Risk management program obligations have now been ‘switched on’ by the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules), which commenced on 17 February 2023. These obligations recognise the serious implications that disruptions and threats to critical infrastructure can have for the Australian public, economy and national security. In particular, they arise from the concern that “existing regulatory frameworks and market forces are insufficient to protect critical infrastructure against all hazard threats in a consistent and coordinated manner”.[1]
As highlighted in our previous articles here and here, the first two positive security obligations under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) were switched on last year (mandatory notification of cyber security incidents, effective from 8 July 2022, and Register reporting requirements, effective from 8 October 2022). The foreshadowed third obligation under Part 2A of the SOCI Act, requiring certain entities to implement a risk management program, has now been switched on, following industry consultation.
There is no prescribed format for the required written risk management program, given that each asset will have its own operational context and associated risks. Entities have been encouraged by the Cyber and Infrastructure Security Centre (CISC) to supplement and add to any existing frameworks and processes in meeting the new obligation, and adopt a robust, holistic and proactive approach to securing their assets. CISC describes the obligation as “a great opportunity for owners and operators to ‘think big’ and take an ‘all hazards’ approach to safeguarding their business, assets, and people”.[2]
Who is Subject to the Obligation?
The following 13 classes of critical infrastructure assets are specified by the CIRMP Rules:[3]
As such, responsible entities for critical infrastructure assets within any of the above asset classes will be subject to the risk management program obligation.[4]
As noted here, entities should carefully assess whether or not a given asset within these 13 asset classes is a “critical infrastructure asset” by reference to the definitions in both the SOCI Act and the Security of Critical Infrastructure (Definitions) Rules 2021 (Cth). A private Ministerial declaration under s 51 of the SOCI Act may also render an asset critical and subject to the risk management program obligation.[5]
What are the Requirements of a Risk Management Program?
Responsible entities caught by the new obligation must now adopt, maintain, comply with, review, keep up to date and report on a written risk management program.[6]
The program must identify each hazard that, if it occurred, would pose a material risk of a relevant impact on the asset. The program must then, so far as reasonably practicable, minimise or eliminate any material risk of such a hazard occurring, and mitigate the relevant impact of the hazard should it occur.[7]
“Relevant impact” is defined to include a direct or indirect impact on an asset’s availability, integrity or reliability, or on the confidentiality of information about the asset.[8] Whether a risk is “material” is assessed by reference to both the likelihood of the hazard occurring and the relevant impact the hazard would have on the asset.[9] The CIRMP Rules specify that material risks include, for example, stoppages or major slowdowns of the asset for an unmanageable period, deliberate or accidental manipulation of a critical component of the asset, and the storage, transmission or processing of sensitive operational information outside Australia.[10]
The CIRMP Rules specify a number of other particular requirements for a risk management program, such as a risk identification process, a process or system to minimise/eliminate each material risk and mitigate its impact, a risk management methodology, a process for reviewing the program and keeping it up to date, and the designation of responsibilities for these tasks.[11]
More prescriptive requirements apply for four key hazard types:
Personnel hazards – Material risks may arise from both malice and negligence of critical workers, and occur from initial hiring decisions through to the off-boarding process. A risk management program must include suitability assessments for all employees and contractors with access to an asset’s critical components. The CIRMP Rules encourage the use of the AusCheck background checking scheme in assessing the suitability of critical workers.
Supply chain hazards – Threats may include malicious people, both internal and external, who exploit, misuse, access or disrupt the supply chain. Vulnerabilities also arise from over-reliance on particular suppliers. Entities must ensure that their risk management program identifies their major suppliers and the supply chain hazards which could have a relevant impact on the asset.
Physical security and natural hazards – Depending on an asset’s operating environment, material risks may range from oil or chemical spills through to bushfire, flood or biohazards. Entities must ensure that their risk management program incorporates controls such as restricting personnel and visitor access to an asset’s physical critical components, and testing of security arrangements and breach recovery procedures.
Cyber and information security hazards – In the context of the worsening cyber threat environment, experienced acutely across all Australian industry sectors, risk management programs must ensure compliance with one of the following (or its equivalent):
By When?
In recognition of the substantial nature of the risk management obligation and the significant steps, time and cost that businesses will need to achieve compliance (particularly in bringing their cybersecurity programs up to the required baseline), the following staged timeframes apply:
Responsible entities for assets subject to the CIRMP Rules must submit an annual report on their risk management programs. Reports must be approved by an entity’s Board or other governing body and submitted in approved form to the Reserve Bank of Australia (for payment system assets) or to CISC (otherwise), within 90 days of the end of the Australian financial year.[14] CISC has advised that the first annual report required will be for FY2023-2024, which must be submitted between 30 June and 28 September 2024.[15] However, CISC strongly encourages the voluntary submission of a “[not] overly complex or detailed” report for FY2022-2023, to “provide a ‘pulse-check’” on how entities are progressing with their risk management programs.[16]
On the Horizon: Further Cyber Laws for Critical Infrastructure, Industry and Government
While the risk management program obligation is the third and final positive security obligation to be switched on under the SOCI Act, more legislative activity can be expected in this space.
Extensive reforms to Australia’s cybersecurity laws have been foreshadowed, with the release of the 2023-2030 Australian Cyber Security Strategy Discussion Paper[17] and the establishment of the Department of Home Affairs’ new National Office for Cyber Security, to be led by a Coordinator for Cyber Security. Key developments to be aware of include:
For now, affected responsible entities should ensure their risk management programs meet all mandatory requirements within the applicable 6-month and 18-month grace periods, and are effectively and consistently complied with, maintained, reviewed, updated and reported on. Doing so will not only satisfy the newest statutory obligations, but also help safeguard both the asset and the financial, reputational and other interests of its owner or operator.
[1]Explanatory Statement to the CIRMP Rules, [18].
[2]Cyber and Infrastructure Security Centre, Risk management – frequently asked questions (20 October 2022).
[3]Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (‘CIRMP Rules’) s 4(1).
[4]Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI Act’) ss 30AB–30AD.
[5]SOCI Act s 30AB(1)(b).
[6]SOCI Act ss 30AC–30AG.
[7]SOCI Act s 30AH(1).
[8]SOCI Act s 8G.
[9]SOCI Act s 30AH(7).
[10]CIRMP Rules s 6.
[11]CIRMP Rules s 7.
[12]CIRMP Rules s 4(2). If an asset later becomes a critical infrastructure asset to which the CIRMP Rules apply, a responsible entity will then have a grace period of 6 months to develop its risk management program from the date on which the asset became a critical infrastructure asset.
[13]CIRMP Rules s 8(3).
[14]SOCI Act s 30AG; CIRMP Rules s 5. Annual reports are also required for certain assets not covered by the risk management program obligation but prescribed by SOCI Act s 30AQ (including where strategic level hosting certificates issued by the Digital Transformation Agency are held).
[15]https://www.cisc.gov.au/legislative-information-and-reforms/critical-infrastructure/regulatory-obligations.
[16]Ibid.
[17]Released on 27 February 2023. See: https://www.homeaffairs.gov.au/reports-and-pubs/files/2023-2030_australian_cyber_security_strategy_discussion_paper.pdf.