In December 2020, the Australian government proposed major changes to the Security of Critical Infrastructure Act. Those changes will soon be released for Royal Assent, the final hurdle before passage into law in Australia. Whether or not this comes as a surprise to the many organisations that work with or own Australian critical infrastructure, it is time to revisit what it will mean for Australian and multinational companies affected by the changes in terms of scale, depth of requirements, and timing for compliance.
Before we dive into the details, let’s recap the December 2020 amendments. Building on the original 2018 legislation, the changes significantly expand the law’s focus from foreign ownership across four sectors into:
The original four sectors are now 22 organisation classes and their related supply chains.
In a nutshell
In a nutshell, this new version captures many more organisations and introduces substantially more security and risk obligations.
The new laws also give the sitting Minister for Home Affairs the power to bring individual companies into the Act’s reach (or remove them from it) and then, with little notice, enforce mandatory security obligations. This means that any organisation could be in scope, and if you are a supply chain partner to one of the 22 organisation classes, you will certainly be included.
These changes result from the dramatic increase in high-profile cyber breaches across both the Australian public and private sectors and the continuing successes of malicious actors against known, patched, or mitigated vulnerabilities.
What does this mean for your organisation?
This is a smart strategy by a government that wants to respond quickly in an increasingly hostile cyber environment. However, the speed of these changes will catch many organisations and their supply chain partners unprepared.
Prepare now to show proof of compliance with this law when engaging with Australian critical infrastructure. This means that you must be able to show the company or the Australian government your:
It will be almost impossible for any but the largest organisations to navigate the Act or to undertake this preparation without professional support. We recommend that you engage quickly, be prepared, and ensure not only compliance with the Act but also the security of your business, employees, clients, and stakeholders.
Ampion, an Australian-based Wipro Company, can advise you on risk and incident response planning and third-party risk management, and can conduct vulnerability assessments and cyber exercises.
Chief Security Officer and Consultant, Ampion, a Wipro Company
Richard recently joined Ampion, a Wipro company, as Chief Security Officer and Consultant.
Richard is a highly experienced security and intelligence professional with diverse experience across the Australian Federal Government and the commercial sector. He has an advanced understanding of applying protective and cyber security, intelligence, risk, and governance, and has proven experience in delivering high-profile engagements for a wide range of clients up to and including the Prime Minister.
Richard has a friendly and confident persona and a track record of engagement with multinational partners on national security issues. With more than two decades of leadership experience in the direct management and motivation of teams and the application of behavioral psychology, Richard delivers superior security outcomes.