Security of Critical Infrastructure, health care and supply chain resilience
The Australian Government has made sweeping amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI) concerning the availability, integrity, reliability and confidentiality of assets that form part of Australia’s critical infrastructure. In this article by Hall & Wilcox and McGrathNicol, we outline the scope and obligations of the SOCI regime, the consequences of a breach, five key challenges for the Australian health sector and SOCI’s impact on cyber insurance.
Overview of the SOCI regime
The threat landscape for Australian entities is wide-ranging and evolving, including:
- geopolitical tensions in Ukraine, Europe and Asia;
- energy dependency and frameworks;
- concern over future sanctions;
- sovereignty and security of critical supplies;
- consideration of all aspects of supply chains and counterparties to build resilience;
- protecting the AUKUS security alliance;
- impact of climate change;
- cyber attacks growing in sophistication and targeted at supply chains;
- threat actors being sophisticated, their motivations varied and their tactics evolving; and
- increased targeting of critical infrastructure, universities, Australian research and development, corporate systems and individuals’ data.
In this context, the Australian Government has amended legislation concerning the availability, integrity, reliability and confidentiality of assets that form part of Australia’s critical infrastructure.
What are the changes?
Sweeping amendments to the Security of Critical Infrastructure Act 2018 (Cth) (the Act or SOCI) came into force in two ‘phases’:
- Phase 1: on 22 November 2021, Parliament passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act); and
- Phase 2: on 31 March 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (SLACIP Act) passed both Houses of Parliament.
The changes include the following:
- On 8 April 2022, the Security of Critical Infrastructure (Application) Rules 2022 (Cth) (the Application Rules), made by the Minister for Home Affairs (Minister), commenced. The Application Rules switch on the positive security obligations (asset registration and cyber security incident notification) for specified classes of critical infrastructure asset, including critical hospitals.
- The entities caught by the Act include national and international conglomerates. Previously, only the parent entity, or the entity that holds a ‘critical infrastructure asset’, was likely to be subject to the Act. The changes to the types of assets covered mean that subsidiaries or related entities not previously captured may now be, and the Act extends to operators of assets.
- The Act extends the scope of ‘critical infrastructure assets’ to include a ‘critical hospital’, defined as a hospital that has a general intensive care unit (ICU).
- The ‘responsible entity’ of a critical hospital under the SOCI is:
- the local hospital network that operates the hospital if the hospital is a public hospital; or
- the entity that holds the licence, approval, or authorisation (however described), under a law of a State or a Territory to operate the hospital, if the critical hospital is a private hospital.
- ‘Critical hospital’ operators should ensure they have the necessary procedures in place to comply with the cyber security notification obligations, risk management programs and potential Ministerial directions. For example, contractual arrangements with subcontractors should address SOCI considerations. This would include arrangements about accessing information for reporting, certain obligations regarding cyber security standards, and incident response and recovery plans.
- The Act also introduces a new concept of ‘critical infrastructure sector assets’, which has a much broader scope than ‘critical infrastructure assets’. A ‘critical infrastructure sector asset’ extends to ‘assets’ in certain industries, including the ‘health care’ sector.
- The ‘health care’ sector includes dental, medical, medical radiation practice, nursing, midwifery, occupational therapy, optometry, pharmacy, physiotherapy, podiatry, psychology and the treatment and maintenance of a patient at a hospital.
Summary of obligations
Under the Act, there are three key positive obligations on responsible entities of critical infrastructure assets. Namely, a responsible entity must:
- notify certain cyber security incidents:
- within 12 hours for incidents with a ‘significant impact’ on the availability of a critical infrastructure asset;
- within 72 hours for incidents with a ‘relevant impact’ on the availability, integrity, reliability or confidentiality of a critical infrastructure asset;
- provide certain information about ownership and operational aspects of an asset for the new Register of critical infrastructure assets (which is not made public). Direct interest holders of critical infrastructure assets also have reporting requirements; and
- establish, maintain, and comply with a ‘Critical Infrastructure Risk Management Program’ (discussed in more detail below).
