects that this information is not being sought for a compliance purpose but rather to uplift cyber security and protect critical infrastructure.

540. The overall purpose of this provision is to provide an immunity for an entity in the actions it takes to provide information to comply with new section 30DJ of the SOCI Act.

Division 6--Designated officers

Section 30DQ Designated officer

541. New section 30DQ of the SOCI Act provides that a 'designated officer' is an individual appointed by the Secretary, in writing, to be a designated officer for the purposes of the SOCI Act (subsection (1)).

542. Under subsection (2), the Secretary cannot appoint an individual to be a 'designated officer' unless they are an APS employee in the Department (see subsection (6)) or, with the agreement of the Director-General of ASD, a staff member of ASD (within the meaning given by the Intelligence Services Act) (see subsection (7)). This is intended to limit those that can be designated officers to persons with appropriate technical expertise, or administrative or regulatory officers within the Department of Home Affairs.
543. Subsection (3) provides that the Secretary may, in writing, declare that each Departmental employee included in a class of Departmental employees specified in the declaration is a 'designated officer'. Subsection (4) is drafted in substantially similar terms but allows for a declaration in respect of ASD staff members. Under subsection (5), the Secretary must not make a declaration under subsection (4) unless the Director-General of ASD has agreed to the declaration.

544. Subsection (8) indicates that a declaration under section 30DQ is not a legislative instrument. Under section 6 of the Legislation Act, an instrument is not a legislative instrument if an Act declares it not to be.

Item 59 After section 35

545. Item 59 of Schedule 1 to the Bill inserts new section 35AAA into Part 3 of the SOCI Act.

Section 35AAA Directions prevail over inconsistent critical infrastructure risk management programs

546. New section 35AAA of the SOCI Act provides that, if a critical infrastructure risk management program is applicable to a critical infrastructure asset, the program has no effect to the extent to which it is inconsistent with a direction given by the Minister under subsection 32(2). This provision clarifies that a direction under subsection 32(2) takes precedence over any obligation that a responsible entity for a critical infrastructure asset may have in relation to its critical infrastructure risk management program--in particular to comply with the program under section 30AD of the SOCI Act (see item 49 of Schedule 1 to the Bill above).

547. A direction made under section 32 will only occur in the most serious circumstances when other mitigation methods to address the risk to security have proved ineffective. With the insertion of obligations relating to critical infrastructure risk management programs into the SOCI Act, this provision will make clear that section 32 directions are matters of last resort and will override any mitigation measures that the entity may have determined to be appropriate under their critical infrastructure risk management program.

Item 60 At the end of section 35AAB

548. Item 60 of Schedule 1 to the Bill inserts additional subsections (3) and (4) into section 35AAB of the SOCI Act to expand the scope of civil immunities under the SOCI Act for responsible entities when complying with a direction under subsection 32(2). Subsections 35AAB(3) and (4) expand the scope of the immunities to officers, employees and agents of a:
• related company group, and
• contract service provider.


549. These provisions are being inserted to adopt recommendation 7 and paragraph 3.49 of the PJCIS report, insofar as paragraph 3.49 recommends that the breadth of immunities afforded to entities under the SOCI Act be reconsidered and expanded to include these individuals. Subsection 35AAB(3) - Civil liability for a member of a related company group 550. Subsection (3) provides that if an entity is or was subject to a direction under subsection 32(2) and the entity is or was a member of a related company group (see item 22, above), then another member of the related company group is not liable to an action for compensation for acts or omissions done in good faith to comply with the direction. Furthermore, an officer, employee or agent of another member of the related company group is not liable to an action for compensation for acts or omissions done in good faith to comply with the direction. Subsection 35AAB(4) - Civil liability for a contracted service provider 551. Subsection (4) provides that if an entity (the first entity) is or was subject to a written direction under subsection 32(2) and another entity (the contracted service provider) is or was: • a party to a contract with the first entity, and • responsible under the contract to provide services to the first entity, then the contracted service provider is not liable to an action for compensation relating to acts or omissions done in good faith to facilitate the first entity complying with the direction. Furthermore, an officer, employee or agent of another member of the contracted service provider is not liable to an action for compensation for acts or omissions done in good faith to facilitate the first entity complying with the direction. 552. Submissions to the PJCIS in conducting their enquiry into the 2020 Amendment Bill highlighted concern with the SOCI Act immunity regime. 
The Law Council of Australia suggested it did not go far enough to protect officers, employees and agents of separate but related entities who engage in conduct for the purpose of compliance with obligations on the primary entity. Furthermore, the immunities did not protect persons (natural or legal) engaged to provide services or advice to the primary entity on a contractual basis. The purpose of these amendments is to address the feedback of stakeholders by expanding the protections of the immunity regime in the SOCI Act to these additional classes of entities. This will ensure that, in the event a written direction under subsection 32(2) is issued to a responsible entity, all associated parties within the corporate structure feel confident to execute their obligations. Item 61 After section 35AT 553. Item 61 of Schedule 1 to the Bill inserts new section 35AU into Part 3A of the SOCI Act. 105


Section 35AU Directions prevail over inconsistent critical infrastructure risk management programs 554. New section 35AU of the SOCI Act provides that an entity's critical infrastructure risk management program has no effect to the extent that it is inconsistent with a direction given to the entity under section 35AQ. The purpose of this new section is to provide clarity and assurance to a responsible entity in circumstances where an action direction may conflict with their existing obligations under section 30AC of the Act. Item 62 At the end of section 35AW 555. Item 62 of Schedule 1 to the Bill inserts additional subsections (3) and (4) to section 35AW of the SOCI Act to expand the scope of civil immunities under the SOCI Act for responsible entities when complying with a direction under section 35AQ. The new subsections expand the scope of the immunities to officers, employees and agents of a: • related company group, and • contract service provider. 556. These provisions are being inserted to adopt recommendation 7 and paragraph 3.49 of the PJCIS report, insofar as paragraph 3.49 recommends that the breadth of immunities afforded to entities under the SOCI Act be reconsidered and expanded to include these individuals. Subsection 35AW(3) - Civil liability for a member of a related company group 557. Subsection (3) provides that if an entity is or was subject to a direction under section 35AQ and the entity is or was a member of a related company group (see item 22, above), then another member of the related company group is not liable to an action for compensation for acts or omissions done in good faith to comply with the direction. Furthermore, an officer, employee or agent of another member of the related company group is not liable to an action for compensation for acts or omissions done in good faith to comply with the direction. Subsection 35AW(4) - Civil liability for a contracted service provider 558. 
Subsection (4) provides that if an entity (the first entity) is or was subject to a direction under section 35AQ and another entity (the contracted service provider) is or was: • a party to a contract with the first entity, and • responsible under the contract to provide services to the first entity, then the contracted service provider is not liable to an action for compensation relating to acts or omissions done in good faith to facilitate the first entity complying with the direction. Furthermore, an officer, employee or agent of another member of the contracted service 106


provider is not liable to an action for compensation for acts or omissions done in good faith to facilitate the first entity complying with the direction 559. Submissions to the PJCIS in conducting their enquiry into the 2020 Amendment Bill highlighted concern with the SOCI Act immunity regime. The Law Council of Australia suggested it did not go far enough to protect officers, employees and agents of separate but related entities who engage in conduct for the purpose of compliance with obligations on the primary entity. Furthermore, the immunities did not protect persons (natural or legal) engaged to provide services or advice to the primary entity on a contractual basis. The purpose of these amendments is to address the feedback of stakeholders by expanding the protections of the immunity regime in the SOCI Act to these additional classes of entities. This will ensure that in the event a direction under section 35AQ is issued to a responsible entity, all associated parties within the corporate structure feel confident to execute their obligations. Item 63 At the end of section 35BB 560. Item 63 of Schedule 1 to the Bill inserts additional subsections (6) and (7) to section 35BB of the SOCI Act to expand the scope of civil immunities under the SOCI Act for responsible entities when assisting an authorised agency under section 35BB to comply with an intervention request (section 35AX). The new subsections expand the scope of the immunities to officers, employees and agents of a: • related company group, and • contract service provider. 561. These provisions are being inserted to adopt recommendation 7 and paragraph 3.49 of the PJCIS report, insofar as paragraph 3.49 recommends that the breadth of immunities afforded to entities under the SOCI Act be reconsidered and expanded to include these individuals. Subsection 35BB(6) - Civil liability for a member of a related company group 562. 
Subsection (6) provides that if an entity is or was subject to an intervention request under section 35AX and the entity is or was a member of a related company group (see item 22, above), then another member of the related company group is not liable to an action for compensation for acts or omissions done in good faith to comply with the direction. Furthermore, an officer, employee or agent of another member of the related company group is not liable to an action for compensation for acts or omissions done in good faith to comply with the direction. 107


Subsection 35BB(7) - Civil liability for a contracted service provider 563. Subsection (7) provides that if an entity (the first entity) is or was subject to a direction under subsection 35AQ and another entity (the contracted service provider) is or was: • a party to a contract with the first entity, and • responsible under the contract to provide services to the first entity. 564. Then the contracted service provider is not liable to an action for compensation relating to acts or omissions done in good faith to facilitate the first entity complying with the direction. Furthermore, an officer, employee or agent of another member of the contracted service provider is not liable to an action for compensation for acts or omissions done in good faith to facilitate the first entity complying with the direction. 565. Item 62 (above) outlines the purpose for expanding the civil immunities in the SOCI Act to include contracted service providers and related company groups, as well as officers, employees and agents within those corporate structures. This purpose is essentially the same for item 63. Items 64-69 Amendments to Division 3 of Part 4 of the SOCI Act 566. Items 64-69 of Schedule 1 to the Bill make amendments to the protected information regime outlined in Division 3 of Part 4 of the SOCI Act. Section 45 of the SOCI Act provides that an entity commits an offence if, in essence, the entity makes a record of, discloses or otherwise uses protected information unless the recording etc. of the information is captured by an exclusion listed in section 46, or is authorised under Subdivision A (sections 41-44). 567. Recommendation 7 and paragraph 3.49 of the PJCIS report outlined that the protected information provisions of the SOCI Act in Division 3 of Part 4 should be amended to enable the appropriate and lawful exchange of information among oversight and compliance assurance bodies. The amendments in items 64-69 have been prepared to adopt this part of recommendation 7. 
Item 64 After section 42 568. Item 64 of Schedule 1 to the Bill inserts a new section 42A to the SOCI Act, which will be a new provision for authorised recording, use or disclosure of protected information under the Act. 569. Section 42A provides that the Secretary may disclose, make a record of or disclose protected information for the purpose of developing or assessing: • proposed amendments to the SOCI Act; • proposed rules under the SOCI Act; or 108


