What is being consulted on?

The Minister for Home Affairs has released an exposure draft of the risk management program rules (Rules) that will apply to entities who own or operate certain classes of critical infrastructure assets regulated under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).

Consultation on this exposure draft of the Rules commenced on Wednesday, 5 October 2022 and is open for 45 days until Friday 18 November 2022.

Boards and other governing bodies should take note of this process, as they will ultimately need to report and sign off on their organisation’s risk management program.

What are the draft critical infrastructure risk management program rules about?

As mentioned in 'The curtain falls - Final reforms to Australia’s critical infrastructure laws', under Part 2A of the SOCI Act, the Minister has the power to require responsible entities – being owners or operators of critical infrastructure assets – to develop and comply with a Risk Management Program (RMP) in respect of their critical infrastructure assets (unless an exemption applies).

The purpose of a RMP is to ensure that businesses who own or operate relevant classes of critical infrastructure assets:

• have a formal process in place for identifying hazards where there is a material risk that the hazard may impact the availability, reliability, or integrity of their critical infrastructure assets or the confidentiality of information about the assets; and
• have a documented plan with steps for eliminating, mitigating or minimising the impact of such risks (so far as is reasonably possible).

The draft Rules cover certain key matters, including:

• which classes of critical infrastructure assets the RMP obligations in Part 2A will apply to (see below);
• the requirements with which a responsible entity’s RMP must comply; and
• the four key ‘hazard domains’ that a responsible entity’s RMP must contemplate (being cyber and information security, personnel hazards, supply chain and physical security and natural hazards).

Which critical infrastructure asset classes do the Rules apply to?

The RMP requirements in Part 2A only apply to a “critical infrastructure asset” if they have been applied to that class of assets by the Rules, or if the Minister has declared that the requirements apply to that asset.

Based on the draft Rules, the Minister is proposing that the RMP obligations will apply to the following asset classes:

The Rules will apply to an asset class from 6 months after the Rules come into effect (or 6 months from when the asset becomes a ‘critical infrastructure asset’), giving entities a grace period in which to prepare a RMP and ensure compliance.

Relevance to boards and governing bodies

Once developed, a RMP must be signed off by the responsible entity’s board, council or other governing body and must be regularly reviewed and updated.

The entity must also prepare a report on their RMP at the end of each financial year, as evidence of its compliance with obligations under Part 2A and the Rules. This annual report must also be signed off by the entity’s governing body.

What do businesses interested in participating in the consultation process need to do?

Responsible entities for the classes of critical infrastructure assets listed above have the opportunity to participate in the ongoing consultation process in relation to the draft Rules. As noted, the consultation period is already open and runs until Friday, 18 November 2022.

In addition to making a written submission with feedback on or suggested changes to the draft Rules, interested stakeholders have the opportunity to participate in town hall meetings, Q&A sessions and roundtable discussions in order to better understand what is required for compliance.

Further information in relation to the consultation process and these activities is available at 'Engagement on critical infrastructure reforms' on the Department of Home Affairs’ website.

Authors: Lesley Sutton, Karen Fanning and Ethan Huang