The Minister has also been provided with vastly enhanced powers, including the power to:
- privately declare that a critical infrastructure asset is a ‘system of national significance’. This will trigger enhanced cyber security obligations;
- seek information about a wide range of topics relating to critical infrastructure systems, controls, assets or an incident;
- issue directions that require certain actions in response to serious cyber security incidents; and
- make an intervention request, under which an authorised agency may add computers or software to a network, or remove computers from a network.
When do the changes commence?
Some of the changes are already in effect, with others to follow shortly. The commencement dates for the new positive obligations are as follows:
- notification of certain types of cyber security incident was switched on three months after the commencement of the Application Rules, ie 8 July 2022, or three months after the asset becomes a critical infrastructure asset;
- registration obligations commence six months after Application Rules commence, ie 8 October 2022 or six months after the asset becomes a critical infrastructure asset; and
- risk management will, according to the draft Risk Management Program Rules, switch on within six months of the commencement of those rules, which are yet to commence following mandatory consultation.
Read on for more information
Given the detail of the SOCI regime, we have divided this article into five sections. These are:
- scope of the SOCI regime;
- obligations under the SOCI regime;
- consequences for a breach of the SOCI regime;
- five key challenges for the Australian health sector; and
- SOCI’s impact on cyber insurance.
Scope of the SOCI regime
What is an asset?
The term ‘asset’ is broadly defined to include a system, network, facility, computer (including devices or programs or data), premises and even ‘any other thing’. The definition does not chart the metes and bounds of where an asset begins or where it ends; rather it tells us the types of things that can constitute an asset.
The explanatory memorandum further expounds that ‘asset’ may refer to individual components or a collection of components of infrastructure. As such, individually something could simply be an asset, but together a collection of things could interact to provide or support the provision of a service or thing.
This raises the question of whether assets providing back-end services in a business can combine with other assets to ultimately support the provision of a service or a thing, and, in doing so, be considered a critical infrastructure asset, or at the very least a critical infrastructure sector asset.
The answer to this question is likely to be dependent on the facts and circumstances of the service or thing being provided. Organisations should seek legal advice if they are unsure about whether they possess or control assets that may be subject to SOCI.
What is a critical infrastructure asset?
Most obligations for responsible entities relate to critical infrastructure assets. There are 22 types of critical infrastructure assets, such as a critical electricity asset, critical hospital, critical superannuation asset, and further types of critical infrastructure assets can be declared or prescribed. The types of critical infrastructure assets generally relate to the ‘assets’ used in the various industries outlined above.
The specific definition of each type of critical infrastructure asset is less concerned with describing what the asset is than with setting the threshold at which an asset becomes critical. Taking a critical electricity asset as an example, section 10 of the Act provides that an asset will be a critical electricity asset where it is:
‘a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers […]; or
an electricity generation station that is critical to ensuring the security and reliability of electricity networks or electricity systems in a State or Territory […].’
In the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 (Cth) (Definition Rules), the second limb of the definition of ‘critical electricity asset’ is prescribed to include an asset that:
- under contractual arrangements, provides a system restart ancillary service in the State or Territory, or ‘is an electricity generator, in the State or Territory, that has an installed capacity of at least 30 megawatts’; and
- is connected to a wholesale electricity market.
As the ‘critical electricity asset’ definition shows, the specificity of each definition and its focus on a size threshold for criticality make it unlikely that an asset providing ‘back-end services’ (such as ERP software) would be captured as a critical infrastructure asset in its own right.
Analogous reasoning can be applied to each of the 22 types of critical infrastructure asset, though there may be exceptions.
What is a critical infrastructure sector asset?
A critical infrastructure sector asset is an ‘asset’ (as defined above) which relates to a critical infrastructure sector. This definition provides greater flexibility than the narrow concept of ‘critical infrastructure asset’, since the term ‘asset’ is so broad and there is a variety of relevant industries. For example, a computer program which is being used for researching the effective provision of insurance services would be a ‘critical infrastructure sector asset’.
