background-color: transparent; background-image: linear-gradient(-90deg, rgba(221, 221, 221, 100% ), rgba(238, 238, 238, 100% )); color: #333333;

Back to Blog

Regulatory Obligations: There's now an 18-month deadline to implement a critical infrastructure Risk Management Program

The implementation of Australia’s #criticalinfrastructure reforms (SOCI 2018) is continuing and gaining practical momentum. On 17 Feb,...

The implementation of Australia’s #criticalinfrastructure reforms (SOCI 2018) is continuing and gaining practical momentum. On 17 Feb, Minister Claire O’Neil activated the legislation’s Risk Management Program (RMP) obligations for 13 specific critical infrastructure asset classes, including data processing and storage, and payment systems.

Don’t yawn.

The RMP is the requirement that makes cyber security a Board-level concern for critical infrastructure and its supply chain. Why? Because it requires a Board-equivalent to sign off, and report annually on, to the Minister that the RMP is being maintained and complied with (and presumably funded!).

Now there’s some time at play here: 6 months (from 17/02/23) to adopt a written RMP; and another 12 months to implement and ‘comply’ with it. Essentially, that is, to make good on your security promises. Let’s put that into perspective. How’re you going with your 2022 NYE resolutions?

Better than mine, in all probability.

Anyways, ready for another jump scare? Well, the RMP has to manage the ‘material risks’ of ‘hazards’ which could have a ‘relevant impact’ on their critical infrastructure asset. Then the owner/operator has to minimise or eliminate, and mitigate, any identified material risks. So, to help out, Home Affairs has advised that 'the storage, transmission or processing of sensitive operational information outside Australia poses a material risk as declared in the Security of Critical Infrastructure Act 2018 (SOCI) Risk Management Program Rules'. Their italics and underline. My bolds.

The way I read it, a critical infrastructure asset owner or operator now has a HA-advised requirement to consider ANY existence of sensitive operational #data outside Oz as - potentially - a bad thing. Or, at least, that an overseas touch of some types of data is a risk that needs explicit consideration, mitigation, and minimisation in the RMP. Annually. Attested to Government. At the Board-level.

Wow.

And here’s the thing, my impression from the commentary around the government’s review of Australia’s Cyber Security Strategy is that it’ll dial UP the requirements in both SOCI 2018 and in Australia's possible new Cyber Security Act. My italics, underline, bold and caps.

The way I see it, there's a choice. You either procrastinate on this OR see it as a chance to do some good for the national interest AND to get in front of your #cybersecurity obligations. If your gut feel is more aligned to the phrases after my "OR", then hit me up for a discussion … or contact infinitely more capable people, like Hayden Loader and Rennick Rogers, about transformative, future-forward, (N)extgen software and hardware solutions.

Looking for more detail? Either search for it or:

For the RMP: https://www.cisc.gov.au/legislative-information-and-reforms/critical-infrastructure/regulatory-obligations and its child links. This includes details on the asset classes whose RMP has been triggered.

For offshore data risks, either go deep-sea fishing into HA’s nested menus or: https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/cisc-factsheet-advice-offshore-data.pdf

Finally, as always, I’m not qualified (nor paid) to be a lawyer.