29 June 2022
#Corporate & Commercial Law, #Data & Privacy, #Environmental, Social and Governance (ESG)
As the dust settles on the suite of Security of Critical Infrastructure Act 2018 (SOCI Act) amendments that were finalised earlier this year, we provide some initial observations about how the regime impacts critical infrastructure entities and tips for entities that are newly captured under the legislation.
The definition of ‘critical infrastructure asset’ is sector-specific, and fundamentally relies on a broad definition of ‘asset’.
One question that we have seen arise in relation to the SOCI Act’s application is how to disentangle corporate assets to identify whether the legislation captures one or more of these assets. Entities should keep in mind that ‘asset’ is itself defined extremely broadly and can refer to networks, facilities or computer data, among other ‘things’. This definition informs the further definitions of ‘critical infrastructure asset’ which may be relevant to your sector.
Given the granular detail in the various definitions of ‘critical infrastructure asset’, it is advisable to seek legal advice about the basic question of whether you have critical infrastructure assets in your purview and whether your relationship with those assets incurs particular obligations under the legislation.
Yes, it is. And if that is the case, you will need to meet the reporting requirements for both roles.
Entities that have dealt with or owned critical infrastructure assets for some time will likely be familiar with the obligation under the SOCI Act to report certain information to the Home Affairs Department’s Register.
The information that your entity needs to provide will differ depending on whether you are a ‘responsible entity’ or a ‘direct interest holder’. Whether you fall into one or both of these definitions depends on various sector-specific definitions provided under the Act.
For example, the ‘responsible entity for a critical electricity asset’ will be the entity that holds the licence, approval or authorisation (however described) to operate that asset and provide the service to be delivered by the asset (unless the rules prescribe otherwise). A ‘direct interest holder of a critical electricity asset’ will be any entity that, together with its associates, holds an interest of at least 10 per cent in the asset or holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.
Clearly, it is possible for a single corporate entity to hold the relevant lawful permission to operate an asset and also hold an interest in that asset. In those circumstances, the entity would need to make sure it is reporting the information that is required to be reported by responsible entities, as well as the information required to be reported by direct interest holders.
Many obligations and definitions under the SOCI Act depend on Ministerial rules to identify their scope. Some of these rules have been issued – the application of the reporting requirements and the application of the cyber-security notification obligations are defined in the Security of Critical Infrastructure (Application) Rules 2022. However, the application of the requirement to implement a critical infrastructure management program (CIRMP), arguably one of the more burdensome obligations, is not yet defined under Ministerial rules. That being so, it is a good idea for entities responsible for critical infrastructure assets to consider early what implementation of a CIRMP would look like for their business to prepare for the release of Ministerial rules on this obligation.
Our previous article outlining the CIRMP obligation and what this entails can be read here.
If you are a responsible entity for a critical infrastructure asset, and you use a data storage or processing service that is provided on a commercial basis by a third party, and that service relates to ‘business critical data’, you are currently under an obligation to notify that third party of this fact.
Penalties apply for non-compliance. The rationale for this obligation may be that those data service providers, having been notified of the nature of the data that they store, will then be in a position to comply with their obligations under the SOCI Act to report as a responsible entity for a ‘critical data storage or processing asset’.
The SOCI Act gives powers to the Commonwealth to react to certain security threats in prescribed circumstances by requiring an entity to provide certain information to the Commonwealth, to do or not do something, or, in more drastic circumstances, to have the Australian Signals Directorate (ASD) intervene in the affairs of an entity.
These Commonwealth powers may impact entities that do not have one of the prescribed relationships to a critical infrastructure asset under the SOCI Act. For example, a landlord that has leased their land to an entity that is operating a critical infrastructure asset on the land, and that – outside of the lessor or lessee relationship – has no further relationship to that asset, may be subject to information-gathering directions or intervention by ASD in the event of a cyber-attack on that critical infrastructure asset. While this is a technical possibility, how the Commonwealth will interpret and employ these powers in the event of a serious cyber-security incident is yet to be seen.
Regardless of where your company is based, we can help you understand how these considerations impact your investment, ownership and operation of critical Australian infrastructure assets, and the increasingly complex regulatory environment around cyber and data security, privacy, safeguarding national interest and related ESG (environmental, social and governance) issues.
If you have any questions or need assistance with understanding and implementing your obligations under the SOCI Act, or helping you to prepare for and respond to cyber security incidents., contact us below or get in touch with our team here.
Authors: Carl Hinze, Jeanne Vallade & Jean Lukin
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.