In his speech to Parliament on 10 December 2020, Peter Dutton, then Minister for Home Affairs, said most Australians going about their day spare little thought for the nation’s critical infrastructure. But a disruption to any of the essential services that underpin our way of life could have “catastrophic and far-reaching consequences”.
Although Australia has never suffered a serious cyberattack on its critical infrastructure, Mr Dutton said, we are not immune – and it is this vulnerability that the revised Critical Infrastructure Bill 2021 (in full, the Security Legislation Amendment (Critical Infrastructure) Bill 2021) is designed to address.
By increasing cyber security and all-hazards preparedness, and by protecting the systems and infrastructure that deliver essential services to our communities, the new reforms aim to enhance the resilience of our critical infrastructure assets.
If you work in one of the sectors named in the Bill, it may mean you are now legally required to undertake background checks for people in your team, among other obligations. Here’s a brief rundown of what you need to know to mitigate people compliance risk associated with this Bill.
What’s the bill about?
As well as protecting and strengthening our nation’s critical infrastructure, and the essential services they provide, the new legislation is designed to give the government greater visibility of cyberattacks.
The reforms introduced by the Bill include:
- A positive security obligation, with sector-specific rules, for critical infrastructure entities. This includes the requirement for organisations to develop and implement an all-hazards risk management program, and mandatory cyber incident reporting.
- Enhanced cyber security obligations for systems of national significance (SONS).
- Government assistance in response to significant cyberattacks on Australian systems.
You also may have heard that the reforms have expanded the definition of critical infrastructure to cover 11 sectors. These sectors are listed as:
1. Communications;
2. Data storage or processing;
3. Financial services and markets;
4. Water and sewerage;
5. Energy;
6. Health care and medical;
7. Higher education and research;
8. Food and grocery;
9. Transport;
10. Space technology;
11. Defence.
Why was this legislation seen as necessary?
In his speech to parliament at the Second Reading of the Bill, Mr Dutton said that rising cybersecurity threats to our nation’s essential services mean the “cost of inaction is far too great to ignore”.
Indeed, “In the past two years we have seen cyberattacks on federal parliamentary networks, logistics, the medical sector and universities,” he told those assembled, while “Internationally, we have seen cyberattacks on critical infrastructure, including water services and airports”.
To underscore the importance of the reforms, Mr Dutton asked everyone to “Imagine a day without power or water because the systems that reliably deliver these services to our homes and our businesses have been attacked or deliberately disrupted.”
We only need to look at the pandemic, he said, to see “how quickly events can cause widespread physical, financial and indeed psychological damage”.
What are the new requirements around background checking?
The new legislation extends the AusCheck Act 2007 to enable background checks, where required, as part of the critical infrastructure risk management program for each of the sectors named in the Bill.
Under these reforms, the entity responsible for a critical infrastructure asset must maintain a risk management program that seeks to “identify each hazard where there is a material risk” to the asset – personnel hazards, including the suitability of staff and contractors, among them. The entity must also present its board or governing body with “an annual report relating to its critical infrastructure risk management program”.
Mitigating people risk
Organisations must manage and mitigate all types of risks to the critical infrastructure assets they are responsible for. A Critical Asset Register (CAR) includes people risk: the threat of employees, contractors and other personnel exploiting a physical or IT vulnerability, whether deliberately or through negligence.
Through pre-employment background checking and ongoing screening of employees, companies can mitigate people risk and substantially reduce the chances of a threat to critical assets originating with an employee. Screening does not eliminate insider risk, so it should sit alongside least-privilege access, monitoring and offboarding controls rather than replace them.
Importantly, people risk data must integrate with other risk, security, IT, and compliance systems to ensure organisation-wide visibility. People risk data should be seen as part of a larger governance, risk, and compliance (GRC) platform.
What does my organisation need to do?
Read over the industry sector definitions and supporting information to see if your organisation is affected by the reforms. Remember, because of a focus on the supply chain, you may still be indirectly impacted if you’re considered a critical supplier to one of those covered sectors.
Ultimately, accountability for compliance sits with the CEO and board. However, important stakeholders from across the business – including in the human resources, technology and security departments – will also play a vital role in ensuring your organisation addresses all the risks and hazards required by the reforms.
Regardless of whether you’re affected by this new legislation, strengthening your business against increasingly sophisticated cybersecurity threats makes a lot of practical sense going forward.
As Mr Dutton said in his speech, greater awareness and on-going risk-management practices in this area will not only help to protect “our standard of living, our wealth and prosperity, and our national security”. It will also guarantee “the continued growth of Australian industry and the ability for businesses to compete in overseas markets”.
For more information about preparing your business for the reforms, check out this excellent breakdown by KPMG, or speak with your business advisor. Get in touch with CVCheck to discover the fastest and simplest solution to achieve compliance under the Critical Infrastructure Bill.