Boards need to understand their new obligations and the responsibilities created under the Security of Critical Infrastructure Act 2018 (Cth).
Boards of critical infrastructure companies need to understand security risk in the same way they understand other aspects of their business, such as financial performance and workplace health and safety. Directors need to be alive to security risk management and conversant with its concepts, so that their companies can identify, mitigate and respond to security risk, ensure business continuity and meet new Commonwealth-legislated obligations.
In 2022, to safeguard Australia’s security by maintaining the vital services society and the economy depend upon, the Commonwealth government introduced amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act). They require owners and operators of critical infrastructure assets to develop and maintain a board- (or governing body) endorsed written critical infrastructure risk management program (CIRMP) to protect those assets. The subsequent Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 (Rules) describe the baseline security components of the CIRMP. The SOCI CIRMP requirement captures thousands of SOCI entities in the current first tranche, with more entities to be captured in subsequent tranches.
The SOCI Act sets out a legislative requirement for critical infrastructure entities to establish and maintain processes or systems that minimise, mitigate or eliminate potential impacts arising from hazards, so far as is reasonably practicable. The CIRMP must address risk across nominated hazard vectors — personnel, cyber and information, physical and natural, and supply chain. The process enables the identification of assets and relevant threats and the management of the resulting risk. Used wisely, the effort to meet CIRMP requirements can offer additional benefits, such as informing operational and investment decisions to protect a critical infrastructure asset and better aligning internal governance processes.
Critical infrastructure asset owners and operators subject to the Rules must provide an annual CIRMP report to the Department of Home Affairs. The report is an in-house assessment of the effectiveness and maturity of the entity’s risk mitigation measures as set out in the CIRMP. This annual report must be approved by the entity’s board or governing body.
There are key areas of focus boards should take account of in meeting their CIRMP obligation. The first board-approved annual CIRMP report is due between 30 June and 28 September 2024, that is, within 90 days of the end of the financial year the report covers.
The annual CIRMP report will require directors to:
- Attest that the CIRMP is up to date
- Identify any hazards that occurred in the reporting period and the effectiveness of action taken by the entity to mitigate their impact
- Approve the annual CIRMP report for submission to the regulator.
Note that while the explicit legislative requirement is approval of the annual CIRMP report, this obligation implies that, in practice, the CIRMP itself should also be reviewed, as well as approved, by the board.
Further, in terms of accountability, the board is to identify each individual in a SOCI entity responsible for developing and implementing the CIRMP, and for reviewing or keeping it up to date. Boards must take an active oversight role — consistent with the expectation that they review and approve key roles and responsibilities across an organisation. Similar practices exist in financial entities through the introduction of accountability obligations under the Banking Executive Accountability Regime (BEAR) in 2018, where the allocation of roles and responsibilities has become a key governance function.
While implementing the security risk management requirements outlined in the SOCI legislation may seem like yet another compliance activity being heaped upon boards, it is more than that. The CIRMP presents an opportunity for boards to enhance the resilience of the critical infrastructure asset and so assure business continuity and performance.
It is important to understand that there is no one-size-fits-all template for the CIRMP. The Department of Home Affairs has made clear the CIRMP is not prescriptive, but rather allows SOCI entities freedom to create a CIRMP tailored to their unique operating circumstances, assets, threats and risks.
Strategies for boards
Below are considerations boards may explore to maximise the effectiveness of the CIRMP and derive enterprise-level benefits from the process:
Integrate security into governance
Integrating security into existing business processes is key to creating a robust CIRMP and reducing unnecessary duplication. Boards should consider who in the organisation is responsible for CIRMP obligations and whether this aligns with existing risk roles and responsibilities. Establishing clear governance at board level promotes accountability and efficient allocation of resources.
Utilise existing resources
Building on existing governance, best practices, standards and procedures provides a solid foundation for an effective CIRMP. Boards should consider integrating the CIRMP under the company’s enterprise risk management framework and evaluating if any change to the risk-appetite statement is required.
Set a realistic budget
Aligning security objectives with adequate resources demonstrates a strong commitment to protecting critical infrastructure assets. It is essential to allocate a realistic budget that supports the implementation of necessary security measures. Because the CIRMP is framed around security maturity (measures are expected to improve over time rather than be complete from the outset), a measured, flexible approach to investment is permissible relative to other enterprise priorities.
Establish reporting and audit
Boards should seek timely and clear reports on the effectiveness of controls. Establishing specific, measurable and achievable metrics is vital to evaluating CIRMP measures. These metrics should provide insight into overall enterprise activity and risk management. In key risk areas, directors also rely on external experts to provide insight into the effectiveness of controls and the robustness of the CIRMP. Regular in-house and independent reporting and continuous evaluation are important to inform security maturity and drive security improvements.
Boards routinely utilise specialist expert advice on matters such as legal, finance and human resource issues to inform decisions and manage risk. Security-risk management is a specialisation that critical infrastructure entity boards may not have dealt with before — or if they have, it likely has been focused on cybersecurity. The SOCI CIRMP makes clear that cybersecurity is only one element of risk that must be considered by boards.
A key insight is that all SOCI Act hazards — aside from natural hazards — are people-dependent, so there needs to be a comprehensive approach to personnel security and preservation of human capital. Directors need to determine whether they have sufficient understanding to make informed decisions about security risk, or whether they need specialised expert advice to meet CIRMP requirements. Doing so bolsters business continuity and protects the business while contributing to national resilience and security.
Tim Slattery GAICD is senior director, enterprise protective security at Providence Consulting Group.
This article first appeared under the headline 'Mission Critical’ in the November 2023 issue of Company Director magazine.