• proposed amendments to rules under the SOCI Act. 570. This provision is required to supplement the extant authorisations in sections 41 and 42, so that the Secretary (or his delegate) can share protected information with other government agencies, contracted services providers and responsible entities for critical infrastructure assets for the purpose of developing future amendments to the Bill, or in the development of rules under the various rule-making powers under the SOCI Act. As both sections 41 and 42 are both linked to the exercise of powers under the SOCI Act and do not capture circumstances where protected information may need to be shared but the purpose for the sharing of the information is not linked to the exercise of powers under the SOCI Act, but is a related purpose. 571. As new section 42A is contained in Subdivision A, any entity who receives protected information from the Secretary under this section is authorised to collect, record or otherwise use that protected information for the purpose for which it was disclosed to them under section 44 of the SOCI Act. This, for example, could authorise secondary disclosure to information technology officers or financial officers of contracted services providers as required to assist in the development of amendments to the Act or Rules, or making of new rules. This could also authorise secondary disclosure from a State Government Department to the State Premier or Cabinet for the same purpose. Item 65 After section 43 572. Item 65 of Schedule 1 to the Bill inserts a new section 43AA to the SOCI Act, which will be a new provision for authorised recording, use or disclosure of protected information under the Act. 573. Paragraph (a) provides that the Secretary may disclose protected information to an Ombudsman official for the purposes of exercising powers, or performing duties or functions, as an Ombudsman official. 
Paragraph (b) provides that the Secretary make a record of or use protected information for the purpose of disclosure under paragraph (a). 574. New section 43AA operates in conjunction with the new exemption relating to disclosures of information to an Ombudsman official in new subsection 46(5) (see item 47A). 575. As new section 43AA is contained in Subdivision A, any entity who receives protected information from the Secretary under this section is authorised to collect, record or otherwise use that protected information for the purpose for which it was disclosed to them under section 44 of the SOCI Act. It is notable also that, under the Ombudsman Act 1976, Ombudsman officials may have separate legal bases for the use and disclosure of protected information, and any use or disclosure of information authorised by law is an exemption from the general offence provision in section 45 of the SOCI Act (see subsection 46(1)). Item 66 After section 43D 576. Item 66 of Schedule 1 to the Bill inserts new section 43E into Part 4 of the SOCI Act. 109


Section 43E Authorised disclosure of protected information by the entity to whom the information relates 577. New section 43E inserts entity new provision under which an entity is authorised to disclose protected information. Item 45 is intended to operate in conjunction with item 47 of the Bill, which omits paragraph 46(4)(b) of the SOCI Act. Paragraph 46(4)(b) was an exemption from the offence provision in section 45 which provided that an entity could, in any circumstances, disclose protected information that related to the entity. The issue being that entities that received information under paragraph 46(4)(b) would be captured by section 45 when making a record of, otherwise using or disclosing, that protected information. This caused a particular issue where a responsible entity needed or wanted to disclose protected information to a relevant State or Territory regulatory body. 578. Section 43E sets out three authorisations under which an entity can disclose protected information relating to the entity (i.e. protected information relating to itself). The benefit of changing this to an authorisation under Subdivision A is that the entity receiving the information will be authorised by section 44--meaning that information may be disclosed by responsible entities to their respective State or Territory agencies, and those agencies authorised to collect and use that information. This, for example, would authorise secondary disclosure from a State Government regulator to a State Department, Premier or Cabinet for the same purpose to which the information was originally disclosed to that regulator. Subsection 43E(1)--Disclosure to Commonwealth, State and Territory Ministers, Departments and agencies 579. 
Subsection (1) provides that an entity may disclose protected information relating to the entity for the purpose in paragraph (c) to: • a Minister of the Commonwealth (subparagraph (b)(i)) or a Minister of State or a Territory (subparagraph (b)(ii)) who has responsibility for the regulation or oversight of the relevant critical infrastructure sector to which the protected information relates; or • a person employed in the applicable ministerial office (subparagraph (b)(iii)); or • the head of the applicable government agency or an officer or employee of that agency (subparagraph (b)(iv)) 580. Paragraph (c) requires that the disclosure may only be made for the purposes of enabling or assisting a person mentioned in paragraph (b) to exercise the person's powers or perform the person's functions or duties. 110


Subsection 43E(2)--Disclosure of certain protected information with consent from the Secretary 581. Subsection (2) provides that an entity may also disclose protected information relating to the entity if: • the protected information is in a class of particularly sensitive protected information described in subparagraphs (b)(i)-(ii); • the Secretary has consented to the disclosure (subparagraph (b)(iii)); and • if the Secretary has placed any conditions on disclosure, those conditions are satisfied prior to or in making the disclosure (subparagraph (b)(iv). 582. The class of information described in subparagraphs (b)(i) and (ii) is: • the information referred to in paragraphs (b) to (bl) of the definition of 'protected information' in section 5 of the SOCI Act (subparagraph (i)). This is primarily information contained in documents about systems of national significance and the positive security obligations, the disclosure of which may include sensitive and inherently harmful information as defined by the Criminal Code; and • the information referred to in paragraph (c) of the definition so far as it relates to paragraphs (b) to (bl), being information that has been obtained under Division 3 of Part 4 or section 46 of the SOCI Act (subparagraph (ii)). 583. Given the highly sensitive nature of protected information, the disclosure of which may include sensitive and inherently harmful information as defined by the Criminal Code and the potential for harm to Australia's national interest if this information was disclosed without consent, it is necessary to obtain the Secretary's consent to the disclosure of this information. Subsection 43E(2) is intended to provide an entity with flexibility to seek the Secretary's consent to disclosure protected information as business requirements and reasons for disclosure may arise that are not otherwise contemplated in the SOCI Act. 584. 
Subsection 43E(2) is not intended to limit the application of the authorisation under section 41 so far as that authorisation permits the disclosure of, making a record of or otherwise using protected information for the purpose of exercising powers, or performing functions or duties, under the SOCI Act (paragraph 41(a)) or otherwise ensuring compliance with a provision of the SOCI Act (paragraph 41(b)). Section 41 enables an entity, for example, the disclosure of protected information to a legal practitioner to seek legal advice on whether it is compliant with its legal obligations. 585. The disclosure of other information that is obtained by a person in the course of exercising powers, or performing duties or functions, under the SOCI Act (paragraph (a) of the definition of 'protected information') does not require the Secretary's consent, and is authorised under subsection (3). 111


Subsection 43E(3)--Disclosure of other protected information 586. Subsection (3) authorises the disclosure of protected information captured by paragraph (a) of the definition. This authorisation provides that an entity can disclose such protected information if the information does not fall within the class specified in subparagraphs (2)(b)(i) and (ii). 587. The entity will not require the consent of the Secretary to disclose such protected information under subsection 43E(3). Item 67 Subsection 46(2) 588. Item 67 of Schedule 1 to the Bill inserts "or of the fact that an asset is declared under section 52B to be a system of national significance" at the end of subsection 46(2) of the SOCI Act. 589. Section 46 provides that the offence in section 45 does not apply if required or authorised by certain laws. Subsection 46(2) provides that for the purposes of subsection (1), the Corporations Act (except a provision of that Act prescribed by the rules) or a law, or a provision of a law, of the Commonwealth prescribed by the rules, are taken not to require or authorise the making of a record, or the disclosure, of the fact that an asset is declared under section 51 to be a critical infrastructure asset. 590. Item 67 of Schedule 1 to the Bill amends subsection 46(2) to add that an asset declared under section 52B to be a system of national significance as a further caveat to the section 46 exception. This reflects that, similarly to declarations made under section 51, the fact that an asset is a system of national significance may pose risks to the security of the asset. Item 68 Paragraph 46(4)(b) 591. Item 68 of Schedule 1 to the Bill repeals paragraph 46(4)(b) of the SOCI Act. This provision is no longer required as it has been replaced by an authorisation in new section 43E (see from paragraph 577). Item 69 After subsection 46(4) (before the note) 592. Item 69 inserts new subsection (5) in section 46 of the SOCI Act. 593. 
Subsection 46(5) provides an exception to the offence in section 45 of the SOCI Act for unlawful disclosure of protected information. This exception will apply to an entity to the extent it discloses protected information to an Ombudsman official for the purposes of exercising powers, or performing duties or functions, as an Ombudsman official. 594. The purpose of subsection 46(5) is to implement the relevant part of Recommendation 7 in paragraph 3.49 of the PJCIS report, which was to 'ensure that 112


