New Cyber Risk Mitigation Rules for Entities in Critical Infrastructure Sectors

Written by staff writer.

Australian entities operating in particular critical infrastructure sectors are now subject to a new cybersecurity risk management program regime after Minister for Home Affairs Clare O’Neil signed off on the rules last week.

Officially titled the ‘Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023’, or the CIRMP Rules, the instrument is the last of three preventative elements stemming from the Security of Critical Infrastructure Act 2018.

Responsible entities and their boards across 13 critical infrastructure asset classes, in sectors such as gas and electricity, healthcare, communications, and food retailing, are now required to identify the risks to their assets, cybersecurity weaknesses included, and take tangible, documented steps to minimise or eliminate the risk of cyber-intrusion.

“As a nation, we must continue to ensure the security of our essential services and to protect them from a range of threats, including cyber, physical, personnel, supply chain and natural hazards,” said O’Neil. “The rules will strengthen the resilience of essential services by embedding preparation, prevention and mitigation activities into standard business practices and provide responsible entities greater situational awareness of threats to critical infrastructure.”

The CIRMP Rules took effect on February 17, 2023, after what the minister describes as an “extensive consultation process”, during which the original draft rules were revised following talks with approximately 1,000 people from around 300 organisations.

Industry estimates that implementing the new rules will cost Australian entities around AU$9 billion over a decade. That figure is, however, lower than the projected cumulative cost of major cybersecurity incidents. In 2022, the high-profile Medibank Private and Optus breaches were reported to have cost those companies about AU$150 million and AU$140 million respectively in customer remediation expenses, with the final amounts expected to be considerably higher if class action lawsuits proceed.

Affected entities have six months to implement the new rules. That involves establishing and maintaining a CIRMP whose documentation both follows the process the Rules set out and demonstrates that appropriate risk mitigation has actually occurred. Entities must then report on the program to the relevant regulator annually, in a report approved and signed by the entity’s board or governing body.

“The rapid response by Minister for Home Affairs and Cybersecurity, Clare O’Neil, is a necessary step forward in protecting critical infrastructure and the data of all Australians,” said Trellix ANZ managing director Luke Power. “Minister O’Neil’s focus on key sectors will strengthen the nation’s stance on cybersecurity by keeping us on the front foot as we see new trends and increased aggression from global ransomware groups targeting Australians.”

The new regime is intended to improve cooperation between government and industry on cybersecurity, with O’Neil acknowledging that individual entities are usually best placed to identify and minimise the cyber risks in their own organisations. Non-compliance can, however, attract government-imposed fines of over AU$10,000.

“The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty,” argues O’Neil.

On the same day it rolled out the CIRMP Rules, the government also launched a new Critical Infrastructure Resilience Strategy, updating the 2015 version. The strategy sets out a regulatory framework for minimum risk management standards across the various industrial and critical infrastructure classes.