SOCI update: Exposure draft enhancements to CIRMP Rules and consultation on proposed amendments to Ministerial Directions Powers

Tell me in 30 seconds

As foreshadowed in our earlier insight here, the Department of Home Affairs (Department) has now released an exposure draft of proposed enhancements to the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 (CIRMP Rules), and a separate consultation paper on proposed amendments to the Ministerial Directions Powers in Part 3 of the Security of Critical Infrastructure Act 2018 (SOCI Act).  Together, these initiatives form part of the Government’s broader work to uplift the security of Australia’s critical infrastructure. 

The Ministerial Directions powers consultation paper canvasses five proposed reforms:

  1. Amendments to the existing section 32 directions power
  2. A new conditions power
  3. A vendor-risk directions power
  4. A potential mechanism to delay continuous disclosure in certain high-risk cyber incidents
  5. Higher civil penalties for non-compliance

The independent review of the SOCI Act was also recently tabled in Parliament. While the Government’s response to that review is pending, some of the proposed amendments align with its recommendations (for example, increasing penalties), while others may not be entirely consistent with it (such as the more detailed requirements in the proposed enhanced CIRMP Rules, which some may say increase the uncertainty and complexity of compliance).

What you need to do

Consultation on both the exposure draft and the proposed reforms to the Ministerial Directions powers closes on 1 May 2026. A town hall on the exposure draft was held on 8 April 2026. A town hall on the Ministerial Directions powers consultation paper was held on 7 April 2026, and another will be held on 20 April 2026. Recordings will be available on the CISC website for those unable to attend. Entities planning to provide feedback should note that separate submissions are required for each initiative.

Exposure Draft: Proposed enhancements to the CIRMP Rules

Who is affected?

Under the exposure draft, the enhanced CIRMP requirements apply to the following nine specified asset classes:

Key enhanced requirements

The table below summarises what responsible entities would be required to do to comply with the enhanced requirements if the exposure draft were implemented as drafted:

Enhancement requirements
What responsible entities must do to comply

All-Hazards Material Risk (s 6A)

  • Consider, in the CIRMP, risks that could impair the asset’s functions in a way that prejudices Australia’s social stability, economic stability, national security or defence, including relevant government risk advice on those matters.
  • Consider compromise or impairment of the asset’s functions arising from, or in connection with, foreign ownership, control or influence (FOCI).

The consultation paper had proposed a requirement to consider ‘specified risk advice’ issued by the Department as part of the CIRMP. That requirement has not been expressly included in the exposure draft; the broader all-hazards requirement above is proposed instead. It should also be read alongside the proposed Ministerial Directions power in respect of vendor risks, described below.

Cyber and Information Security Uplift (s 8A)

  • Establish and maintain processes to minimise or eliminate specified cyber material risks, including risks associated with unsupported or legacy systems, delayed patching, advanced and emerging technology, and offshore remote access to operational technology control systems and business-critical data.
  • Comply with a listed cyber framework, or an equivalent framework, and implement more detailed controls around phishing-resistant MFA, authentication logging and review, critical system identification, network segregation, and recovery and restoration capability.

The exposure draft broadly implements the proposals in the consultation paper. In doing so, the Department has adopted terminology used in APRA standards (such as ‘maximum tolerable outage’) for the management of these risks.

Personnel Access Management and Critical Worker Suitability (s 9A)

  • Maintain controls to manage access-related risks for critical systems and the asset more broadly, including unauthorised or unsupervised access, compromise or misuse of credentials and privileged access, and access by persons other than critical workers.
  • Assess, monitor and manage the ongoing suitability of critical workers with access to critical systems and their components, including risks associated with incoming and outgoing personnel.
  • Require onshore critical workers to satisfy prescribed suitability requirements before access is granted, being either an AusCheck background check plus suitability assessment or an existing AGSVA NV1 clearance.
  • Require offshore critical workers to satisfy those same suitability requirements before access is granted, and if they are unable to do so, record in the CIRMP the relevant employment risks and mitigation steps.
  • Where an AusCheck background check is required, repeat it at least every five years for workers requiring ongoing access, and reassess NV1-cleared workers before that clearance lapses or expires.

Compared with the consultation paper, the exposure draft places greater emphasis on worker suitability, ongoing monitoring and access-related controls. The Department resisted requests for greater clarity around the definition of ‘critical worker’.

