Skip to main content

New laws will add millions in compliance costs for critical infrastructure owners

by Cameron Sinclair •
Free resource

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) released a report on Friday 25 March recommending the Senate pass the remaining measures to expand the legal obligations on owners of critical infrastructure, contained in the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the SLACIP Bill). 

The SLACIP Bill includes new powers to: 

  • Ensure that government directions in the event of a serious cyber security incident “prevail over the requirements of a risk management program” 

  • Enable the minister to declare a critical infrastructure asset to be a system of national significance  

  • Add further cyber security obligations on systems of national significance 

  • Require annual reporting obligations for assets that have an exemption from the national register (a list that currently includes only sugar mills) 

The PJCIS report acknowledges that the changes will come with an administrative cost borne by industry, but that this would be outweighed by the “resultant security uplift”, which will “offset potential losses were a serious cyber incident to occur”. 

The report presents an average estimated one-off cost to assets of $9.2 million to develop a Risk Management Program (RMP), with ongoing costs of $3.7 million per annum. While expensive, the report notes that the alternative is worse: a “severe incident” in either the electricity or gas sector could cost in excess of $1 billion. 

The new PJCIS report notes that “the introduction of the SLACIP Bill, and the referral to the Committee to report before the 2022 Budget sitting week has occurred against the backdrop of a further deteriorating global security environment, underscored by Russia’s invasion of Ukraine and the subsequent global response to this aggression”. 

In late 2020 the Morrison Government introduced draft legislation to introduce new reporting and risk assessment requirements and expand the number of industries covered under existing critical infrastructure laws (the SOCI Act 2018). 

The draft bill was split in two, with some measures being passed in November 2021, and others being referred back to the PJCIS for further consultations with the affected industries. 

These remaining measures have been re-drafted into a fresh draft bill, known as the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the SLACIP Bill). 

As Intermedium noted in February, over 700 people attended Home Affairs online ‘town hall’ meeting as part of the consultative process on the SLACIP Bill, indicating an extraordinary level of interest. 

The SLACIP Bill was introduced into the House of Representatives soon after this consultation, on 10 February 2022 by the Minister for Home Affairs, Karen Andrews, and was referred to the PJCIS on the same day. 

The PJCIS is recommending the passage of the SLACIP bill. The recommendations of the PJCIS are generally regarded as bipartisan, indicating that the bill has a strong chance of passing if introduced. 

The PCJCIS emphasised that it is committed to closely monitoring implementation, undertaking further industry consultations, and its (already legislated) statutory review obligations no later than December 2024. 

Its report also includes a highly unusual recommendation that the government commission a further independent review of the operation of the legislation within one year of its commencement (report to the Minister for Home Affairs, who must then present the report to parliament within 30 days). This may be due to the pushback and requests for further consultation on the bill that it has received from industry. 

Jurisdiction
  • Federal
Category
  • Hardware
  • Software
  • Telecommunications
Sector
  • Defence
  • Health
  • Industry & Investment
  • Infrastructure
  • Resources