protected information provisions enable the appropriate and lawful exchange of information among oversight and compliance assurance bodies'. 595. Item 69 operates in conjunction with item 44B (as explained above). Item 70 After paragraph 51(2A)(a) 596. Item 70 of Schedule 1 to the Bill inserts new paragraph (b), which allows for a declaration that the Part 2A risk management program requirements apply to a privately declared asset. Under section 51, the Minister may, in writing, privately declare an asset to be a critical infrastructure asset if the asset is not otherwise a critical infrastructure and meets the thresholds set out in the section. 597. This amendment was made to ensure that, when making a declaration in relation to a privately declared asset, the Minister can require compliance with a risk management program under new Part 2A of the SOCI Act. Item 71 After Part 6 598. Item 71 of Schedule 1 to the Bill inserts new Part 6A into the SOCI Act, concerning the declaration of systems of national significance. Part 6A--Declarations of systems of national significance by the Minister 599. The critical infrastructure threat environment is worsening, in part, due to an ever- increasing reliance on technology, and increasing interoperability and interdependency between Australia's most critical assets. This has created a new set of vulnerabilities that can have catastrophic cascading consequences to Australia's economy and national security. This growing threat necessitates a strengthened relationship between Government and industry, built on enhanced information sharing and activities to prepare for, prevent and mitigate significant cyber security. 600. This is most important for systems of national significance, which are a smaller subset of critical infrastructure assets declared by the Minister because of a higher degree of criticality. These systems of national significance may be subject to enhanced cyber security obligations under new Part 2C of the Act. 
Part 6A--Declaration of systems of national significance by the Minister Division 1--Simplified outline of this Part Section 52A Simplified outline of this Part 601. New section 52A of the SOCI Act is a simplified outline of Part 6A which deals with the Minister declaring a system of national significance. The first paragraph notes that the Minister may privately declare a system of national significance. The second paragraph notes that a Minister must notify each reporting entity for a system of national significance if a 113


declaration has been made. The third paragraph notes that a reporting entity for a system of national significance must notify the Secretary of changes to who the reporting entity is. 602. A note to this section identifies that it is an offence to disclose that an asset is a system of national significance under section 45. This reflects the declaration being protected information under the expanded definition in section 5. 603. Therefore, the responsible entity for a system of national significance will be able to disclose the fact that such a declaration has been made in relation to the asset. This is important to ensure that the entity is able to effectively manage the security of the asset and comply with obligations under the Act, while acknowledging that the entity is well positioned to sensitively manage any risks that may be associated with the disclosure. Division 2--Declaration of systems of national significance by the Minister Section 52B Declaration of systems of national significance by the Minister 604. New section 52B of the SOCI Act sets out how the Minister may privately declare an asset to by a system of national significance. 605. Under subsection (1), the Minister may, in writing, declare a particular asset to be a system of national significance if: • the asset is a critical infrastructure asset (paragraph (a)), and • the Minister is satisfied that the asset is of national significance, as determined in accordance with subsection (2) (paragraph (b)). 606. This means that systems of national significance are a subset of critical infrastructure assets that have an additional element of criticality based on their national significance. National significance does not require the asset to operate nationally, or provide a service which impacts the entirety of Australia. Rather the asset, and it's functioning, must be significant from a national perspective. 607. 
See also the information concerning the exclusion of merits review in relation to the Minister's decision under subsection 52B(1) as outlined in relation to the Secretary's decision making power section 30CB above (from paragraph 338). 608. Subsection (2) sets out factors that the Minister must have regard to for the purpose of determining if an asset is of national significance. 609. Paragraph (2)(a) requires the Minister to have regard to the consequences that would arise for the social or economic stability of Australia or its people, the defence of Australia, or national security if a hazard were to occur that had a significant relevant impact on the asset. A relevant impact of a hazard on the asset is defined in section 8G and refers to the impact (whether direct or indirect) of the hazard on the availability, integrity, reliability and 114


confidentiality of information in relation to the asset. For example, should the asset be degraded or destroyed, would it result in serious damage to Australia's national interest. 610. Paragraph (2)(b) further requires that, if the Minister is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets, the Minister have regard to the nature and extent of those interdependencies. The complex and interconnected nature of Australia's economy means that the functionality and operability of a large portion critical infrastructure assets are disproportionately dependent on the services offered by a small set of critical infrastructure asset. In particular, this relationship is often dependent on, or facilitated by, an interconnected digital network or internet-connected systems which has many economic benefits for owners and operators. 611. However, the interconnectedness and overreliance on a limited number of assets creates a new set of vulnerabilities. The compromise of one of these assets could have first, second and third order consequences which may cascade and compromise other critical infrastructure assets. 612. The Minister however is not required to be aware of, or consider, every interdependency of the asset, but rather be satisfied of the assets national significance, having regard to those interdependencies of which the Minister is aware. 613. However, focusing on the extent of interdependencies alone may not always provide the necessary context to consider national significance. The requirement for the Minister to also have regard to the nature of those interdependencies, including where they are small in number but particularly significant. 614. Paragraph (2)(c) clarifies that the Minister may also have regard to any other matters the Minister considers relevant to determining the national significance of the asset. 615. 
Subsection (3) provides that within 30 days of declaring an asset to be a system of national significance the Minister must, in writing, notify each reporting entity for the asset and, if the asset is a tangible asset located (wholly or partly) within a State or Territory, the relevant First Minister or First Ministers.

616. This ensures that the entities affected by the declaration are notified that it has occurred and made aware of the obligations that may flow from such a declaration under Part 2C.

617. Subsection (4) clarifies that an instrument under subsection (1) is not a legislative instrument for the purposes of the Legislation Act. This is reasonable in these circumstances because:
• systems of national significance are an attractive target for malicious actors, particularly those with the capability and motive to do significant harm to Australia's national interests. Due to these factors and the security vulnerabilities that may emerge if the extent of the asset's national significance were widely known, it would be inappropriate and negligent to publicly disclose the identity of a system of national significance. This approach aligns with that taken for assets declared by the Minister for Home Affairs under current section 51 of the SOCI Act; and
• the authorisation applies the law in a particular circumstance to particular facts, and does not determine or alter the content of the law for the purposes of subsection 8(4) of the Legislation Act.

618. Subsection (5) provides that, to avoid doubt, an asset may be the subject of a declaration under subsection (1) even if the asset is not a 'system'. Subsection 52B(5) clarifies that the use of 'system' does not mean that only systems, whether computer based or otherwise, can be declared by the Minister to be a system of national significance. As provided at paragraph 52B(1)(a), systems of national significance can be any asset that is a critical infrastructure asset. However, the additional test at paragraph 52B(1)(b) means that, practically speaking, only a small subset of critical infrastructure assets are likely to be declared to be a system of national significance.

Section 52C Consultation--declaration

619. New section 52C of the SOCI Act details express consultation requirements for the making of a declaration under subsection 52B(1). This ensures that the entity is afforded an opportunity to consider and scrutinise the matters the Minister has considered or taken into regard when proposing to declare the asset to be a system of national significance. These consultation requirements align with those in new section 51A in relation to private declarations of critical infrastructure assets.

620. Subsection (1) provides that before making a declaration the Minister must give the responsible entity a notice that sets out the proposed declaration and invites the entity to make submissions regarding the declaration within 28 days, or a shorter timeframe specified in the notice.

621. Subsection (2) provides that the Minister must consider any submissions made by the responsible entity within 28 days of the notice being given, or within the shorter period specified in the notice.

622. Subsection (3) provides that the Minister must not specify a shorter period for submissions to be made and considered unless they are satisfied that it is necessary due to urgent circumstances. For example, a newly constructed power station may be identified as a system of national significance, due to the number of households it will service. The threat environment may necessitate that the enhanced cyber security obligations are switched on sooner to protect the asset from an impending cyber attack. In these types of urgent circumstances, the Minister may elect to specify a shorter consultation period for the declaration of the asset.


623. Subsection (4) provides that the notice must set out the reasons for the Minister making the declaration, unless the Minister is satisfied that doing so would be prejudicial to security. For example, the Minister's consideration of the national significance of the asset may rely on sensitive and classified information in relation to critical dependencies with national security assets and capabilities that are not publicly known, or even fully known to the entity. However, the Minister should provide the reasons to the greatest extent possible without prejudicing security.

Section 52D Notification of change to reporting entities for asset

624. Similar to section 52 of the SOCI Act, which deals with notification of a change to reporting entities for critical infrastructure assets, new section 52D provides for a notification of a change to reporting entities for a system of national significance.

Subsection 52D(1)--Scope

625. Subsection (1) provides that the section applies if a reporting entity for a system of national significance (known as the 'first entity') stops being the reporting entity for the asset, or becomes aware of another reporting entity for the asset.

Subsections 52D(2)-(4)--Notification

626. Subsection (2) provides that within 30 days of becoming aware of the change the first entity must notify the Secretary of the change and, if there is another reporting entity, the details of that entity.

627. This provision is required as the Minister's declaration of a system of national significance is private and protected information under section 5. Without this provision Government may not have visibility of any changes to reporting entities, as the provisions relating to protected information may limit subsequent reporting entities from being aware of the status of the asset and associated obligations.

628. Breach of the obligation in subsection (1) is subject to a civil penalty of up to 150 penalty units. This penalty aligns with non-compliance with the notification requirements at current section 52 of the SOCI Act.

629. Subsection (3) provides that the first entity must use their best endeavours to determine the name and address of any other relevant entity. This ensures the first entity is not liable to a penalty if they took all reasonable steps to obtain the information.

630. Subsection (4) provides that if the Secretary is given a notification under this section they must notify the new reporting entity that the asset is a system of national significance, in writing, within 30 days of the notification. This ensures the entity is aware of their obligations as a reporting entity for a system of national significance under the legislation.


Section 52E Review of declaration

631. New section 52E of the SOCI Act provides a mechanism through which a responsible entity for an asset can request a review of the Minister's declaration, under section 52B, that the asset is a system of national significance. Australia's economic, defence and security environments are constantly evolving and consequently the assets that are most critical will change over time. It is important to ensure that assets declared as systems of national significance have appropriate protections in place. However, it is equally important, noting the obligations that may be imposed on a system of national significance in new Part 2C of the SOCI Act, that declarations are not in force for longer than is necessary.

632. The nature of an asset, as well as its operating environment, can change over time. Therefore, it is important that a responsible entity can request a review of its declaration as a system of national significance to avoid any unnecessary regulatory burden.

633. Subsection (1) provides that the section applies if an asset is declared under subsection 52B(1) to be a system of national significance.

634. Subsection (2) provides that the responsible entity for the system of national significance may, by written notice given to the Secretary, request the Secretary review whether the asset is of national significance. Subsections (3)-(5) set out the requirements for the review.