The ability to make Ministerial directions regarding an inadequate response to a serious cyber security incident applies to critical infrastructure sector assets – provided an incident response is not already adequately addressed through other regulations.
Obligations under the SOCI regime
To begin with, an organisation will need to determine:
- whether any of its assets are ‘critical infrastructure assets’ (or are captured by the broader ‘critical infrastructure sector asset’ concept); and
- whether it is the ‘responsible entity’ for that critical infrastructure asset (or critical infrastructure sector asset).
If your organisation is captured by the SOCI regime, then you will have certain obligations. We detail these below.
Register of critical infrastructure assets
A responsible entity for a critical infrastructure asset must report operational information in relation to that asset. This includes the location of the asset, the area serviced by the asset, the operational arrangements in place for the asset (including data collection and storage) and more.
A direct interest holder for a critical infrastructure asset, namely someone or a group of associates that holds an interest of at least 10% in such an asset or is otherwise able to influence or control the asset, must report interest and control information in relation to that asset.
If particular events occur in relation to the critical infrastructure asset, such as a change of control event for the responsible entity or direct interest holder, then updated information must be reported to the Secretary of the Department of Home Affairs (Secretary). There is a grace period of 30 days for providing updated information.
Registration for critical infrastructure assets is due by 8 October 2022, or six months after the asset becomes a critical infrastructure asset.
The register and reporting requirements do not apply to critical infrastructure sector assets.
Cyber security notification
The notification requirements regarding cyber security incidents apply in relation to ‘critical infrastructure assets’ and came into effect from 8 July 2022.
Once aware of a cyber security incident (ongoing or not), a responsible entity must report:
- within 12 hours of becoming aware, where the cyber security incident may have a ‘significant impact’; or
- within 72 hours of becoming aware, where the cyber security incident may have a ‘relevant impact’.
Cyber security incidents include:
- unauthorised access to or modification of data or a computer program;
- unauthorised impairment of electronic communications to or from a computer; or
- unauthorised impairment of the availability, reliability, security or operation of a computer (including regarding a program or data).
An incident will have (or be likely to have) a ‘significant impact’ on the availability of an asset if:
- it is used in connection with the provision of ‘essential goods or services’ (an undefined phrase); and
- the availability of those essential goods or services are materially disrupted.
The notification obligations also extend to incidents that have a ‘relevant impact’, a broader concept than ‘significant impact’. A relevant impact includes an impact (direct or indirect) on the availability, integrity or reliability of the asset, or on the confidentiality of information about or stored in the asset.
For example, where back-end services of an entity are impacted, you may still have an obligation to notify, provided the impact on those services has a direct or indirect impact on the availability, integrity, reliability or confidentiality of a critical infrastructure asset.
There are some boundaries to the scope of a ‘relevant impact’ extending to back-end services. As noted in the explanatory memorandum:
‘… an impact on customer service or the quality of the service being provided will not necessarily be regarded as a relevant impact unless it also impacts the availability, integrity, reliability or confidentiality of information about the asset.’
This should encourage organisations to take a whole of business approach to cyber risk.
Critical Infrastructure Risk Management Program
The responsible entity for one or more critical infrastructure assets (such as a hospital with an ICU) must have, and comply with, a critical infrastructure risk management program unless an exemption applies. The responsible entity must also give an annual report relating to its critical infrastructure risk management program.
These requirements will come into effect when the ‘Risk Management Program Rules’ are registered by the Minister.
The purpose of the risk management program is to do the following for each critical infrastructure asset:
- identify each hazard where there is a material risk that, if it occurred, it would have a relevant impact on the asset;
- so far as it is reasonably practicable to do so – minimise or eliminate any material risk of such a hazard occurring; and
- so far as it is reasonably practicable to do so – mitigate the relevant impact of such a hazard on the asset.
