The Security of Critical Infrastructure Risk Management Program Rules (the CIRMP Rules) commenced on 17 February 2023, having been signed off by the Minister for Home Affairs, the Hon Clare O’Neil MP (the Minister). This marks the beginning of the six-month transition period within which responsible entities must adopt a written critical infrastructure risk management program (CIRMP).
These rules also enable the Government to provide meaningful assistance and advice to entities on ways to further enhance the security and resilience of critical infrastructure assets. The Federal Government defines these assets as the systems and services that are vital to our way of life, including physical facilities, supply chains and information technology.
Responsible Entities and Direct Interest Holders of critical infrastructure assets are now subject to the recent legislative changes, including the amendments that the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (the SLACIP Act) made to the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act).
What is the SOCI Act?
The SOCI Act is a market-wide framework that defines what counts as critical infrastructure and sets out how the security of, and risks to, that infrastructure are to be managed.
What is the SLACIP Act?
The SLACIP Act amends the SOCI Act by introducing additional risk management requirements, including an obligation on critical infrastructure entities to establish and maintain a critical infrastructure risk management program (CIRMP).
These reforms aim to strengthen the information exchange between industry and government to mitigate risk and protect against threats to essential services.
Complying with the risk management requirement
The SLACIP Act requires each Responsible Entity to create and maintain a risk management program that covers its critical infrastructure asset(s).
The risk management program must consider four areas of operational and security risk:
- Cyber and information security hazards – any risks to the digital systems and networks that support the asset.
- Supply chain hazards – risks of disruption to the supply chain on which the asset depends.
- Physical security and natural hazards – including physical access to control rooms or facilities that are critical to the functioning of the asset, as well as natural events that could disrupt it.
- Personnel hazards – any workers or ‘trusted’ insiders whose access could be used to disrupt the asset.
To comply with the risk management program requirement, entities will need to submit to their relevant regulator an annual report on their risk management program within 90 days after the end of the Australian financial year. The purpose of the annual report is to summarise risk management efforts during the year, and the report must be approved by the entity’s board, council or other governing body.
The Cyber and Infrastructure Security Centre (CISC) guidance on regulatory obligations states that the SOCI Act requires the annual report to be in the approved form and to include the following:
- A declaration that the CIRMP is up to date at the end of the Australian financial year.
- Whether a hazard occurred that had a significant relevant impact on an asset during the year.
- Whether any variations to the CIRMP were made during the year.
- Whether the program was effective in mitigating any significant relevant impact that a hazard may have had on an asset during the year.
- An attestation that the information contained within the annual report was approved by the board or governing body of the entity.
The first annual report required under the CIRMP Rules is for the 2023-24 Australian financial year. The report must be submitted within 90 days after the end of each financial year, so the first is due between 30 June 2024 and 28 September 2024. Although it is not a requirement, the CISC strongly encourages entities to voluntarily submit an annual report for the 2022-23 financial year, to provide initial feedback on the implementation of their CIRMP.
How Grant Thornton can help you comply
The critical infrastructure reforms represent a step change in the regulation and protection of Australia’s most important assets. Whilst organisations in more heavily regulated industries may already be meeting some or all of the risk management requirements, others currently take a more ad hoc or decentralised approach to risk management.
Grant Thornton is helping clients implement and uplift their CIRMPs to meet the new requirements and comprehensively address the four hazard categories outlined in the reform. This includes implementing a top-down, consistent risk management program across the various hazards, as well as improving documentation of the risk management activities that are already taking place.
We are also helping boards and governing bodies gain internal assurance that the information included in their annual report is valid and provides a reasonable basis for their sign-off.
Regardless of the maturity of your organisation, we are here to help you comply with the new reforms and encourage you to get in touch.