635. Subsection (3) provides that the Secretary must review whether the asset is of national significance and give the Minister a report of the review and a statement setting out the Secretary's findings. This must be done within 60 days of the Secretary receiving the request.

636. Subsection (4) provides that the review must be undertaken in consultation with the responsible entity for the asset. This will ensure the entity has the opportunity to bring any relevant information to the Secretary's attention, including any change in circumstances in relation to the asset.

637. Subsection (5) provides that in undertaking the review, the Secretary must have regard to:
• the consequences that would arise for the social or economic stability of Australia or its people, or the defence of Australia, or national security, if a hazard were to occur that had a significant relevant impact on the asset; and
• if the Secretary is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets--the nature and extent of those interdependencies; and
• such other matters (if any) as the Secretary considers relevant.


638. These factors align with the factors that the Minister must have regard to in being satisfied as to whether an asset is nationally significant under section 52B(2) of the SOCI Act. As such, if the asset no longer met the requirements to be declared nationally significant, the review would likely determine that the declaration is no longer required.

639. Subsection (6) limits the frequency with which a review can be requested by the entity to no more than once during a 12 month period.

Section 52F Revocation of determination

640. New section 52F of the SOCI Act provides for circumstances in which a declaration made under subsection 52B(1) must be revoked. This provision imposes a duty on the Minister to revoke a declaration when no longer satisfied that the asset is of national significance. The Minister may form this view in a number of ways, including having considered a report and associated statement of findings prepared by the Secretary under new section 52E.

641. Subsection (1) provides that the section applies if a declaration under subsection 52B(1) is in force in relation to an asset, and the Minister is no longer satisfied that the asset is of national significance.

642. Subsection (2) imposes a duty on the Minister to revoke the declaration if the circumstances in subsection (1) exist.

643. Subsection (3) clarifies that a revocation is not a legislative instrument.

644. Subsection (4) provides that section 52F does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act to an instrument made under a provision of the SOCI Act.

645. Subsection 33(3) of the Acts Interpretation Act provides that where an Act confers a power to make, grant or issue any instrument of a legislative or administrative character (including rules, regulations or by-laws), the power shall be construed as including a power exercisable in the like manner and subject to the like conditions (if any) to repeal, rescind, revoke, amend, or vary any such instrument.

Item 72 After paragraph 60(2)(e)

646. Under subsection 60(1) of the SOCI Act, the Secretary must give the Minister, for presentation to the Parliament, a report on the operation of the SOCI Act for each financial year. The report under subsection 60(1) must deal with the matters listed in paragraphs (2)(a)-(e).

647. These amendments reflect the expanded scope of the obligations and powers to be introduced into the SOCI Act by this Bill and serve as an important oversight mechanism by providing transparency and accountability to Parliament and the public about the operation of the SOCI Act.

648. Item 50 of Schedule 1 to the Bill inserts the following additional paragraphs into subsection (2), as matters that the Secretary's report to the Minister under subsection (1) must contain:
• the number of annual reports given under section 30AG during the financial year (paragraph (f));
• the number of annual reports given under section 30AG during the financial year that included a statement to the effect that a critical infrastructure risk management program was up to date at the end of the financial year (paragraph (g)); and
• the number of annual reports given under section 30AQ during the financial year (paragraph (ga)).

Item 73 After paragraph 60(2)(i)

649. Item 73 of Schedule 1 to the Bill inserts further additional paragraphs into subsection 60(2) of the SOCI Act, as matters that the Secretary's report to the Minister under subsection (1) must contain:
• the number of notices given to entities under section 30CB during the financial year (paragraph (j));
• the number of notices given to entities under section 30CM during the financial year (paragraph (k));
• the number of notices given to entities under section 30CU during the financial year (paragraph (l)); and
• the number of notices given to entities under Division 5 of Part 2C during the financial year (paragraph (m)).

Item 74 At the end of subsection 60(2)

650. Item 74 of Schedule 1 to the Bill inserts a further additional paragraph into subsection 60(2) of the SOCI Act, as a matter that the Secretary's report to the Minister under subsection (1) must contain, specifying information about the number of declarations that were made under section 52B during the financial year (paragraph (r)).


ATTACHMENT B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The Bill proposes amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act), including to:
• Introduce a security obligation on owners and operators of critical infrastructure assets to identify and mitigate risks to their operation.
  o In addition to the existing reporting obligations in Parts 2 and 2B of the current SOCI Act, the Bill will introduce obligations on responsible entities for certain critical infrastructure assets to adopt, maintain and comply with an all-hazards critical infrastructure risk management program (new Part 2A).
  o To comply with this obligation, entities will be required to identify any material risks that may affect the availability, integrity, reliability and confidentiality of their asset. Entities will also be required to have appropriate risk mitigations in place to manage those risks.
  o The Bill introduces rule-making powers under Part 2A of the Bill to identify specific material risks, recognise existing standards, and create requirements for the creation of critical infrastructure risk management programs. These rules will be designed in close consultation with the responsible entities that may be subject to these obligations.
• Introduce an enhanced cybersecurity obligation (ECSO) on owners and operators of a small subset of nationally significant critical infrastructure assets, declared by the Minister to be Systems of National Significance (SoNS) (new Part 2C). Under the ECSO, the Secretary of the Department of Home Affairs (the Secretary) will have an ability to require the responsible entity for a SoNS to undertake one or more prescribed cyber security activities. These may require the responsible entity for a SoNS to:
  o Develop cyber security incident response plans designed to ensure an entity has established processes and tools to prepare for and respond to cyber security incidents.
  o Undertake cyber security exercises to test an entity's cyber preparedness, ability to respond appropriately to a cyber security incident, and ability to mitigate the relevant impacts of a cyber security incident.
  o Undertake a vulnerability assessment to identify cyber security vulnerabilities.
  o Provide system information to the Australian Signals Directorate (ASD) to build Australia's situational awareness of the cyber threat environment.
• Amend the existing protected information regime to enhance information sharing provisions to enable the appropriate and lawful exchange of information among oversight and compliance assurance bodies. Protected information is defined in section 5 of the SOCI Act to include information obtained by a person in the course of performing duties or functions under that Act and information in relation to the various powers under the Act.


  o As it is presently defined in the SOCI Act, protected information includes reports or information generated under Part 2B (notification of cyber security incidents), operations under Part 3A (government assistance measures) and information about critical infrastructure assets that are privately declared by the Minister under section 51.
  o The amendments expand protected information to include reports or information relating to Part 2A of the Bill (risk management programs), Part 2C of the Bill (enhanced cyber security obligations) and declarations of systems of national significance under section 52B of the Bill.
  o The amendments remove the ability for an entity to share protected information for the sole reason that the protected information relates to that entity. There must now be an authorised purpose to do so, such as the additional circumstances described below or those that already exist within the SOCI Act.
  o The amendments permit an entity to disclose protected information relating to itself to a regulator that has responsibility for regulating the industry that the entity operates within.
  o The amendments permit an entity to disclose protected information relating to itself where the entity has been provided written consent by the Secretary.

These amendments will implement the second tranche of an enhanced critical infrastructure security framework, building on the amendments introduced by the Security Legislation Amendment (Critical Infrastructure) Act 2021 (the SLACI Act). These amendments will further enhance the security and resilience of critical infrastructure in Australia, boost situational awareness and enable the Government to partner with entities responsible for Australia's most critical assets to effectively prevent, defend against and recover from serious cyber security incidents. This will allow the Government to maintain the continuity of essential services that support Australia's economy, security and sovereignty.

By uplifting security across a broad range of critical infrastructure sectors, the Bill supports the human rights of persons in Australia by, amongst other things, supporting an adequate standard of living, high standards of health and access to medical services and higher education.

Human rights implications

This Bill engages the following rights:
• The right to an adequate standard of living, including the right to adequate food in Article 11 of the International Covenant on Economic, Social and Cultural Rights (ICESCR).
• The right to the enjoyment of the highest attainable standard of physical and mental health, including medical service and attention in the event of sickness in Article 12 of ICESCR.
• The right to a fair and public hearing in Article 14 of the International Covenant on Civil and Political Rights (ICCPR).
• The right to privacy in Article 17 of the ICCPR.

The right to an adequate standard of living, including the right to adequate food

Article 11 of the ICESCR provides for the right of everyone to an adequate standard of living, including adequate food, clothing, housing and the continuous improvement of living conditions. It commits States Parties to take measures to safeguard these standards.


The Bill introduces a new requirement for owners and operators of critical infrastructure assets to have and comply with a critical infrastructure risk management program that, under rules made by the Minister, may apply to critical food and grocery assets, as well as critical water, energy and financial assets. The application of the critical infrastructure risk management program to these assets will recognise the role that these assets play in delivering an adequate standard of living.

The risk management program obligations introduced by the Bill, where applied to critical food and grocery assets, will assist to protect the availability of food throughout Australia through improving business resilience. Critical water or energy assets may also be required to manage risks, to ensure that risks to adequate energy and clean water supplies are mitigated, or that risks to the finance sector are mitigated so that a person's ability to pay for essential services or obtain adequate food and clothing is not disrupted.

Introducing these measures promotes the right in Article 11 by reducing the likelihood of a disruption to distribution networks and other key operations of Australia's major critical infrastructure assets, which could impact the availability of products and services that support an adequate standard of living.

The right to physical and mental health

Article 12 of the ICESCR provides for the right of everyone to the enjoyment of the highest attainable standard of physical and mental health, including medical service and medical attention in the event of sickness. Hospitals are crucial to Australia's ability to fulfil this obligation as they provide critical care for patients with a variety of medical, surgical and trauma conditions, and are therefore integral to the sustainment of life.

The Bill introduces a new security obligation on owners and operators of critical infrastructure assets to have and comply with a critical infrastructure risk management program that, under rules made by the Minister, may apply to critical hospitals and other critical infrastructure assets with a high degree of interdependency with critical hospitals. The application of the critical infrastructure risk management program to critical hospitals and other interdependent assets will assist to protect these important assets, and in turn, the physical and mental health of all persons in Australia. For example, an attack on a critical hospital could pose a risk to life. Similarly, the consequences of a prolonged and widespread failure in the energy sector could cause shortages or destruction of essential medical supplies.

