After a lengthy traverse through the various stages of parliament, the final updates to the Security Legislation Amendment of the Critical Infrastructure Protection Act (SLACIP) passed at the end of March, 2022. This Act forms the final part of amendments made to the Security of Critical Infrastructure Act 2018 (SOCI).
These amendments introduced sweeping changes to cybersecurity requirements across critical infrastructure entities, as well as broadening the inclusion of what types of entities are considered to be critical infrastructure.
While the compliance burden of the changes is considerable, the updates have been broadly welcomed by the cybersecurity community given the ongoing increase in cyber threats to this sector.
Below we've outlined the pertinent information in terms of who now needs to comply, the types of activities required, and what you can start doing now to ensure you're on track for compliance.
Entities in the immediate commencement group include:
Entities in the secondary commencement group include:
Given that we're still waiting for the Risk Management Program Rules to be released, entities in the immediate commencement group are likely looking at a 6-month grace period once the risk management framework has been released, with a period of eighteen months for those having to comply with specific parts of the cyber framework.
Penalties for failure to comply vary based upon the specific failure and the type of entity, and are broken up into what's referred to as "penalty units".
These penalties are considerable, with fines for corporations reaching as much as $222,000 and $44,400 for non-corporate entities in the event that they fail to take reasonable steps to comply with the risk management program. Other penalty units attributed to failures to submit annual reports can mean a fine of $166,500 for corporations and $33,310 for non-corporate entities.
It's important to note that any entity or person who holds a 10% or above interest (labelled as a direct interest holder in the legislation) in a critical infrastructure asset may also be held liable for failure to comply.
In terms of what a risk management program must contain, the rules are not overly descriptive. However, a risk management program must:
Additional reporting responsibilities will come into play, with mandatory incident notification timeframes: a significantly impacting incident must be reported within 12 hours, and a relevant impacting incident must be reported within 72 hours.
Some entities will have to comply with enhanced cybersecurity obligations; these organisations will be contacted directly by the Department of Home Affairs. The enhanced cybersecurity obligations include:
While the exact timing for compliance remains relatively unclear, it's important that entities who will be affected by the bill begin preparations now. Specifically, all organisations can begin to consider budgetary requirements for the significant amount of costly work that will need to be completed to comply. Estimates by the Department of Home Affairs put the average cost of achieving full compliance at around $9 million to start, with ongoing costs in the arena of $3 million.
Our governance, risk, and compliance team can assist Critical Infrastructure Organisations in line with the new legislation. Contact us to speak to a member of our knowledgeable team.