With the Australian Government on the cusp of finalising the Security Legislation Amendment (Critical Infrastructure) Bill 2020, company directors and senior leaders across many organisations need to reconsider their personal level of accountability and how they will manage a significant cybersecurity event that might impact critical infrastructure.
The new Bill, if passed as expected, will have broad impact and give the Federal Government unprecedented powers to intervene in the security response of private organisations.
The very definition of critical infrastructure is being questioned, with the legislation capturing a broad swathe of different organisations. Traditional utilities such as power, water, gas and telecommunications are obvious candidates for inclusion in the legislation, but many others, such as medical, food supply, transport and traffic management, finance and banking, retail and higher education, are now impacted by the proposed new laws.
The Government defines critical infrastructure as “those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.”
Amongst revisions proposed in the Bill, company directors will be held personally accountable for a cyber breach. This will require senior leaders and boards to understand the consequences of a cyber attack, contribute to establishing a risk appetite for cybersecurity and prioritise funding and resourcing accordingly.
Boards have traditionally been well armed with skills in finance, law and marketing, but technical knowledge is often a blind spot. Unless boards want to be in the challenging position of having a federal government agency swoop in and take control of their systems, eroding confidence and affecting reputation, they must ensure they understand the risks they are facing and have appropriate mitigations in place to manage those risks.
The new Bill, once passed, will give the government the authority, under a Government Assistance Regime, to take the cyber security response out of the control of the affected organisation. Although the government notes that this would only happen under severe circumstances, there is no test or threshold that defines what such a situation may be.
All board members now need a working knowledge of the cybersecurity risks faced by their organisations and have access to specialist knowledge, either on the board or within close access, to provide accurate and timely advice on how to manage any emerging risk.
A significant element of this new act is an enhanced regulatory framework based on the requirements of the existing Security of Critical Infrastructure Act 2018 (SOCI Act). That Act was limited to just four sectors: electricity, gas, water and ports. The new Critical Infrastructure Bill covers a much broader range of industry sectors.
Under the expanded compliance regime, there will be a Positive Security Obligation requiring organisations to take specific ‘always on’ steps to protect systems. This includes a register of critical assets, a critical infrastructure risk management program and notification of cybersecurity incidents that is considerably broader than the existing provisions of the Notifiable Data Breach scheme.
Boards must also ensure they comply with Enhanced Cyber Security Obligations. These include having incident response plans, running regular cyber security exercises, conducting vulnerability assessments and having access to system information to respond to requests from the Secretary of Home Affairs.
While it’s possible some organisations will have some of these things already in place, it’s likely that many will need to invest resources to fulfil the full suite of regulations.
Since the release of Australia’s first national cyber security strategy in 2016 and the establishment of the Australian Cyber Security Centre, boards have been on notice that cyber security is no longer purely a matter for technology teams; it is now a major component of organisational risk management. These new laws elevate and expand the obligations to a broader cross-section of organisations.
The prospect of the government sending in its own team to take over an organisation’s response should inspire every Australian board member to gain more confidence in their internal risk management activities and ensure this won’t be necessary. The risk of a cyber security incident is ever present.
Board members must not only be aware of the risks and their compliance obligations, but have an understanding of the threat environment they operate in. Just as they can see the impact of financial markets or broader economic indicators as risk to a business, they must acquire the skills they need to recognise and react to cyber security threats.
This new legislation must act as a wakeup call to the critical infrastructure sector and, indeed, all organisations.
Claire Pales and Anna Leibel are co-authors of The Secure Board book and Directors of The Secure Board advisory firm