Introducing these measures promotes the right in Article 12 by improving business resilience and protecting assets should they be subject to a significant cyber attack or other relevant impact, reducing the likelihood of a disruption to the provision of essential medical services and ensuring appropriate services remain available in the event of sickness.

The right to a fair and public hearing

Article 14 of the ICCPR provides for the proper administration of justice by upholding, among other things, the right to a fair and public hearing. These rights include that all persons are equal before courts and tribunals and have a right to a fair and public hearing before a competent, independent and impartial tribunal established by law. Article 14 also includes the right of protection against self-incrimination, stating that no person shall be 'compelled to testify against himself or confess guilt' in the determination of criminal charges.

The civil penalty provisions introduced by the Bill are not characterised as criminal as they do not apply to the public generally, but only to specific regulated entities, and the available penalties are not of a nature or severity such that they may be considered criminal. Any limitations to the right to a fair and public hearing under Article 14 are permissible if the limitations are reasonable, proportionate and for a legitimate objective.

The right to a fair and public hearing is attached only to individuals, not to businesses. The term 'entity' as defined in section 5 of the SOCI Act includes individuals, as well as body corporates, partnerships and trusts. However, it is only in very rare instances (for example, where a critical infrastructure asset is owned or operated by an individual rather than a corporation) that the measures in the Bill that relate to the right to a fair and public hearing would apply to individuals. In these rare instances, the following measures in the Bill may engage the right to a fair and public hearing and protection against self-incrimination under Article 14 of the ICCPR and will be discussed in greater detail below:
• Critical infrastructure risk management programs to mandate procedural arrangements to address hazards that could impact the availability, integrity, reliability or confidentiality of critical infrastructure assets (Part 2A of the Bill).
• Enhanced cyber security obligations will ensure assets of the highest criticality to Australia's national interests are in a position to handle cyber security incidents, and will allow the Government access to system information (Part 2C of the Bill).
Critical infrastructure risk management program

To fulfil requirements under the critical infrastructure risk management program, responsible entities will be required to notify their regulator of all hazards for which there is a material risk of a relevant impact, and whether the impact is imminent, occurring or has occurred. Responsible entities will be required to submit an annual report that includes an identification of hazards that had a significant relevant impact on one or more assets and includes a statement that identifies the hazard, evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets and outlines any variations to the program.

In instances where responsible entities need to reveal that the minimisation procedures they developed under their risk management program were not reasonable, this could lead to self-incrimination. To address this, the immunity provision included in section 30AG(3) of the Bill prevents the information included in the annual report from being used as evidence against the entity in any civil penalty proceedings under the SOCI Act.

Enhanced cyber security obligations

As part of the enhanced cyber security obligations, the Secretary may require the responsible entity for a SoNS to comply with a requirement to provide periodic reports containing system information (section 30DB of the Bill) or event-based reports (section 30DC of the Bill) to the ASD if the Secretary believes on reasonable grounds that the entity is capable of doing so. System information is information that relates to the operation of the computer needed to operate a SoNS which may assist with determining whether a power under the SOCI Act should be exercised in relation to the SoNS. System information does not include personal information within the meaning of the Privacy Act 1988.

In deciding whether to give a system information periodic reporting notice or a system information event-based reporting notice, the Secretary must consult with the entity prior to issuing the notice and have regard to the costs that are likely to be incurred by the entity in complying with the notice. If the Secretary does not believe on reasonable grounds that the entity would be technically capable of preparing reports under section 30DB or 30DC of the Bill, section 30DJ provides that the Secretary may require the entity to install and maintain a specified computer program to collect and record the required system information and transmit this to ASD. Such a request may only occur after the Secretary has consulted the entity and considered the cost the entity might incur by complying with the request. Any information that is collected under any of the above discussed provisions will be protected information under the SOCI Act, and is not intended to be used for compliance purposes.

Section 30DG of the Bill provides that an entity is not excused from giving a periodic or event-based report on the ground that the report might tend to incriminate the entity (new subsection (1)). Furthermore, if an individual would otherwise be able to claim the privilege against self-exposure to a penalty in relation to giving a report under sections 30DB or 30DC, the individual is not excused from giving a report on that ground (subsection (2)). Importantly, section 30DH provides that the information is not admissible in evidence against the entity, except as evidence of non-compliance with those obligations or evidence of providing false and misleading information to the Government. Despite section 30DG enabling sections 30DB, 30DC and 30DJ to operate irrespective of potential self-incrimination, section 30DH acts to protect individuals from self-incrimination. For example, the function of section 30DH is that the information collected cannot be used in evidence to demonstrate non-compliance with the critical infrastructure risk management program under new Part 2A of the Bill.

These provisions ensure that any limitations to the right to a fair and public hearing under Article 14 are permissible, as the limitations are reasonable, proportionate and for the legitimate objective of mitigating risks to critical infrastructure assets.

Right to privacy

Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy. Interferences with the right to privacy may be permissible provided that they are authorised by law and are not arbitrary. For an interference with the right to privacy not to be arbitrary, the interference must be for a reason consistent with the provisions, aims and objectives of the ICCPR and be reasonable in the particular circumstances.1 The United Nations Human Rights Committee has interpreted 'reasonableness' in this context to mean that 'any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case'. The term unlawful means that no interference can take place except as authorised under domestic law.

Article 17 of the ICCPR does not set out the reasons for which the guarantees in it may be limited. However, limitations contained in other articles, for example, those which are necessary in a democratic society in the interests of national security, public order, the protection of public health or the protection of the rights and freedoms of others, may be considered legitimate objectives in appropriate circumstances in respect of the prohibition on interference with privacy.

1 Toonen v Australia, Communication No. 488/1992, U.N. Doc CCPR/C/50/D/488/1992 (1994) at 8.3.

Article 17 of the ICCPR only applies to interference with privacy for individuals. Whilst the definition of 'entity' under the current SOCI Act includes individuals, it is highly unlikely that the measures in the Bill would apply to individuals. The exception to this is the requirement for the provision of information on the board members of an entity under the Register of Critical Infrastructure Assets. All critical infrastructure assets as reported to the Department of Home Affairs in 2021 were managed by corporations, to which the right to privacy does not apply. However, to the extent that an 'entity' may at some time include an individual, and that information about board members may be required, the protected information sharing measures may engage the right to privacy.

Critical infrastructure risk management program

Under the critical infrastructure risk management program, new section 30AH(4) will enable a responsible entity to conduct a background check on individuals through AusCheck. To the extent that the responsible entity submits an individual's personal information for an AusCheck background check, the right to privacy will be engaged. However, it is reasonable, necessary and proportionate to limit the right to privacy in this way. Background checks may be necessary where the risk environment of a critical infrastructure asset includes a material risk of personnel hazards creating a relevant impact on the asset, such as a compromise to the availability or integrity of that asset. This measure will be limited by the rules made under the Bill to those employees who are engaged as a critical employee, where the responsible entity considers it necessary for the position. This enables the responsible entity to ensure that only persons suitable to the role are engaged as critical employees.
The measure is also proportionate and the least rights restrictive, as responsible entities will only be able to access the elements of AusCheck background checking that are relevant to their threat risk.

Enabling information sharing with oversight and compliance assurance bodies

To enable appropriate sharing of protected information in relation to a critical infrastructure asset, an entity may disclose protected information in the following circumstances:
• Disclosure authorised to a relevant regulator (new sub-section 43E(1)), that is, an entity to which the protected information relates may disclose it to a Minister, head of agency or person employed by a Minister or agency, that is responsible for the regulation or oversight of a relevant critical infrastructure sector (section 43E);
• Disclosure authorised by the Secretary (sub-section 43E(2)), that is, an entity to which the protected information relates may disclose it where the Secretary consents in writing to the disclosure.

To appropriately limit the sharing of protected information to certain parties, an entity may no longer disclose protected information for the sole reason that the protected information relates to that entity (repealed paragraph 46(4)(b)). There must now be an authorising purpose to do so, such as the provisions referred to above or the existing authorised purposes in the SOCI Act.


Protected information is collected with respect to entities defined under the SOCI Act that are not known to be individuals. Protected information collected under the SOCI Act, as it is proposed to be amended, is unlikely to contain personal information.

These provisions do expand the range of bodies to which an entity may be authorised to disclose protected information. This expansion of scope is proportionate to the entities' requirements for owning, operating or performing some function in relation to a critical infrastructure asset. For example, entities may be required to disclose protected information that relates to an entity's compliance with the SOCI Act, which may be required to justify additional resourcing or expenditure to state or territory oversight or regulatory bodies. However, the repeal of paragraph 46(4)(b) of the SOCI Act instead limits the distribution of protected information generally, which acts to lessen limitations to the right to privacy of individuals, where that protected information relates to personal information.

To the extent that these measures limit the right to privacy, in ensuring that any disclosure of protected information is restricted to purposes authorised under the SOCI Act, that limitation is necessary, reasonable, and proportionate to the legitimate objective of ensuring the ongoing security and resilience of critical infrastructure and systems of national significance.

Conclusion

The Bill is compatible with human rights because it will promote rights and, to the extent that the Bill limits rights, those limitations are reasonable, necessary and proportionate to the objective of reducing national security risks in relation to critical infrastructure.


ATTACHMENT C

LIN 22/018

Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022

I, Karen Andrews, Minister for Home Affairs, make this instrument under section 61 of the Security of Critical Infrastructure Act 2018 (the Act).

