In December 2020, the Australian government proposed major changes to the Security of Critical Infrastructure Act. Those changes will soon be released for Royal Assent, the final hurdle before passage into law in Australia. Whether or not this comes as a surprise to the many organisations that work with or own Australian critical infrastructure, it is time to revisit what it will mean for Australian and multinational companies impacted by the changes in terms of scale, depth of requirements, and timing for compliance.
Before we dive into the details, let’s recap the December 2020 amendments. Building on the original 2018 legislation, the changes significantly expand the law’s focus from foreign ownership across four sectors to:
- Cyber preparedness
- Vulnerability assessments
- Risk management
- Mandatory cyber incident reporting
The original four sectors are now 22 organisation classes and their related supply chains.
In a nutshell
This new version captures many more organisations and introduces substantially more security and risk obligations.
The new laws also give the sitting Minister for Home Affairs the power to bring individual companies within the Act’s reach (or remove them from it) and then, with little notice, enforce mandatory security obligations. This means that any organisation could be in scope, and that if you’re a supply chain partner to one of the 22 organisation classes, you’re certainly going to be included.
These changes result from the dramatic increase in high-profile cyber breaches across both the Australian public and private sectors and the continuing successes of malicious actors against known, patched, or mitigated vulnerabilities.
What does this mean for your organisation?
This is a smart strategy by a government that wants to respond quickly in an increasingly hostile cyber environment. However, the speed of these changes will catch many organisations and their supply chain partners unprepared.
Prepare now to show proof of compliance with this law when engaging with Australian critical infrastructure. This means that you must be able to show the company or the Australian government your:
- All-hazards risk management plan
- Cyber incident response plan
- Proof of vulnerability assessments
- Evidence of cyber exercises, possibly conducted under the eye of a government representative
It will be almost impossible for any but the largest organisations to navigate the Act or to undertake this preparation without professional support. We recommend that you engage quickly, be prepared, and ensure compliance not only with the Act but also with the security of your business, employees, clients, and stakeholders.
Ampion, an Australian-based Wipro Company, can advise you on risk and incident response planning and third-party risk management, and can conduct vulnerability assessments and cyber exercises.