Critical Infrastructure Protection extended to payment system

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 has been passed and commenced on 2 April 2022. It amends the Security of Critical Infrastructure Act 2018 to implement additional obligations on owners of critical infrastructure assets, particularly those assets which are declared to be systems of national significance (SoNS) by the Minister for Home Affairs.

The Rules to be made under the Act will initially specify asset classes ‘where there are not already sufficient regulatory or administrative arrangements in place’. The asset classes intended to be initially captured are:
• critical financial market infrastructure assets that are a critical payment system (other critical financial market infrastructure assets will not be captured)
• critical electricity assets
• critical energy market operator assets
• critical gas assets
• critical liquid fuels assets
• critical water and sewerage assets
• critical data storage or processing assets
• critical hospital assets
• critical domain name system assets and
• critical broadcasting assets.

UPDATE: Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022

Under the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 “critical banking asset” is defined as “an authorised deposit-taking institution is critical to the security and reliability of the financial services and markets sector if it has assets over $50 billion.”

The Act imposes the following obligations:
• require responsible entities of certain critical infrastructure assets to adopt, maintain and comply with a critical infrastructure risk management program
• require responsible entities for certain critical infrastructure assets to provide a report to the Government where the assets are not covered by a critical infrastructure risk management program
• allow for responsible entities to conduct background checks on their employees under the existing AusCheck scheme
• amend the relevant statutory liability exemptions to apply to personnel and associates of entities that are related, or provide contractual services, to responsible entities
• allow the Minister to privately declare critical infrastructure assets to be systems of national significance (SoNS)
• impose enhanced cyber security obligations on entities responsible for SoNS, including undertaking cyber security exercises and vulnerability assessments, and preparing an incident response plan and
• amend the current information sharing arrangements for protected information between the Commonwealth, state and territory regulatory agencies.

Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.