Australia | Publication | April 2022
The second tranche of anticipated amendments to the Security of Critical Infrastructure Act (2018) was passed by the Parliament in a flurry of recent legislative activity.
Following on from substantial amendments to the Act in December 2021 (see our December 2021 update), these further changes introduce significant new obligations and powers, including:
The passage of this bill signals the beginning of the journey to uplift risk management across a vast swathe of the Australian economy, including cybersecurity, supply chain and personnel risks in addition to the physical and natural hazard risks that have impacted a variety of services across Australia in recent years.
Most notably, these amendments create a framework to achieve the government’s objective of improving Australian industry’s cybersecurity risk management in support of its Cyber Security Strategy 2020 and the aim to make Australia a leading digital economy by 2030.
The amended Act will require affected entities to create and comply with a critical infrastructure risk management program (RMP). The law further allows the Minister for Home Affairs to mandate certain risk domains that affected entities must consider as part of the RMP, and draft rules included in the explanatory memorandum to the bill demonstrate the breadth of those mandatory considerations, including cybersecurity, supply chain and personnel risks.
Not all critical infrastructure sectors are intended (at least initially) to be subject to the RMP requirements. However, the Government has clearly signalled that those sectors not initially affected could be pulled into the RMP net if their regulatory standards do not match the Government’s risk management expectations.
It remains to be seen whether the Government will issue the new rules required to switch on the various obligations prior to the election being called and the Government entering caretaker mode. Even in that mode, there are avenues for these rules to be issued by a caretaker government. With the heightened risk environment Australia operates in today, especially with mounting reports highlighting the risk of a cyber-attack spill-over from the Russia-Ukraine conflict, the government could well use those alternate routes to protect Australia’s national security interests and the assets vital to our daily lives.
In assessing when the obligations come into force, it is possible that the cyber-incident reporting obligations will commence in the near term (3 months or less), with some of the RMP obligations taking effect within six months of the Act coming into force. These obligations are significant, and a six-month lead time (to both determine which assets are caught and how to comply within complex organisations) is short.
Organisations should start by understanding whether they are within the expanded definitions, inventory those assets that are mission critical and map the obligations the expanded laws create for them. Organisations should also keep a watching brief on the commencement of the obligations.
Contact us if you have queries about these obligations.
This article was co-authored with Madeleine Barr.
© Norton Rose Fulbright LLP 2023