Australia’s updated critical infrastructure regime came into effect this week, with amendments to the Security of Critical Infrastructure Act 2018 receiving royal assent. Banks and financial market operators are covered for the first time.
The new law increases the Federal Government’s power to impose obligations on the owners and operators of critical infrastructure assets, a move that has attracted some criticism.
The new law has been introduced in two parts: Security Legislation Amendment (Critical Infrastructure) Bill 2021 was passed last November; and Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 was passed last month.
The original legislation has been amended to cover additional industry sectors beyond the original electricity, gas, water and ports.
The new sectors include financial services, communications, data storage and processing, defence industry, higher education, energy, health care, space technology, transport, water and sewerage, food and grocery.
Financial services includes banks and other authorised deposit-taking institutions (ADIs), financial markets, financial benchmark providers, payment systems, derivatives trade repositories, clearing and settlement facilities, credit facility businesses, and insurance and superannuation businesses.
Individual institutions will not know whether they are covered until the Minister for Home Affairs makes rules. Following consultation with industry, the Minister may make rules prescribing particular banks and financial market operators as critical to the sector or establish threshold attributes for determining criticality.
The explanatory memorandum accompanying the legislation says: “A significant disruption to financial market infrastructure assets would have a detrimental impact in terms of public trust, financial stability and market integrity and efficiency.
“A severe compromise of any of Australia’s major banks has the potential for significant and lasting economic and security impacts, given their high volume of retail customers as well as important government and business customers.”
Under the legislation, the government will provide support for critical infrastructure assets in response to significant cyber attacks.
In return, the owners and operators of critical infrastructure take on additional security obligations, including maintaining a risk management program that addresses cyber threats and mandatory reporting of cyber incidents.
The entities responsible for assets covered by the new law must provide ownership and operational information to the Secretary of the Department of Home Affairs for inclusion in the Register of Critical Infrastructure Assets.
The law also allows the Minister for Home Affairs to direct an entity to do, or refrain from doing, a specified act if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security. This directions power can be used to require a reporting entity to take action to mitigate such risks.
A “last resort” government assistance power would allow the Australian Signals Directorate to intervene directly in the systems of a critical infrastructure asset during a serious cyber incident. The law also envisages a situation where a company would be ordered to install government-specified software on its network to collect and report system information.
The law also gives the government power to monitor compliance.
Some of these powers have been criticised as excessive by the Australian Information Industry Association and the Information Technology Industry Council.