Dated 2022

DRAFT ONLY--NOT FOR SIGNATURE
Minister for Home Affairs

EXPOSURE DRAFT


Contents

Part 1 Preliminary
1 Name
2 Commencement
3 Definitions
4 Material risk

Part 2 Requirements etc. for a critical infrastructure risk management program
5 General
6 Cyber and information security
7 Personnel hazards
8 Supply chain
9 Physical security hazards and natural hazards


Part 1 Preliminary

1 Name
This instrument is the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022.

2 Commencement
This instrument commences on the day after registration.
Note The Minister can only make this instrument after the requirements mentioned in section 30AL of the Act are completed.

3 Definitions
Note A number of phrases used in this instrument are defined in the Act, including:
(a) critical infrastructure asset;
(b) material risk;
(c) relevant impact;
(d) responsible entity.
In this instrument:
asset means a critical infrastructure asset.
critical component means an asset, part of an asset or system that .
critical worker means an individual, including a position holder:
(a) who is an employee, intern, contractor or subcontractor of an entity; and
(b) whose absence or compromise would prevent the proper function of the asset or could cause significant damage to the asset, as assessed by the entity; and
(c) who has access to, or control and management of, a critical component of a Part 2A asset.
cyber and information security hazard includes where a person, whether authorised or not, improperly accesses or misuses information or computer systems about or related to the asset, or where such a person, by use of a computer system, obtains unauthorised control of or access to any function which may impair the proper functioning of the asset.
entity means the responsible entity for a Part 2A asset.
high risk vendors has the meaning given by the Cyber Supply Chain Risk Management document published by the Australian Signals Directorate as in force from time to time.
Note Section 30ANA of the Act provides for the incorporation of this document as in force from time to time.
natural hazard includes a bushfire, flood, cyclone, storm, heatwave, earthquake, tsunami or health hazard (such as a pandemic).
Part 2A asset means a critical infrastructure asset to which Part 2A of the Act applies.
personnel hazard includes where a critical worker acts, through malice or negligence, to compromise the proper function of the asset or cause significant damage to the asset, as assessed by the entity, such as by causing a material risk to the asset.
physical security hazard includes the unauthorised access, interference, or control of critical assets, other than those covered by cyber and information security hazards, including where persons other than critical workers act, through malice or negligence, to compromise the proper function of the asset or cause significant damage to the asset, as assessed by the entity.
program means a critical infrastructure risk management program.
sensitive operational information includes any of the following for a Part 2A asset:
(a) layout diagrams;
(b) schematics;
(c) geospatial information;
(d) configuration information;
(e) operational constraints or tolerances information;
(f) data that a reasonable person would consider to be confidential or sensitive about the asset.

4 Material risk
For subsection 30AH(8) of the Act, material risks for an asset are taken to include a risk of the following relevant impacts occurring:
(a) an impairment of the asset that may prejudice the social or economic stability of Australia or its people, the defence of Australia or national security;
(b) a stoppage or major slowdown of the asset's function for an unmanageable period;
(c) a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the asset;
Example The position, navigation and timing systems affecting provision of service or functioning of the asset.
(d) an interference with the asset's operational technology or information communication technology essential to the functioning of the asset;
Example A Supervisory Control and Data Acquisition (SCADA) system.
(e) an impact resulting from the storage, transmission or processing of sensitive operational information outside Australia;
(f) an impact resulting from remote access to operational control or operational monitoring systems of the asset;
(g) any other material risks as identified by the entity that affect the functioning of the asset.


Part 2 Requirements etc. for a critical infrastructure risk management program

5 General
(1) For paragraph 30AH(1)(c) of the Act, an entity must establish and maintain in the entity's program:
(a) a process or system for identifying the operational context of each Part 2A asset for which the entity is responsible; and
(b) a principles-based risk identification process that the entity uses to identify risks to the entity's Part 2A asset; and
(c) a risk management process or system that includes, for each material risk mentioned in section 4, a process or system to:
(i) consider the risk; and
(ii) as far as it is reasonably practicable to do so--minimise or eliminate the risk; and
(d) a process:
(i) for reviewing the program so that it complies with section 30AE of the Act; and
(ii) for keeping the program up to date so that it complies with section 30AF of the Act.
(2) In this subsection:
(a) for subsection 30AKA(1) of the Act--in deciding whether to adopt a program; and
(b) for subsection 30AKA(3) of the Act--in reviewing the program in accordance with section 30AE; and
(c) for subsection 30AKA(5) of the Act--in deciding whether to vary the program
an entity must have regard to the following matters:
(d) whether the program describes the outcome of the process or system mentioned in paragraph (1)(a);
(e) whether the program describes interdependencies between each of the entity's Part 2A assets and other critical infrastructure assets;
(f) whether the program identifies each position within the entity:
(i) that is responsible for developing and implementing the program; and
(ii) for each minimisation or elimination mentioned in subparagraph (1)(c)(ii)--that is responsible for developing and implementing the minimisation or elimination; and
(iii) for the processes mentioned in paragraph (1)(d)--that is responsible for reviewing the program or keeping the program up to date;
(g) whether the program contains the contact details for the positions described under paragraph (f);
(h) whether the program contains a risk management methodology or principles of a reasonable risk management methodology;
(i) whether the program describes the circumstances in which the entity will review the program (even if not required by section 30AE of the Act).


6 Cyber and information security hazards
(1) For paragraph 30AH(2)(c) of the Act, subsections (2) and (3) specify requirements.
(2) The entity must establish and maintain a process or system in the entity's program:
(a) to minimise or eliminate a material risk that a cyber and information security hazard could have a relevant impact on the asset; and
(b) to mitigate the relevant impact of a cyber and information security hazard on the asset.
(3) Within 12 months of this instrument applying to an asset, an entity must comply with subsection (4) or (5).
Example If an asset becomes a Part 2A asset on 1 January 2023, the entity for the asset would need to comply with this subsection on or before 1 January 2024.
Note See also section 30AB of the Act and the Security of Critical Infrastructure (Application) Rules 2022.
(4) The entity must:
(a) comply with a framework contained in a document in an item in the following table as in force from time to time; and
(b) if a condition is mentioned in the item--comply with the condition.

Item 1. Document: Australian Standard AS ISO/IEC 27001:2015. Condition: none.
Item 2. Document: Essential Eight Maturity Model published by the Australian Signals Directorate. Condition: required to meet maturity level one as indicated in the document.
Item 3. Document: Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America. Condition: none.
Item 4. Document: Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America. Condition: required to meet Maturity Indicator Level 1 as indicated in the document.
Item 5. Document: The 2020-21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327). Condition: required to meet Security Profile 1 as indicated in the document.

Note Sections 30AN and 30ANA of the Act provide for the incorporation of the documents mentioned in this subsection as in force from time to time.
(5) The entity must comply with a framework that is equivalent to a framework in a document mentioned in subsection (4), including a condition (if any) mentioned for that document.
(6) In this subsection:
(a) for subsection 30AKA(1) of the Act--in deciding whether to adopt a program; and
(b) for subsection 30AKA(3) of the Act--in reviewing the program in accordance with section 30AE; and
(c) for subsection 30AKA(5) of the Act--in deciding whether to vary the program
an entity must have regard to whether the cyber and information security risks, the occurrence of which could have a relevant impact on the asset, are described in the program.

7 Personnel hazards
(1) For paragraph 30AH(1)(c) of the Act, subsection (2) specifies a requirement in relation to a material risk that an occurrence of a personnel hazard could have a relevant impact on a Part 2A asset.
(2) Beginning on the compliance day, an entity must establish and maintain a process or system in the entity's program:
(a) to identify the entity's critical workers; and
(b) to assess, on an ongoing basis, the suitability of a critical worker to have access to the critical components of the asset; and
(c) to minimise or eliminate material risks that negligent employees and malicious insiders may cause to the functioning of the asset; and
(d) to minimise or eliminate material risks arising from the off-boarding process for outgoing employees and contractors.
(3) For paragraph (2)(b) and paragraph 30AH(4)(a) of the Act, the process or system for assessing the suitability of a critical worker to have access to the critical components of the asset may be a background check under the AusCheck scheme at regular intervals.
(4) For a background check of an individual permitted under subsection (3):
(a) for paragraph 30AH(4)(b) of the Act--the background check must include assessment of information relating to the matters mentioned in paragraphs 5(a), (b), (c) and (d) of the AusCheck Act 2007; and
(b) for paragraph 30AH(4)(c) of the Act, as the background check includes an assessment of information relating to the matter mentioned in paragraph 5(a) of the AusCheck Act 2007--the criteria against which that information must be assessed are the criteria specified in [TBD]; and
(c) for paragraph 30AH(4)(d) of the Act, as the background check includes an assessment of information relating to the matter mentioned in paragraph 5(d) of the AusCheck Act 2007--the assessment must consist of [an electronic identity verification check/an in person identity verification check/both an electronic identity verification check and an in person identity verification check].
Note In this exposure draft, subsections (3) and (4) are included to indicate how background checks under the AusCheck scheme will be enabled. The specific operation of the AusCheck scheme, including the criteria against which the background check will be conducted and the associated amendments required for the AusCheck Regulations 2017 to enable such background checks, will be the subject of further consultation before being finalised.
(5) In this subsection:
(a) for subsection 30AKA(1) of the Act--in deciding whether to adopt a program; and
(b) for subsection 30AKA(3) of the Act--in reviewing the program in accordance with section 30AE; and
(c) for subsection 30AKA(5) of the Act--in deciding whether to vary the program
an entity must have regard to:
(d) whether the program lists the entity's critical workers; and
(e) whether the personnel risks, the occurrence of which could have a relevant impact on the asset, are described in the program.

8 Supply chain
(1) Subsection (2) specifies a requirement for paragraph 30AH(1)(c) of the Act.
(2) Beginning on the compliance day, the entity must establish and maintain in the entity's program a process or system that the entity uses to minimise or eliminate the material risk of, or mitigate, the relevant impact of:
(c) unauthorised access, interference or exploitation of the asset's supply chain; and
(d) misuse of privileged access to the asset by any provider in the supply chain; and
(e) disruption and sanctions of the asset due to an issue in the supply chain; and
(f) threats to people, assets, equipment, products, services, distribution and intellectual property within supply chains; and
(g) high risk vendors; and
(h) any failure or lowered capacity of other assets and entities in the entity's supply chain.

