Australia's second tranche of cyber laws passes both Houses
Critical infrastructure entities will now be required to maintain a risk management program, which Home Affairs has said, on average, will cost organisations a one-off AU$9.7 million for setting it up and an annual ongoing cost of AU$3.7 million.
Australia's second tranche of cyber laws has passed through both houses of Parliament, meaning entities running "systems of national significance" will soon be beholden to enhanced cybersecurity obligations that could force them to install third-party software.
Home Affairs Minister Karen Andrews said the laws would boost the security and resilience of Australia's critical infrastructure.
"Throughout the pandemic, Australia's critical infrastructure sectors have been regularly targeted by malicious cyber actors seeking to exploit victims for profit, with total disregard for the community and the essential services we all rely on," Andrews said.
"The Bill builds on the Morrison Government's strong support for our national security agencies announced in Tuesday's Federal Budget, to make Australia stronger and keep Australians safe in an increasingly uncertain world.
Australia's parliamentary body tasked with reviewing cyber laws threw its support behind these laws last week, saying the laws would create a standardised critical infrastructure framework to make it easier for government and industry to approach cyber attacks in a precautionary fashion.
The laws, packaged in the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, were initially meant to be part of the initial tranche of cyber laws for critical infrastructure entities that were enshrined last year. They were eventually left out of the first set of laws, however, due to the federal government wanting further consultation from industry on how to co-design a critical infrastructure regulatory framework.
Along with enhanced cybersecurity obligations, the critical infrastructure reforms will require critical infrastructure entities to maintain a risk management program for identifying hazards to critical infrastructure assets and the likelihood of them occurring. In addition, entities will have to submit an annual report about the risk management program and if any hazards had a significant impact on critical infrastructure assets.
Home Affairs Secretary Mike Pezzullo previously said the costs for running the risk management program, on average, would set entities back a one-off AU$9.7 million payment to set the program up and an annual ongoing cost of AU$3.7 million.
In terms of where the critical infrastructure reforms sit in the big picture, the reforms and the ransomware action plan will act as the federal government's primary regulatory efforts for bolstering Australia's cybersecurity posture. It sits separate to the Coalition's newly proposed AU$9.9 billion cybersecurity program that was announced in the federal Budget, which is primarily focused on providing more resources to the Australian Signals Directorate.