First reporting deadline for critical infrastructure assets looms large

Annual reports relating to critical infrastructure risk management programs in FY23/24 must be submitted by 28 September 2024.

Australia has been racing past key deadlines for the Security of Critical Infrastructure Act 2018 (Cth) (“SOCI Act”). From 17 August 2024, a “critical infrastructure risk management program” (CIRMP) had to comply with one of five nationally or internationally-recognised cyber security standards, in the hopes of neutralising cyber threats to major infrastructure.

Now, from 28 September 2024, “responsible entities” that have a CIRMP which operated in the 2023/24 financial year will be required to submit an annual report, detailing how well that CIRMP dealt with hazards to critical infrastructure assets.

Who is a “responsible entity” for a critical infrastructure asset depends on what type of asset it is, but it generally means the operator of the asset.

More specifically, the annual report must be approved by the responsible entity’s board or governing council, and must state:

  • whether the CIRMP was up to date at the end of FY23/24;
  • if a hazard had a significant “relevant impact” (on the availability, integrity and reliability of their critical infrastructure asset, or the confidentiality of information about the asset, stored information or computer data):
      • what the hazard was;
      • how effective the CIRMP was in mitigating the significant relevant impact; and
      • if the CIRMP was varied as a result of that hazard, what that variation was.

Annual reports must be submitted through this approved form. The process of gathering information takes time, so start as soon as possible. Even if you don’t have to submit an annual report now, this will have flow-on effects to you, as:

  • if you are a responsible entity that didn’t have a CIRMP for FY23/24, your first report will be due on 28 September 2025; and
  • if you are not a responsible entity, but you work with them as a supplier, contractor or service provider, you may be asked to assist with their SOCI Act obligations through the contracts you sign.

The Cyber and Infrastructure Security Centre (CISC), part of the Department of Home Affairs, says it’s part of a “journey toward an uplifted [critical infrastructure] security posture”, and that it wants to work closely with industry to help industry understand these requirements.

It’s clear that protecting critical infrastructure assets will need the effort and cooperation of businesses across Australia’s economy, so be ready.

Questions? Give us a call.
