The Australian government has recently introduced new positive security obligations for owners of critical infrastructure assets. The new laws require owners and operators of critical infrastructure to take a more proactive approach to security.
Critical infrastructure includes assets and systems that are essential to the functioning of Australia’s economy and society, such as electricity grids, broadcasting, domain name systems, water supply networks, and telecommunications networks. These assets are often owned and operated by private companies.
Under the new laws, owners and operators of critical infrastructure will be required to conduct regular security risk assessments and develop plans to address any identified risks. This will be in the form of a critical infrastructure risk management program. As relevant risks may include cybersecurity intrusions, and deliberate or accidental interference, amongst other things, the businesses will also be required to report any security incidents or breaches to the Australian Cyber Security Centre. The organisation’s risk management program must also meet particular baseline maturity obligations to ensure that assets are sufficiently protected.
The government has emphasised that these new obligations are not intended to place an undue burden on businesses, but rather to ensure that they are taking appropriate steps to protect their assets and the wider community.
The new laws are part of a broader effort by the Australian government to strengthen the country’s cybersecurity posture. In recent years, Australia has experienced a number of high-profile cyberattacks, including attacks on government agencies and private companies. By requiring owners and operators of critical infrastructure to take a more proactive approach to security, the government is taking an important step towards protecting Australia’s economy and society from cyber threats. While the new obligations may require additional resources and effort from businesses, the benefits of improved security will be felt by all Australians.
The new legislation came into effect on 17 February 2023 and provides a 6-month grace period for adopting a written risk management program and a 12-month grace period to update an organisation’s baseline cybersecurity maturity.
We regularly advise clients on the regulatory issues that apply to them, including under the Telecommunications Act, the Corporations Act, the Privacy Act and the Security of Critical Infrastructure Act.
If you are looking for a lawyer who truly understands the space that you operate in, please do not hesitate to contact us for a free legal strategy session today.
Find out more: arnotts.tech
