Client alert
The CIRMP Rules enable the Government to provide meaningful assistance and advice to entities on ways to further enhance the security and resilience of critical infrastructure assets. These assets are defined by the Federal Government as systems and services that are vital to our way of life, and include physical facilities, supply chains and information technology.
The Responsible Entity or Direct Interest Holders of critical infrastructure assets are now subject to recent legislative changes, including the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (the SLACIP Act) amendments to the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act).
The SOCI Act is a market-wide framework used to define critical infrastructure and improve the security and management of risks relating to critical infrastructure.
The SLACIP Act amends the SOCI Act by introducing additional risk management requirements including that critical infrastructure entities are now obligated to create and maintain a critical infrastructure risk management program (CIRMP).
These reforms aim to strengthen the information exchange between industry and government to mitigate risk and protect against threats to essential services.
The SLACIP Act requires each Responsible Entity to create and maintain a risk management program that covers its critical infrastructure asset(s).
The risk management program must consider four areas of operational and security risk:
To comply with the risk management program requirement, entities will need to submit to their relevant regulator an annual report on their risk management program within 90 days of the end of the Australian financial year. The purpose of the annual report is to summarise risk management efforts during the year, and the report must be approved by the entity’s board, council or other governing body.
The Cyber and Infrastructure Security Centre (CISC) regulatory obligations state that the SOCI Act requires the annual report to be in an approved form and to include the following:
The first annual report required under the CIRMP Rules is for the 2023-2024 Australian financial year. The report must be submitted within 90 days after the end of each financial year, with the first to be submitted between 30 June 2024 and 28 September 2024. Although it is not a requirement, the CISC strongly encourages entities to voluntarily submit an annual report for the 2022-2023 financial year, to provide initial feedback on the implementation of the CIRMP.
The critical infrastructure reforms represent a step change in the regulation and protection of Australia’s most important market assets. Whilst organisations in more heavily regulated industries may already be meeting some or all of the risk management requirements, others currently have a more ad hoc or decentralised approach to risk management.
Grant Thornton is helping clients to implement and uplift their CIRMP programs to meet the new requirements and comprehensively address the four risk categories outlined in the reform. This includes implementing a top-down and consistent risk management program across the various hazards, as well as improving documentation of existing risk management activities that are already taking place.
We are also helping Boards and governing bodies to gain internal assurance that the information included in their annual report is valid and has a reasonable basis for their sign-off.
Regardless of the maturity of your organisation, we are here to help you comply with the new reforms and encourage you to get in touch.