Spotlight on the Critical Infrastructure Bill
New national cybersecurity laws designed to boost protection of critical assets may soon be put to a vote in federal parliament.
The Critical Infrastructure Bill, currently under review by a joint Senate and House of Representatives committee, was the subject of scrutiny at a recent public hearing with legal and cybersecurity experts expressing concerns about a number of aspects of the Bill. No date has been set for the Committee’s final report or a vote in Parliament, but it is currently expected to be put to a vote in the second half of 2021.
Of particular interest to Governance Institute members are the potentially wide-reaching governance and risk implications of the Bill, including potential conflicts with directors’ duties, an additional compliance burden for boards, and regulatory overlap.
Governance Institute is monitoring the passage of the Bill closely and will keep members updated on any developments.
The Bill at a glance
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced to Parliament in December 2020 following public consultation and the receipt of almost 200 submissions, including from Governance Institute of Australia.
The Bill seeks to amend the Security of Critical Infrastructure Act 2018 (Cth) (the ‘SOCI Act’). This Act currently provides that certain ‘critical infrastructure assets’ must be included on a national register for reasons related to national security. Currently, only four sectors (electricity, gas, water and maritime ports) are affected.
The Bill would significantly expand the definition of critical infrastructure assets and extend sector coverage to:
- financial services and markets
- the communications sector
- data storage and processing
- energy
- universities
- defence industry
- food and grocery
- healthcare and medical
- space technology
- transport
- water and sewerage.
The Bill has heavy involvement from the Department of Home Affairs and the Australian Signals Directorate (ASD), the foreign intelligence and cyber defence agency. While the Bill has a cyber security focus, it also adopts an “all-hazards” approach.
Key measures of the Bill
| Measure | Description |
| --- | --- |
| Critical Infrastructure Risk Management Program | Entities that operate assets deemed to be critical infrastructure may need to adopt and maintain an ‘all-hazards’ Critical Infrastructure Risk Management Program that includes both natural and human-induced risks. The Government proposes to implement the Critical Infrastructure Risk Management Program with generic Governance Rules that sit alongside sector-specific rules. The Governance Rules were subject to an industry co-design phase in March 2021, in which Governance Institute participated. The sector-specific rules are currently out for consultation. |
| Enhanced cyber security obligations | Some critical infrastructure assets will be designated ‘systems of national significance’ and be subject to enhanced cyber security obligations, including cyber security incident response plans and vulnerability assessments. |
| ‘Last resort’ powers enabling government intervention during cyber attacks | The Minister for Home Affairs will be given authorisation powers, on national security grounds, to:<br>Concerns have been raised about a lack of checks and balances on these powers or avenues for review or appeal. |
| Register of Critical Infrastructure Assets | Where required, entities covered by the Act may need to provide ownership and operational information to the Register of Critical Infrastructure Assets, to give the Government visibility of who owns and controls Australia’s critical infrastructure. |
Governance and risk implications
| Issue | Description |
| --- | --- |
| Sector-wide regulatory duplication | Regulatory duplication is the key issue raised by industry stakeholders, who are concerned it may cut across existing requirements in a number of sectors, especially on the Risk Management Governance Rules. Government has responded with a commitment to ‘look to use existing frameworks and avoid duplication where it can be clearly evidenced that such a framework can adequately meet the requirements of the Program’. |
| Conflict with directors’ duties in Corporations Act | Several stakeholders have expressed concern that the directors of regulated entities may be exposed to the risk of shareholder legal action for breach of duty if they follow government direction during a cybersecurity incident. There is no legal immunity for directors in the Bill. |
| Regulatory overlap for companies operating in Victoria | The Office of the Victorian Information Commissioner, which administers the Victorian Privacy and Data Protection Act (PDPA), is calling for a carve-out for Victoria. It is concerned that duplication will ‘confuse the industry’. The PDPA’s protected data security requirements extend to any private company that provides services, functions and software to the Victorian government. Examples are large IT companies and toll road operators. |
| Regulatory overlap in the banking sector | APRA-regulated entities already need to comply with CPS 234 Information Security. The Law Council has expressed concerns around ‘unintended consequences’ that may “detract from the efficiency of organisations having appropriate corporate governance around these matters”. |
| Annual risk reporting at board level | Section 30AG of the Bill requires boards of directors of regulated entities to issue annual risk management reports to the Commonwealth Government. |
| Compliance-based approach | The Victorian Information Commissioner says the current Bill takes a ‘checklist’ approach to cybersecurity based around compliance with minimum standards, with civil penalties. The Commissioner would prefer a ‘security awareness’ and ‘capability building’ approach. ‘When the stick is applied, people generally try to obfuscate… That’s not necessarily a productive way. It becomes security theatre,’ the Commissioner told Parliament on 11 June. |