Norton Rose Fulbright LLP

10/13/2021 | News release | Distributed by Public on 10/13/2021 20:00

B1 and B2: separating the SOCI regulatory regime

On 29 September 2021, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) published its Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Original Bill) and statutory review of the Security of Critical Infrastructure Act 2018 (SOCI Act).

In essence, the PJCIS recommended that the Original Bill be split into two separate bills. The first would expand the critical infrastructure sectors covered by the SOCI Act, introduce mandatory incident reporting obligations and, as its key purpose, prioritise the Government Assistance Measures. These security upgrade measures are seen as the most urgent and should progress through Parliament 'in the shortest time possible'.1

The PJCIS further recommended that the remainder of the Original Bill, which includes the risk management program and the enhanced cyber security obligations aimed at an overall security uplift across the critical infrastructure sectors, be reconsidered and repackaged in consultation with industry before progressing further.2 Table 1 below outlines the PJCIS' recommended approach.


Bill One: Clear and Present Danger

In recommending that the Original Bill be split, the PJCIS focused primarily on evidence of an increasing cyber-threat environment. The PJCIS cited the submission of Department of Home Affairs Secretary Michael Pezzullo as informing the recommendation to carve out the Government Assistance powers into a separate bill:3

'...it allows us to activate certain emergency procedures under the government assistance measures, and it is those measures that, frankly, I would prefer to have on the statute books tonight.'

In recommending the carve-out approach, the PJCIS also included the expanded definitions of Critical Infrastructure Assets and Critical Infrastructure Sectors, as well as the obligation on responsible entities to notify the Government of critical incidents.4 These amendments remain highly relevant to companies in the applicable sectors, since the Government's assistance powers concerned many stakeholders, both as to their reach and their application. However, in prioritising the creation of the Government's intervention powers, the PJCIS was evidently convinced that the threat was real and present.

Bill Two: Back to the Future

The PJCIS recommended that the remainder of the Original Bill be 'revisited and reconsidered' by the Department in a separate bill, known as 'Bill Two'.5 This approach recognises the deep 'reservation' and concern from industry and other stakeholders about the wide-ranging scope and the 'unknown or unquantifiable' cost of compliance with the other elements of the Original Bill, including the risk management programs and the declaration of systems of national significance (and the associated enhanced cyber security obligations). Indeed, the PJCIS noted that most, if not all, contributors to the review expressed reservations, and concluded that, as currently formulated, the framework was not ready to be progressed at this time.6

In particular, the PJCIS cited several factors including:

  • the over-reliance on delegated legislation to implement the sector-specific rules;
  • the unclear burden of compliance, with the potential for industry to be 'overwhelmed by red tape';
  • the need for industry 'buy in'; and
  • the potential impact on foreign investment and Foreign Investment Review Board (FIRB) processes.7

Conclusion

By recommending the separation of the Original Bill, the PJCIS appears to acknowledge the threat environment and provides a pathway for the Government to obtain the emergency intervention powers it wanted without the more controversial elements that may have resulted in Parliamentary deadlock. Sacrificing the more compliance-focused elements of the SOCI reforms in the immediate future is an effective trade-off for the government, especially where alternative regulatory avenues may be available to drive cyber-security uplift.8

And while this may have removed potential compliance burdens on industry for the time-being, the potential for direct Government intervention in respect of critical infrastructure, and the over-arching risk of cyber-threat itself, remains.

Table 1: Recommended Split Response

Bill One (status: to proceed urgently). Proposed amendments:
  • Government Assistance Measures - Part 3A;
  • Positive security obligations (notification of critical incidents) - Part 2B;
  • Critical infrastructure asset and critical infrastructure sector asset definitions, and other enabling provisions;
  • Schedule 2 - Australian Signals Directorate (ASD) Criminal Code amendments, preserving the limitation of liability for ASD staff.

Bill Two (status: to re-design in consultation with industry). Proposed amendments:
  • Positive security obligations (risk management programs) - Part 2A;
  • Enhanced cyber security obligations - Part 2C;
  • Declarations of systems of national significance - Part 6A;
  • Other amendments, as well as rules.

Source: Advisory Report

Please see our previous update which provides a broader overview of the SOCI reforms. We continue to monitor and publish further updates. If you have any queries in respect of how the proposed legislation may impact your operations, or how we may be able to assist with your engagement with any consultation processes, please get in touch.

Footnotes

1 Advisory Report, Recommendation 1, [3.21].
2 Advisory Report, Recommendation 7, [3.50], [3.52].
3 Advisory Report, [3.10], [3.13].
4 Advisory Report, [3.15]-[3.16] and Recommendation 2, [3.30].
5 Advisory Report, [3.48].
6 Advisory Report, [3.2], [3.47].
7 Advisory Report, [3.45]-[3.49].
8 For example, APRA's prudential standard CPS 234 (Information Security) for the financial services sector, the Telecommunications Sector Security Reforms introduced by the Telecommunications and Other Legislation Amendment Act 2017, and the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021, which recently passed both houses of Parliament.