In response to the growing number of cyber-attacks against Australia’s critical infrastructure, the Parliamentary Joint Committee on Intelligence and Security has introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which expands Government powers to assist, intervene, and direct critical sectors (e.g. healthcare, transport, financial services, and defence) in respect of cyber threats and risk management.
WHAT ARE THE PROPOSED CHANGES?
The Joint Committee has recommended the Bill be separated into two Bills. The first Bill would implement the Government’s extended powers, whilst the second would impose risk management obligations on critical sectors. If passed, Bill One would grant three additional powers to the Government to intervene in the event critical infrastructure is under threat. It would:
- require a business to disclose information that may assist in responding to an incident;
- require a business to take certain action in circumstances where the business is unwilling or unable to resolve the incident itself; and
- authorise the Australian Signals Directorate to step in to act where the business is unwilling or unable to act, or directing the business to act would not be practical or effective.
Bill One would also mandate oral notification of a cyber-attack to the relevant Government body within 12 hours, with possible removal of the written notification requirement or, at least, an extension of its deadline from 48 to 84 hours. Bill One will also identify and define the critical infrastructure sectors and the relevant critical assets affected. This is important because it has the potential to widen the scope of “national security business” under the Foreign Acquisitions and Takeovers Act, resulting in more transactions being subject to approval under that Act.
Bill Two will likely be deferred to enable industry consultation and to deal with the more critical areas covered under Bill One. However, Bill Two will propose to establish an obligation on national security businesses to adopt and maintain a critical infrastructure risk management program, including physical security, personnel security, and supply chain security. The risk management program will have commonalities across all industries but will also be specifically tailored to certain sectors. Particular sectors may be nominated by the Minister as having the highest criticality, meaning these assets are required to cooperate closely with the Government on cyber security matters through the ‘enhanced cyber security obligations’.
NEXT STEPS FOR YOUR ORGANISATION
Businesses or entities in critical infrastructure should prepare to comply with the new measures. Current risk management programs, particularly cyber-attack response plans, business continuity planning, and contractual obligations regarding the supply chain, should be fully reviewed and updated. We encourage you to consult your broker about your insurance program to ensure your coverage is adequate. You may also consider undertaking a cyber pre-loss review through an industry specialist.
The Government is currently in consultation with the financial services and payment systems sector and the food and grocery sector. Updates on the consultation process are available via the Department of Home Affairs website and the Cyber and Infrastructure Security Centre website.