Based on the explanatory memorandum, it is anticipated that the Ministerial rules setting out the contents of critical infrastructure risk management programs will take a hazard-based approach.
Four key domains of risk were identified as potential hazards for critical infrastructure assets where an entity has inadequate protections. These are:
- Cyber – the digital systems, computers, datasets and networks that underpin critical infrastructure systems, and protecting them from cyber threats;
- Supply chain – the systems of organisations, people, activities, information and resources that support Australia’s critical infrastructure, and protecting their operations by understanding supply chain risk;
- Personnel – the employees, owners, operators, contractors and subcontractors engaged with Australia’s critical infrastructure, and the policies supporting these personnel; and
- Physical and natural – the organisation’s systems and networks, and protecting them from, and mitigating the effect of, natural and human-induced threats.
Realistically, the Ministerial rules are not expected to be too prescriptive. We suspect the approach will focus on protecting an entity and its assets to a reasonable standard given the size and nature of the asset (considering the nature of the data or the significance of the goods or services). For example, a ‘critical hospital’ has a general intensive care unit. This may require a best-in-class security approach for any asset that supports life-support systems, since there is potential for harm to a person, or loss of life, if the operation of the asset is compromised.
Given precursors such as the notifiable data breach regime in the Privacy Act 1988 (Cth) (Privacy Act) and APRA’s Prudential Standard CPS 234 Information Security, it is likely that expert advice from lawyers and IT specialists will assist in the creation and maintenance of risk management programs for the SOCI regime.
Ministerial authorisation for cyber security incident responses
Where a cyber security incident has occurred, is occurring or is imminent and has had, is having or is likely to have a ‘relevant impact’ on a critical infrastructure asset, the Minister may authorise the Secretary of the Department of Home Affairs to give certain directions to a relevant entity. These are:
- an information gathering direction, which requires the relevant entity to give information to the Secretary;
- an action direction, which requires the relevant entity to do, or refrain from doing, a specified act or thing in response to the cyber security incident; and
- an intervention request, which is a request that the authorised agency do one or more specified acts or things in relation to the asset and in response to the cyber security incident.
Although the powers only arise when a cyber security incident is affecting a critical infrastructure asset, the directions can then be given to any ‘relevant entity’ for a ‘critical infrastructure sector asset’, not only to the responsible entity for the affected critical infrastructure asset. An incident that affects only a critical infrastructure sector asset does not trigger the powers.
These authorisation powers require that the Minister is satisfied regarding certain things, including that:
- an entity is unwilling or unable to take all reasonable steps to respond to a cyber security incident;
- the Secretary’s directions are reasonably necessary for the purposes of responding to the cyber security incident;
- a direction is a proportionate response to the incident; and
- compliance with a direction is technically feasible.
For the Minister to use this power, they must be satisfied that no existing regulatory system of the Commonwealth, State or Territory could be used to provide a practical and effective response and the cyber security incident presents a material risk that has seriously prejudiced, is seriously prejudicing or is likely to seriously prejudice:
- the social or economic stability of Australia or its people;
- the defence of Australia; or
- national security.
Systems of national significance
The Minister may privately declare a particular asset to be a system of national significance, which triggers enhanced cyber security obligations.
This can include requiring a responsible entity to:
- make certain cyber security incident response plans;
- undertake a cyber security exercise;
- undertake a vulnerability assessment of systems; or
- (for a computer) give periodic reports of system information or events, including requiring the installation of reporting software.
The Act sets out the process for how the Minister makes declarations and impacted organisations are given an opportunity to respond if they do not agree with the declaration.
Consequences for a breach of the SOCI regime
There are a number of penalties that can be imposed for breaches of the Act, most civil and some criminal.
