
With increased threats to critical infrastructure worldwide, the Australian Federal Government has heightened cyber security requirements for providers of services critical to Australian infrastructure.
Regulatory changes to the critical infrastructure legislation expanded its scope to apply to more industries. The changes also make company directors personally accountable for cyber security failures in these areas.
The amendments to the Security of Critical Infrastructure (SOCI) Act 2018, which came into effect 1 April 2022, give the Federal Government unprecedented powers to enforce the obligations of the organisations concerned. The Act addresses national security risks to Australia's critical infrastructure arising from foreign interference such as espionage, sabotage and coercion.
The amendments also introduce a mandatory cyber incident reporting obligation. Responsible entities must report an incident to the Australian Cyber Security Centre within 12 hours of becoming aware that it is having a significant impact on the availability of the asset, and within 72 hours of becoming aware of an incident having a relevant (lesser) impact.
What are the critical infrastructure sectors with cyber security obligations in Australia?
The scope of what is considered a critical infrastructure asset now covers 11 sectors.
- Communications — critical telecommunications, broadcasting, domain name system
- Data storage or processing
- Defence industry
- Energy — critical electricity, gas, energy market operation, liquid fuel
- Financial services and markets
- Food and grocery — critical food and grocery assets
- Healthcare and medical — a critical hospital
- Higher education and research — a critical education asset
- Space technology
- Transport — critical port, freight infrastructure, public transport, aviation assets
- Water and sewerage.
What are the critical infrastructure cyber security obligations?
The Act significantly increases the Federal Government's ability to enforce obligations on the owners and operators of critical infrastructure assets and to intervene in the security response of private organisations.
Under the SOCI amendments, responsible entities for critical infrastructure assets are required to adopt and maintain a critical infrastructure risk management program, and to submit an annual report on that program, approved by their board, council or other governing body, to the government's Cyber and Infrastructure Security Centre.
In developing the program the organisations concerned must also comply with a set of risk management rules covering cyber and information security hazards, personnel hazards, supply chain hazards, physical security hazards and natural hazards.
Reporting of cyber incidents in these industries is obligatory, with hefty penalties for failure to comply. Significantly, company directors can be held personally accountable if the response to a cyber breach is found to be lacking.
Providers of key public services that fail to register their critical infrastructure assets, or to put in place the risk management and continuity plans required to protect them, potentially face government intervention under extraordinary powers.
Extra government powers over infrastructure cyber security
The revised SOCI Act provides for government assistance measures that give the government last-resort powers where no existing regulatory framework applies to a cyber incident likely to seriously prejudice Australia's social or economic stability, defence or national security.
Under these powers the Minister for Home Affairs can authorise the Secretary of the Department of Home Affairs to direct an organisation to take specific actions in response to an incident, provided the organisation has been consulted and the Minister is satisfied that it is unwilling or unable to take the action deemed necessary itself.
Cyber security is a board-level management issue
This legislation extends responsibility for cyber security from the IT division to the boardroom. It puts the focus on cyber security strategy and protection, affects how businesses approach risk management, and requires documented protocols for responding to cyber incidents.
As well as implementing measures to prevent cyber attacks, businesses also need to address the risks in the data they hold and in their supply chain. They need to know what information they hold, where it is stored, how it is secured, and what the procedures are for protecting it and for disposing of it when it is no longer needed.
Similarly, they need to ascertain the cyber security provisions in place across their supply chain and ensure that those too are adequate.
How Gallagher can help
In addition to cyber insurance protection, Gallagher offers expertise, advice and resources for building the business resilience needed to withstand cyber security incidents.