With the risks of cyber security now spanning across different businesses and industries, this law firm partner explains what the newly implemented reforms to the Security of Critical Infrastructure Act mean for firms.
Melissa Tan is a partner and head of cyber insurance at Lander & Rogers. Speaking recently on The Lawyers Weekly Show, she discussed the state of affairs within the cyber security sector — and unpacked the full package of reforms to the Security of Critical Infrastructure Act.
“In Australia, the government defines the critical infrastructure as those physical facilities, supply chains, information technologies, and communication networks, which, if destroyed, degraded, or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security,” she explained.
“From these keywords in this definition, you can tell that critical infrastructure really refers to any sector or any industry which can really impact on the livelihood of Australia as a whole, and the economic and social wellbeing of the citizens within Australia. It’s anything that you can think of that will impact our livelihood, be it utilities, like electricity or gas, or transport, or just food, the basic necessity for survival and healthcare. The idea behind it is that for a nation like Australia or any other country, or any other nation, to be able to survive and defend itself, it needs to protect these different industries which are considered critical for the survival of the country.”
Reforms to the act were flagged about 18 months ago and have now been implemented in two tranches, the first in December 2021 and the second in April 2022, bringing a number of key changes.
“For the survival of the country, it’s really no longer just utilities and transport; it’s more than that. And that’s why the reforms actually extended the reach of the SOCI Act from four sectors, which are your electricity, gas, water, [and] maritime port sectors, to 11 sectors and 22 asset classes, and that includes things like food, health, defence, even space. The second change was that they imposed three positive security obligations on critical infrastructure owners and operators. This is again, as I mentioned, largely to address the cyber risk that is faced by critical infrastructure.
“These three positive security obligations (PSOs) are these three things. Firstly, what I call an information provision PSO, which really imposes an obligation on all these 11 sectors to report their ownership and operational information about their critical infrastructure assets. The second positive security obligation is the mandatory cyber incident notification PSO, and this imposes an obligation to notify about cyber incidents. Now, the time frame to notify really depends on whether your incident is critical or not. If it’s critical, then you will need to report within 12 hours of becoming aware of the incident. For other, non-critical cyber security incidents, you have about 72 hours to notify,” Ms Tan noted.
“The third PSO is your risk management program PSO, which really imposes an obligation on the responsible entities of critical infrastructure assets to adopt and maintain this risk management program, which will include regular review and updating, constant updating. What this means is that responsible entities are expected to take what I call an all-hazards approach, having such a program cover four key hazards that are key at the moment. These are, firstly, your cyber and information security hazards; secondly, your personnel hazards, which are basically your insider threats; thirdly, your supply chain hazards; and fourthly, your physical and natural hazards.”
Furthermore, the reforms also brought in the introduction of a concept called “systems of national significance”, Ms Tan explained.
“Systems of national significance are really a subset of the critical infrastructure assets that have an additional element of criticality to them, based on their national significance. These might be personally and privately declared, and it is an offence to actually disclose it, so there’s an element of secrecy around what these systems of national significance are. But what they do have is enhanced cyber security obligations attached to them. And some examples are, for example, undertaking a cyber security exercise, a vulnerability assessment, and even allowing the Australian Signals Directorate access to your system information by installing certain software to transmit that system information back to the government,” she said.
“The final key change is the enhancement of the government’s power to intervene and provide assistance in the event of what they call a serious cyber security incident. This will include the power to make an information-gathering direction, an action direction, or an intervention request. And there are actually civil penalties that are applicable if there’s non-compliance with any of the obligations I just mentioned, or any of the directions from the government. As you can see, the reforms really drill down to these four aspects, which not only increase the reach of the act, but also increase the positive obligations required, and the government’s ability to come in to assist and intervene.”
Overall, Ms Tan said that these conversations are especially important to be having now that cyber security risks and challenges span all sectors and businesses.
“It’s such an important area only because it cuts across every industry, every size of business, and every individual; it really does not discriminate. It’s just an area where, as long as you have an iPhone, as long as you have a connection to the internet, you will be impacted somehow; the question is only when. That’s why it’s so important and so topical. And also, that’s why it’s so difficult to grapple with for some people because it’s so deep and it cuts across everywhere, and it’s broad,” she said.
“So, I think it can be very overwhelming when you try to manage a risk that’s called cyber risk because you probably don’t know where to start. But I think that’s where I think there’s value in people like us who are experts in this area, who are able to guide people along the way, be it a business or an individual, as to what they should be doing around this particular risk.”
The transcript of this podcast episode was slightly edited for publishing purposes.