Civil penalty limits include:
- $11,100 for a failure to comply with notification obligations about a cyber security incident (50 penalty units at a current rate of $222 per penalty unit);
- $11,100 for a failure to comply with registration obligations relating to an asset (50 penalty units);
- $33,300 for a failure to comply with a request for information from the Minister (150 penalty units);
- $26,640 for a failure to comply with a direction to take certain action from the Minister (120 penalty units); and
- $26,640 for the unauthorised use or disclosure of protected information (120 penalty units).
There are also criminal offences under the Act. These carry (in addition to the civil penalties) a maximum of two years’ imprisonment for:
- breaching an action direction given by the Minister, unless the organisation took all reasonable steps to comply with the direction;
- failing to provide information requested by the Minister, unless the organisation took all reasonable steps to comply with the request; and
- using or disclosing protected information unless the organisation was permitted to do so. One exception to this offence is that protected information may be disclosed to the entity to which the information relates, or with that entity’s consent.
Five key challenges for the Australian health sector
With the change to the legislation, we see five key challenges faced by the Australian health sector, which are set out in the graphic below.
There are also a number of areas which remain uncertain.
The draft risk management rules state that responsible entities for critical infrastructure assets must, within six months of the commencement of those rules, ensure that their Risk Management Program includes details of how the entity identifies its critical positions and/or critical personnel, and includes a list of those positions and/or personnel, as appropriate.
The definition of critical position includes (but is not limited to) a position in a responsible entity which has responsibility, access, control or management of the essential components or systems of the asset and where the absence or compromise of the position or its holder would prevent the proper function of the asset or could cause significant damage to the asset, as assessed by the responsible entity.
The definition of critical personnel includes, but is not limited to, any employee of a responsible entity with responsibility, access, control or management of the essential components or systems of the asset and whose absence or compromise would prevent the proper function of the asset or could cause significant damage to the asset, as assessed by the responsible entity. The definition of personnel includes, but is not limited to, direct employees, interns, contractors and subcontractors.
Therefore, who would be the critical personnel of a hospital with an ICU? Arguably the Chief Information Officer, senior IT support team and key clinical personnel.
In summary, operators of hospitals with ICUs, public or private, should prepare for the amended critical infrastructure legislation if they have not done so already. Efforts should focus on how to measure the impact of, and manage, the risks in the identified hazard areas, so that executives can ensure that appropriate action is taken. Further, assessing which of your procedures and operations may be affected by the Act is important to ensure that your business is resilient to attack.
SOCI’s impact on cyber insurance
For organisations in the health sector that hold cyber insurance policies, SOCI may have an impact, depending on the type of cyber incident and the policy wording.
Various cyber insurance policies provide cover for the legal costs of obtaining regulatory notification advice. While this has typically applied to legal advice under the notifiable data breach scheme in the Privacy Act, cover may also be available for legal advice about whether a cyber incident requires notification to the Australian Cyber Security Centre (ACSC) under the SOCI regime.
Cover may also be available to organisations to:
- seek legal advice if they receive a request for information from the Secretary, or the Secretary initiates an investigation into the organisation; and
- pay penalties for breaches of the SOCI regime.
Again, while a number of cyber insurance policies specify that legal costs are only available in relation to investigations by the privacy regulator, others may more broadly cover regulatory investigations that relate to the use, disclosure or possession of personal information. This may overlap with an incident that triggers obligations under SOCI.
Health sector organisations with cyber insurance should discuss with their broker whether their current policy would provide cover for costs of complying with the SOCI regime.
If a health sector organisation has a cyber security incident, it should promptly follow its incident response plan, immediately engage its incident response provider, and notify its insurer as soon as practicable.
Hall & Wilcox and McGrathNicol can help you understand if and how your business is affected by these economy-wide reforms of the SOCI Act and assist if you experience a cyber security incident. For more information and guidance, please contact any of the people listed below.
Hall & Wilcox key contacts
Eden is a leading cyber, privacy, disputes and insurance lawyer who heads the Hall & Wilcox cyber practice.
Alison specialises in advising clients in the health, aged care, disability, life sciences and community sectors.
McGrathNicol key contacts