By Mike Trovato
Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) - An Act to amend legislation relating to critical infrastructure, and for other purposes
As of December 2021, SLACI is now law. It was the first of two additions to the Security of Critical Infrastructure Act 2018 (SOCI Act) which initially only included four industry sectors. SLACI expanded the law to apply to 11 industry sectors, plus added notification requirements which do not align with, but are generally supportive of, the Notifiable Data Breaches (NDB) Scheme.
The second bill will start the consultation process shortly and contains additional requirements which could require significant effort for a regulated entity to comply with. Most of the obligations for the first bill still need to be ‘switched-on’ by the Minister for Home Affairs, with assets already proposed by the Cyber and Infrastructure Security Centre (CISC).
The first bill (SLACI):
Extends the definition of critical infrastructure from 4 to 11 sectors and extends the existing reporting requirements to those sectors.
Mandates timely cyber incident reporting for specified critical infrastructure.
Legislates government assistance measures (i.e., information gathering, action requests, intervention requests) by providing powers to respond to security incidents which seriously prejudice Australia’s prosperity, national security, or defence.
The second bill will arguably have a bigger impact on regulated entities and looks to:
Introduce additional Positive Security Obligations and a Risk Management Program, which will be applied to entities responsible for critical infrastructure.
Introduce Enhanced Cyber Security Obligations, including vulnerability reporting and cyber incident response planning and exercises, for entities responsible for assets most critical to the nation (known as systems of national significance).
Critical Infrastructure owners and operators are required to report a cyber security incident if they are captured by the critical infrastructure asset definitions:
Within 12 hours if the incident has a significant impact on the availability of the asset (with a written report to follow within 84 hours); or,
Within 72 hours if the incident has a relevant impact on the availability, integrity, reliability, or confidentiality of the asset.
These changes are likely to support better privacy through enhanced data protection and urgent notification, increasing the spotlight on assessment for CI and NDB purposes.