Announcement date
9 October 2024
Link to announcement
https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r7255
Problem being addressed
The identification and protection of critical infrastructure is essential for Australia’s social and economic prosperity, national security and defence, and the provision of essential services. The Security of Critical Infrastructure Act 2018 (SOCI Act) represented a significant enhancement to Australia’s regulatory framework when enacted; however, evolving geopolitical and cyber threats require regular review of existing settings to ensure the security and resilience of our critical infrastructure.
This Impact Analysis (IA) considers potential reforms to the SOCI Act to address three issues with the current regulatory settings.
A growing number of cyber incidents affect non-operational data storage systems held by critical infrastructure entities; these systems can often be a point of entry for malicious actors.
Businesses face difficulties responding effectively in the aftermath of significant incidents because of legal risks and the government’s limited ability to support post-incident consequence management.
When an entity is unwilling to comply with the regulator’s recommendations to enhance a risk management program (RMP), there is limited ability for the regulator to issue a direction that the entity remedy the deficient RMP in a timely fashion.
Proposal
This IA considers three options.
Option 1 – maintaining the status quo (no regulatory change).
Option 2 – implementing three reforms to the SOCI Act, including:
clarification of definitions to capture systems holding business critical data;
legislating an all-hazards consequence management power; and
a new directions power to address seriously deficient risk management obligations.
Option 3 – enhanced collaboration between industry and Government, through use of the Trusted Information Sharing Network (TISN).
The preferred policy option is Option 2.
Assessed Impact Analysis outcome
Good practice.
Assessment comments
The IA addresses the seven IA questions and follows an appropriate policy development process commensurate with the significance of the problem and magnitude of the proposed intervention. In particular, the IA included a quality process for consulting with stakeholders on the proposed reforms.
Regulatory burden
The Department of Home Affairs anticipated the regulatory costs of preferred Option 2 could range from $0.5m to $50m per cyber incident, with an expected incident frequency of one in every three years, suggesting an increase in average regulatory costs by between $0.1m and $16.7m per year.
Note: any accessibility queries should be directed to the Department of Home Affairs.