9 Physical security hazards and natural hazards
(1) Subsection (2) specifies a requirement for paragraph 30AH(1)(c) of the Act.
(2) Beginning on the compliance day, an entity must establish and maintain a process or system in the entity's program:
(a) to identify the parts of the asset that are critical to the functioning of the asset (the critical sites); and
(b) to minimise or eliminate a material risk of, or mitigate, a relevant impact of a physical security hazard on a critical site; and
(c) to respond to incidents where unauthorised access to a critical site occurs; and
(d) to control access to critical sites, including restricting access to only those individuals who are critical workers or accompanied visitors; and
(e) to test that security arrangements for the asset are effective and appropriate to detect, delay, deter, respond to and recover from a breach in the arrangements; and
(f) to minimise or eliminate a material risk of, or mitigate, a relevant impact of a natural hazard on the asset.
(3) In this subsection:
(a) for subsection 30AKA(1) of the Act--in deciding whether to adopt a program; and
(b) for subsection 30AKA(3) of the Act--in reviewing the program in accordance with section 30AE; and
(c) for subsection 30AKA(5) of the Act--in deciding whether to vary the program
an entity must have regard to:
(d) whether the asset's critical sites are described in the program;
(e) whether the physical security hazards, the occurrence of which could have a relevant impact on a critical site, are described in the program;
(f) whether the security arrangements for the asset are described in the program;
(g) whether the natural hazards, the occurrence of which could have a relevant impact on the asset, are described in the program.


ATTACHMENT D

EXPLANATORY STATEMENT

Issued by authority of the Minister for Home Affairs

Security of Critical Infrastructure Act 2018

Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022

1 The instrument, Departmental reference LIN 22/018, is made under section 61 of the Security of Critical Infrastructure Act 2018 (the Act).

2 The instrument commences on the day after registration and is a legislative instrument for the Legislation Act 2003 (the Legislation Act).

Purpose

3 Part 2A of the Act provides that the responsible entity for one or more critical infrastructure assets must have, and comply with, a critical infrastructure risk management program (a program). As outlined in paragraph 30AH(1)(b) of the Act, the purpose of a program is to:
• identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
• so far as it is reasonably practicable to do so--minimise or eliminate any material risk of such a hazard occurring;
• so far as it is reasonably practicable to do so--mitigate the relevant impact of such a hazard on the asset.

4 Subsection 30AB(1) of the Act provides that Part 2A of the Act applies to a critical infrastructure asset if the asset is specified in the rules or, if a critical infrastructure asset is the subject of a declaration under section 51 of the Act, that declaration determines that Part 2A applies to the asset.

5 Part 2 of the instrument sets out the requirements for paragraph 30AH(1)(c) of the Act that an entity must establish and maintain in the entity's program. Part 2 of the instrument also sets out the matters that must be considered by a responsible entity when adopting, reviewing and varying their critical infrastructure risk management program for section 30AKA of the Act.

6 In specifying the requirements in the rules, and in accordance with subsection 30AH(6), the Minister will have regard to:
• any existing regulatory system of the Commonwealth, a State or a Territory that imposes obligations on responsible entities (paragraph (a));


• the costs that are likely to be incurred by responsible entities in complying with the rules (paragraph (b));
• the reasonableness and proportionality of the requirements in the rules in relation to the purposes referred to in paragraph 30AH(1)(b) (paragraph (c));
• such other matters (if any) as the Minister considers relevant (paragraph (d)).

Consultation

7 The Department of Home Affairs (the Department) engaged industry stakeholders from across sectors in a consultation process to design the rules underpinning the risk management program.

8 Under subsection 30AL(2) of the Act, the Minister must cause to be published on the Department's website a notice containing a draft of the proposed rules under section 30AH and inviting submissions to the Minister. The Minister must also give a copy of the notice to each State and Territory First Minister. The Minister must consider any submissions received within the period specified in the notice.

9 A regulatory impact statement (RIS) is also being conducted in relation to the instrument. Whilst that document cannot be finalised until the Bill is passed and the rules can be made, a draft RIS informed by extensive consultation with stakeholders has been developed to identify the regulatory impact of these reforms. The RIS weighs the regulatory costs of the RMP rules against the damage to the economy if business underinvests in security and allows breaches to occur. The RIS clearly identifies that the regulatory cost of complying with the critical infrastructure risk management program obligation, as specified in rules, is minimal when compared to the damage to the economy if businesses underinvest in security and allow breaches to occur.

10 The RIS highlights that existing regulatory frameworks and market forces are insufficient to protect critical infrastructure against all-hazard threats in a consistent and coordinated manner across critical infrastructure assets. Moreover, the likely benefits of the critical infrastructure risk management program obligation will be at least (and are expected to be more than) the costs of the regulation. This is primarily because the frequency and severity of all-hazard risks for critical infrastructure assets are growing, and this increasing severity and frequency of incidents, particularly in the context of growing cyber security incidents, represents a risk to the whole economy.

11 Detailed economic analysis of costing figures received through the RIS indicates that the potential cost of the required security uplift would be significantly outweighed by the net benefits to the economy as a whole.

Details of the instrument

12 Details of the instrument are set out in Attachment A.

Parliamentary scrutiny etc.

13 The instrument is subject to disallowance under section 42 of the Legislation Act and the final explanatory statement for the instrument will contain a Statement of Compatibility with Human Rights in accordance with the Parliamentary Scrutiny (Human Rights) Act 2011.


14 The instrument will be made by the Minister for Home Affairs in accordance with the requirements of section 30AL.


Attachment A

Details of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022

Section 1 Name

This section provides that the name of the instrument is the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022 (the instrument).

Section 2 Commencement

This section provides that the instrument commences on the day after registration on the Federal Register of Legislation.

Who will the rules apply to?

As outlined in the Explanatory Memorandum to the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the Explanatory Memorandum), it is proposed that Part 2A of the Act will, shortly after commencement of the SLACIP Bill, apply to:
• critical electricity assets;
• critical energy market operator assets;
• critical gas assets;
• critical liquid fuels assets;
• critical water and sewerage assets;
• critical financial market infrastructure assets that are a critical payment system (other critical financial market infrastructure assets will not be captured);
• critical data storage or processing assets;
• critical hospital assets;
• critical domain name system assets; and
• critical broadcasting assets.

As also outlined in the Explanatory Memorandum, it is proposed that Part 2A of the Act will additionally apply to critical freight services assets, critical freight infrastructure assets and critical food and grocery assets. Given current supply chain impacts arising from the COVID-19 pandemic, the critical infrastructure risk management obligation for those assets will be delayed until at least 1 January 2023.


This will be facilitated by rules made under proposed section 30AB of the SOCI Act (the section 30AB rule), which are proposed to provide that the abovementioned assets will be assets to which Part 2A applies:
• if the asset is a critical infrastructure asset on or before the commencement of the section 30AB rule--six months after the rule commences; or
• if the asset becomes a critical infrastructure asset after the commencement of the section 30AB rule--six months after the asset becomes a critical infrastructure asset.

This means that the requirements, and the matters that must be regarded, specified in this instrument will not need to be complied with until that date, except for the requirement in subsection 6(3) of the instrument to comply with a specified cyber security framework, for which an additional 12 months is provided before the responsible entity needs to be compliant.

Section 3 Definitions

This section sets out definitions of terms used in the instrument.

Section 4 Material risk

Section 4 of the instrument sets out that, under subsection 30AH(8) of the Act, a 'material risk' is taken to include any risk of the following impacts:
• an impairment of the asset that may prejudice the social or economic stability of Australia or its people, the defence of Australia or the national security of Australia (paragraph (a));
• any hazard that would cause the stoppage or major slowdown of the asset's functioning for an unmanageable period (paragraph (b));
• the substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the asset (paragraph (c));
• interference with the asset's operational technology or information communication technology essential to the functioning of the asset (paragraph (d));
• the relevant impact on the asset resulting from the storage, transmission or processing of sensitive operational information outside Australia (paragraph (e)); the term sensitive operational information is further defined in section 3;
• the relevant impact on the asset resulting from remote access to operational control or operational monitoring systems of the asset (paragraph (f));
• any other material risks as identified by the entity that affect the functioning of the asset (paragraph (g)).


Part 2 Requirements etc. for a critical infrastructure risk management program

Section 5 General

Subsection 5(1) of the instrument specifies general requirements that an entity must comply with when establishing and maintaining a critical infrastructure risk management program under paragraph 30AH(1)(c) of the Act. The requirements are that the program contains:
• a process or system for identifying the operational context of each Part 2A asset for which an entity is responsible (paragraph (a));
• a principles-based risk identification process used to identify risks to the entity's Part 2A assets (paragraph (b));
• a risk management process or system that includes, for each material risk, a process or system to consider the risk and minimise or eliminate the risk (paragraph (c));
• a process for reviewing the risk management program so that it remains compliant with the requirement to review the program in section 30AE of the Act (subparagraph (d)(i));
• a process for keeping the risk management program up to date so that it remains compliant with the requirement to keep the program up to date under section 30AF of the Act (subparagraph (d)(ii)).

Subsection 5(2) of the instrument specifies that, in deciding to adopt, review or vary a risk management program for section 30AKA of the Act, an entity must have regard to the matters mentioned in paragraphs (d) to (i).

Describing outcomes and interdependencies

Paragraphs 5(2)(d) and (e) of the instrument provide that the entity must have regard to:
• whether the program describes the outcomes of the process or system under paragraph 5(1)(a) for identifying the operational context of their Part 2A assets (paragraph (d)); and
• whether the program describes any interdependencies between their Part 2A assets and other critical infrastructure assets (paragraph (e)).

The purpose of paragraphs 5(2)(d) and (e) is to ensure that the program sets out the entity's process for identifying risk relating to the critical infrastructure assets for which it is responsible. This includes matters such as how the program will function on a daily basis, the kinds of relevant impacts that are most applicable to those assets, and interaction with other critical infrastructure assets.


