Australia’s critical infrastructure laws strengthened

The amendments to Australia’s critical infrastructure laws impose strict obligations on operators and those holding direct interests in critical infrastructure assets to report on operational and ownership information, cybersecurity incidents and, in some cases, to operate and maintain a risk management program. These legislative changes may create material additional compliance expenses for asset operators, which may give rise to change in law claims.

In December 2021, the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) was amended to expand the list of infrastructure sectors deemed to be ‘critical’. These now include the communications, financial services and markets, data storage or processing, defence, higher education and research, energy, food and grocery, space technology, healthcare and medical, transport, and water and sewerage sectors.

The changes to the SOCI Act impose new reporting obligations on ‘responsible entities’, which means the entity with operational oversight and responsibility for the asset; and ‘direct interest holders’, meaning any entity holding at least a 10% interest in the asset, or in a position to directly or indirectly influence or control the asset of critical infrastructure assets.

Under the new amendments, these responsible entities and direct interest holders must provide operational information such as the asset’s name, location, industry sector, Australian Business Number (ABN) and incorporation details, and details on the operators of the assets. ‘Interest and control information’ on how the direct interest holder may exercise voting or veto rights, how these impact the running of the asset, and how it appoints key personnel to run the asset, must also be reported. These initial notifications must be provided before 8 October 2022, and there is an ongoing requirement to notify of any further changes to operational information.

Responsible entities must also now report on critical cybersecurity incidents affecting the critical infrastructure asset to the Australian Cyber Security Centre (ACSC) within 12 hours, and on other cybersecurity incidents within 72 hours of becoming aware of the incident.  This mandatory reporting commenced on 8 July 2022.

Failure to comply with any of these requirements can result in penalties of up to A$55,500 each day of contravention.

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022. The SLACIP Act requires operators in certain critical infrastructure sectors to create and maintain a critical infrastructure risk management program. It also establishes a new framework for enhanced cybersecurity obligations required for operators of Systems of National Significance.

Establishing and running risk management programs will be costly and involve continual compliance work. Analysis conducted by the Department of Home Affairs reports an expected average one-off cost of $9.2 million and an average ongoing cost of $3.7 million per annum to be borne by operators.

Operators and direct interest holders in critical infrastructure assets should consider whether they might be entitled to make a change in law claim under any contracts or projects.

Co-written by Sarah Chan of Pinsent Masons.