Supply Chain Mapping and Vendor Assessment (s 10A)

  • Map major suppliers and critical systems across physical and cyber supply chains, identify vulnerabilities and risks, and determine the maximum tolerable outage for the asset and relevant systems, components, suppliers or providers.
  • Assess existing and proposed major suppliers by reference to factors such as legal requirements, jurisdictional constraints, supplier access, influence and control, and include mitigation measures so far as reasonably practicable.

The exposure draft broadly reflects the approach proposed in the consultation paper, again adopting terminology from APRA standards.

Physical Security and Natural Hazards (s 11A)

  • Centrally manage physical security and natural hazards, including the physical-security consequences that may arise from cyber, personnel and supply-chain hazards.
  • Ensure the CIRMP addresses matters such as site characteristics, critical components, sensitive areas, access controls, surveillance and response measures for unauthorised access.

These requirements are new: the consultation paper did not propose any additional physical security or natural hazard amendments.

Timing and implementation

The exposure draft does not require all enhanced obligations to apply immediately; instead, it stages them through 6-, 18- and 24-month grace periods. Some of these periods have been extended slightly following consultation.

For assets already captured by the Rules, those periods run from commencement of the enhanced Rules; for assets captured later, they run from the date the asset first becomes a critical infrastructure asset.

Time from commencement | Key requirement | Relevant provision

6 months | Enhanced all-hazards material risk requirement | s 6A

18 months | Initial enhanced cyber risk minimisation and personnel access-management requirements, plus enhanced supply chain and physical security requirements | ss 8A(2), 9A(2), 10A and 11A

24 months | Remaining enhanced cyber and personnel requirements | s 8A (other than s 8A(2)); s 9A (other than s 9A(2))

Consultation on Ministerial Directions reforms

Alongside the CIRMP exposure draft, the Department has released a separate consultation on proposed amendments to the Ministerial Directions powers in Part 3 of the SOCI Act. 

The paper includes illustrative scenarios for the key proposed reforms and targeted consultation questions seeking feedback on matters such as feasibility, implementation steps, timing, costs, legal interfaces and cumulative regulatory burden. 

As some of the powers proposed in these reforms are significant, and could have material cost and implementation consequences for affected entities if exercised, readers should review those scenarios and questions carefully and, where appropriate, make submissions so that Government properly takes into account industry’s concerns about the consequences of exercising these powers.

Proposed measures

Amendments to the existing section 32 directions power

  • The Minister would no longer need an Adverse Security Assessment before issuing a direction and would instead obtain and have regard to tailored ASIO advice.
  • The paper also proposes recalibrating the current “regulatory exhaustion” test so the Minister would consider whether other regulatory mechanisms could address the risk more effectively, while retaining negotiation, consultation and judicial review safeguards. 

New conditions power

  • The Minister could impose targeted conditions on reporting entities where ownership, control or governance arrangements create a material risk to national security that cannot be sufficiently mitigated through existing obligations or voluntary measures.  
  • The paper indicates this power is intended to sit alongside, rather than duplicate, the FATA regime. In the foreign investment context, FATA conditions would continue to address national security risks identified at the transaction stage, while the proposed SOCI power would allow conditions to be imposed where ownership, control or governance risks emerge, persist or intensify after the acquisition, or arise outside the foreign investment approval process altogether.

Vendor-risk direction power

  • The vendor-risk direction power would allow coordinated action where a vendor, or its products, equipment, services or technologies, presents a material risk to national security.  
  • The proposed power could support directions to responsible entities individually or by class, including to cease using specified products, restrict future procurement, remove or remediate technologies, or implement compensating controls where immediate removal is not feasible. 

Delayed continuous disclosure mechanism

  • A limited, time-bound mechanism would be introduced to delay disclosure obligations in rare, high-risk cyber incidents where public disclosure would threaten national security or public safety.
  • The paper proposes either using ASIC’s existing exemption power under section 111AT of the Corporations Act or creating a new SOCI-based directions power under which the Minister could direct an entity not to publicly disclose the existence of the cyber incident for a prescribed period.

Increased civil penalties

  • Increasing the civil penalty for non-compliance with a Ministerial direction under Part 3 from 250 penalty units to 2,000 penalty units.  
  • The paper says this is intended to create a more credible deterrent, align Part 3 more closely with the enforcement framework already operating in Part 2D of the SOCI Act, and preserve the courts’ discretion to calibrate penalties to the seriousness of the misconduct.   