Contractors may be impacted by Australian security of critical infrastructure reform

The reforms were introduced in 2021 to improve the security and resilience of infrastructure assets critical to Australia’s defence, national security, economic and social stability. The amendments extend the obligations under the Act to companies in the supply chain of critical infrastructure assets in 11 sectors of the economy and adopt an all-hazards approach to managing material risks to the assets. As a result, contractors working on transport, energy and water projects might have to abide by the newly extended obligations.

Positive security obligations

The reforms introduced three positive security obligations (PSOs) for critical infrastructure assets. All three PSOs are now in effect, with the grace period for compliance of the final PSO ending in August.

Information provision

Companies must report who owns and operates critical infrastructure assets in a national register of critical infrastructure assets, to be maintained by the Cyber Infrastructure Security Centre.

Under this PSO, the entity with the ultimate operational responsibility, known as ‘the responsible entity’ must provide operational information. In addition, ‘direct interest holders’ who are any entities holding a direct or joint interest of at least 10% in the critical infrastructure asset, or holding an interest and able to directly or indirectly influence the asset, must provide interest and control information.

Mandatory cyber incident notification

Responsible entities must report actual or imminent cyber security incidents and comply with this obligation from at least 3 months after the asset becomes a critical infrastructure asset. Under the Act, the timeframe for reporting actual or imminent cyber security incidents is quite short, with responsible entities required to report to the Australian Signals Directorate (ASD) all critical cyber security incidents – which are incidents impacting on the availability of an asset used to provide essential goods and services – within 12 hours of becoming aware of the incident. All other cyber security incidents – which are incidents impacting the asset’s integrity, reliability or confidentiality – must be reported to the ASD within 72 hours of the responsible entity becoming aware of the incident.

Risk management program

Responsible entities must adopt, maintain and comply with a critical infrastructure risk management program (CIRMP) for their critical assets which includes achieving compliance with the cyber security framework identified in their CIRMP. The 12-month grace period for compliance with this PSO for most of the relevant sectors and assets concludes on 17 August.

Impact on contractors

The reforms have extended the obligations under the Act to include ‘relevant entities’ which include responsible entities, operators – which are entities that operate a critical infrastructure asset or part of it – and managed service providers – which are entities that manage part of a critical infrastructure asset or the operation of the asset.

The remits of the Act, however, remain unclear, particularly for subcontractors. For example, under the Act, it is uncertain whether a temporary contractor would be considered an operator or a managed service provider.

Given the breadth of the risk-based and reporting obligations in the Act, contractors who operate or manage part of a critical infrastructure asset, or a component of an asset, may now be caught within the definition of ‘responsible entity’ and be bound by the Act, despite not being direct interest holders or the entity with ultimate operational responsibilities. Companies should also consider if a contractor or subcontractor is a ‘critical worker’ needing to be listed in the company’s CIRMP.

Contractors may also be responsible for all three PSOs and this would be particularly relevant if certain obligations from the head contract are passed through to subcontractors.

In addition, the Minister for Home Affairs may notify the responsible entity for a critical infrastructure asset that the asset has been declared a ‘system of national significance’. If this occurs, contractors may see their cyber security obligations enhanced. 

Given the difficulty of establishing whether a contractor is an operator or a managed service provider – including instances where contractors are provided with operational instructions for infrastructure assets like wind turbine generators on a day-to-day basis, but do not have discretion as to how to operate such assets – it is advisable to clearly define who the operator is in the contract and what their obligations are. This includes their obligations when dealing with ‘protected information’ – which includes the CIRMP and all other information obtained in the course of exercising powers or performing duties or functions under the Act – that a responsible entity shares.

Ultimately, contractors may be responsible for some or all of the new positive security obligations. Non-compliance with these requirements could result in up to 1,000 penalty units depending on whether the non-compliance is committed by an individual or a corporation. Currently, for corporations, the penalty could reach as much as AU$192,310 (US$127,849) and from 1 July could reach AU$197,590. A breach of the protection information provisions by an individual or a corporation – such as unauthorised disclosure of information that is, or is included in, a mandatory cyber security report or a CIRMP – may also be subject to criminal charges.

Co-written by EJ Yeoh and Serpil Eastaugh of Pinsent Masons.