Positions responsible for risk management

Paragraph 5(2)(f) of the instrument provides that the entity must have regard to whether the program identifies:
• each position within the entity that is responsible for developing and implementing the program (subparagraph (i));
• each position within the entity that is responsible for developing and implementing a minimisation or elimination referred to in subparagraph 5(1)(c)(ii) of the instrument (subparagraph (ii));
• each position within the entity responsible for reviewing the program or keeping the program up to date, as referred to in paragraph 5(1)(d) of the instrument (subparagraph (iii)).

Under paragraph 5(2)(g), the entity must have regard to whether the program includes contact details for the positions referred to in paragraph 5(2)(f).

The purpose of paragraphs 5(2)(f) and (g) is to ensure that details of the positions (and their contact details) responsible for developing and implementing a program, and for eliminating or mitigating risks, are set out in the program.

Risk management methodology

Paragraph 5(2)(h) of the instrument provides that the entity must have regard to whether the program describes a reasonable risk management methodology or the principles of a reasonable risk management methodology. The purpose of this provision is to ensure that the program contains a risk management methodology, or the principles of one. This will be an overview of the risk management methodology that the entity uses. Generally it should cover how risks are identified, the methods used, the people who should be involved and other methodological issues.

Review of the program

Paragraph 5(2)(i) of the instrument provides that the entity must have regard to whether the program describes the circumstances in which the entity will review the program (even if not required to do so by section 30AE of the Act). Section 30AE of the Act requires a responsible entity for a critical infrastructure asset to review its program on a regular basis. The purpose of paragraph 5(2)(i) is to ensure that the program describes how the entity will regularly review its program in accordance with section 30AE of the Act.

Section 6 Cyber and information security

Section 6 of the instrument sets out the cyber and information security hazard requirements that an entity's risk management program must comply with under the Act.


Subsection 6(1) provides that subsections (2) and (3) specify requirements for paragraph 30AH(1)(c) of the Act.

Subsection 6(2) requires that the entity must establish and maintain a process or system in the entity's critical infrastructure risk management program:
• to minimise or eliminate a material risk of a hazard that could have a relevant impact on the cyber and information security of the asset (paragraph (a)); and
• to mitigate the relevant impact of a hazard on the cyber and information security of the asset (paragraph (b)).

The purpose of subsection 6(2) is to require an entity's program to have the required level of preparedness to mitigate cyber security threats to their critical infrastructure assets.

Subsection 6(3) provides that, within 12 months of the compliance day, an entity must comply with either subsection 6(4) or 6(5).

Paragraph 6(4)(a) of the instrument requires that the entity's program must comply with one of the frameworks contained in the documents listed in the table, as in force from time to time. Paragraph 6(4)(b) requires that, if there is a condition mentioned in the item associated with the document, the entity must also comply with the condition.

The documents listed in the table are as follows:
• Australian Standard AS ISO/IEC 27001:2015 (item 1);
• the Essential Eight Maturity Model, published by the Australian Signals Directorate, with the condition that the entity is required to meet maturity level one (item 2);
• Framework for Improving Critical Infrastructure Cybersecurity, published by the National Institute of Standards and Technology of the United States of America (item 3);
• Cybersecurity Capability Maturity Model, published by the Department of Energy of the United States of America, with the condition that the entity is required to meet Maturity Indicator Level 1 (item 4); and
• The 2020-21 AESCSF Framework Core, published by Australian Energy Market Operator Limited (ACN 072 010 327), with the condition that the entity is required to meet Security Profile 1 (item 5).

A note to this provision indicates that:
• the document listed in item 1 of the table, as an Australian Standard, can be incorporated as in force from time to time as provided for in subsection 30AN(3) of the Act; and
• the other documents (items 2-5) are defined to be 'relevant documents' in subsection 30ANA(2) of the Act, and therefore can be incorporated as in force from time to time as provided for in subsection 30ANA(1).


EXPOSURE DRAFT Under subsection 6(5), an entity must alternatively comply with a framework that is equivalent to a framework mentioned in a document mentioned in subsection 6(4). The purpose of this provision is to provide industry with the necessary flexibility to comply with their statutory obligations by recognising alternative cyber security frameworks that achieve the desired uplift in security and resilience of the entity's Part 2A asset. Subsection 6(6) sets out a matters an entity must have regard to when adopting, reviewing or varying a critical infrastructure risk management program for section 30AKA of the Act. Under this provision, the entity must have regard to whether the cyber and information security risks, the occurrence of which could have a relevant impact on the asset, are described in the program. 'Cyber and information security risk' is defined in section 3 of the instrument. The matter that the entity must have regard to is whether the cyber and information security risks, the occurrence of which could have a relevant impact on the asset, are described in the program. Section 7 Personnel hazards Subsection 7(1) of the instrument provides that subsection 7(2) specifies the personnel hazard requirements that a critical infrastructure risk management program must comply with under paragraph 30AH(1)(c) of the Act. Subsection 7(2) provides that an entity must establish and maintain a process or system in the entity's program: • to identify the entity's critical workers (paragraph (a)). 
'Critical worker' is defined in section 3 of the instrument;
• to assess, on an ongoing basis, the suitability of a critical worker to have access to the critical components of the asset (paragraph (b));
• to minimise or eliminate material risks that negligent employees and malicious insiders may cause to the functioning of the asset (paragraph (c)); and
• to minimise or eliminate material risks arising from the off-boarding process for outgoing employees and contractors (paragraph (d)).

Subsection 7(3) provides that the process or system for considering the suitability of a critical worker to have access to critical components of an asset may be a background check under the AusCheck scheme.

Subsection 7(4) provides requirements for a background check of a critical worker under subsection 7(3). The requirements are that the background check must:
• include assessment of information relating to one or more of the matters mentioned in paragraphs 5(a), (b), (c) or (d) of the AusCheck Act 2007 (AusCheck Act), relating respectively to a criminal history check, an ASIO security assessment, an immigration status check and an identity check (paragraph (a));
• if the background check includes a criminal history check pursuant to paragraph 5(a) of the AusCheck Act, be assessed against criteria that will be set out in the instrument at a later date (paragraph (b)); and
• if the background check includes an identity check pursuant to paragraph 5(d) of the AusCheck Act, provide for how that check will be conducted: as an electronic identity verification check, an in-person identity verification check, or both (paragraph (c)).

A note to this provision for the purpose of the exposure draft indicates that subsections (3) and (4) have been included in the instrument to indicate how background checks under the AusCheck scheme will be enabled. The specific operation of the AusCheck scheme, including the criteria against which the background check will be conducted and the associated amendments required to the AusCheck Regulations 2017 to enable such background checks, will be the subject of further consultation before being finalised.

Subsection 7(5) sets out the matters an entity must have regard to when adopting, reviewing or varying a critical infrastructure risk management program for section 30AKA of the Act. Under this provision, the entity must have regard to:
• whether the program lists the entity's critical workers (paragraph (d)); and
• whether the personnel risks, the occurrence of which could have a relevant impact on the asset, are described in the program (paragraph (e)).

Section 8 Supply chain

Section 8 sets out the supply chain hazard requirements that an entity's critical infrastructure risk management program must comply with under paragraph 30AH(1)(c) of the Act (see subsection (1)).
Subsection 8(2) provides that an entity must establish and maintain in its program a process or system used to minimise or eliminate the material risk of, or mitigate the relevant impact of:
• unauthorised access, interference or exploitation of the asset's supply chain (paragraph (a));
• misuse of privileged access to the asset by any provider in the supply chain (paragraph (b));
• disruption and sanctions of the asset due to an issue in the supply chain (paragraph (c));
• threats to people, assets, equipment, products, services, distribution and intellectual property within supply chains (paragraph (d));
• high risk vendors (paragraph (e)); and
• any failure or lowered capacity of other assets and entities in the entity's supply chain (paragraph (f)).

The purpose of subsection 8(2) is to ensure that an entity's program contains the necessary detail regarding the steps the entity is taking to secure the supply chains necessary for the operational continuity of its critical infrastructure asset, as well as the practices it is implementing to continually monitor and enhance its supply chain security.

Section 9 Physical security hazards and natural hazards

Section 9 of the instrument sets out the physical and natural hazard requirements that an entity's critical infrastructure risk management program must comply with under paragraph 30AH(1)(c) of the Act (see subsection (1)). Subsection 9(2) provides that an entity must establish and maintain a process or system in the entity's program:
• to identify the parts of the asset that are critical to the functioning of the asset (the critical sites) (paragraph (a)); and
• to minimise or eliminate a material risk of, or mitigate, a relevant impact of a physical hazard on a critical site (paragraph (b)); and
• to respond to incidents where unauthorised access to a critical site occurs (paragraph (c)); and
• to control access to critical sites, including restricting access to only those individuals who are critical workers or accompanied visitors (paragraph (d)); and
• to test that security arrangements for the asset are effective and appropriate to detect, delay, deter, respond to and recover from a breach in the arrangements (paragraph (e)); and
• to minimise or eliminate a material risk of, or mitigate, a relevant impact of a natural hazard on the asset (paragraph (f)).

The purpose of subsection 9(2) is to ensure that an entity's program contains the necessary detail regarding its processes for managing and mitigating a variety of physical and natural hazards to its critical infrastructure assets, as well as recovery procedures for circumstances where a natural hazard disrupts the business operations of the asset.

Subsection 9(3) sets out the matters an entity must have regard to when adopting, reviewing or varying a critical infrastructure risk management program for section 30AKA of the Act.
The matters that the entity must have regard to are:
• whether the asset's critical sites are described in the program (paragraph (d));
• whether the physical hazards, the occurrence of which could have a relevant impact on a critical site, are described in the program (paragraph (e));
• whether the security arrangements for the asset are described in the program (paragraph (f)); and
• whether the natural hazards, the occurrence of which could have a relevant impact on the asset, are described in the program (paragraph (g)).