The Australian Government is amending the Critical Infrastructure Bill 2018 to address the increasing threat environment the nation is facing.
The revised bill introduces an enhanced regulatory framework which now applies to 11 sectors and requires an all-hazards approach to risk management, with a focus on cyber and information, physical, personnel, supply chain, and natural hazard risks.
In summary, the new reform includes:
- A positive security obligation for critical infrastructure entities, supported by sector-specific rules. This includes developing and implementing an ‘all hazards’ critical infrastructure risk management program, to manage and mitigate risks to the asset you are responsible for. This obligation will only apply to sectors without a comparable regime in place, and only when the rules are ‘switched on’ by the Minister.
- Enhanced cyber security obligations for those entities deemed to be systems of national significance (SONS).
- Government assistance for entities in response to significant cyber attacks on Australian systems.
Ensuring organisational compliance
Setting up your organisation to meet the core requirements.
The board will be required to sign off on their organisation’s risk management program and its compliance with the rules through an annual attestation.
KPMG is working with the Department of Home Affairs and industry cohorts to co-design the rules underpinning the reforms. Combined with our broader experience working with critical infrastructure entities, KPMG has a deep understanding of the intent of the reforms and what is required for organisations to comply.
To be successful, organisations will need to engage meaningfully with the reforms to give boards and relevant regulators the assurance they require. Rules for individual sectors are being developed on a staged basis, and the Department of Home Affairs is adopting a principle of co-design with industry in this development process.
This is an important part of the overall programme. Ensuring that the right representatives from your business are meaningfully engaged will help to ensure the rules are practical and implementable and that your organisation’s perspectives and operating context are considered.
Ensuring your organisation is well set up to meet the core requirements is essential and, if done well, will offer many additional benefits and help embed overall operational resilience and excellence.
What can I do to get my organisation ready?
Actions you can take now to help prepare.
Scope: Is my organisation captured by the reform?
Consider the industry sector definitions and the supporting guidance to understand if your organisation will be covered directly. Even if you are not covered by the legislation directly, the legislation has a new focus on supply chain. That means that if you are considered a critical supplier to one of the sectors that is covered, there may be implications for your organisation.
Awareness: How will being captured by the reform affect my organisation?
These requirements won’t just affect the risk, compliance or cyber teams, nor are they a one-off response. The reform will require a sustainable, cross-organisational response that reaches up to the executive and board level. Performing an early diagnostic to identify key gaps will help organisations identify what operational, technological and cultural changes need to be made to ensure compliance in the short and longer term. Leading organisations will be looking at how to embed compliance within wider operational excellence and transformation programmes.
Accountability & Governance: Ensure you define who is accountable for your organisation’s response and how it will be governed.
While ultimate accountability will sit with the CEO and board, there will be a number of important stakeholders from across the business (e.g. technology, security, risk, facilities, human resources) who will be key to ensuring your organisation’s response reflects the wide range of risks and hazards the legislation is intended to address.
While many organisations will need to treat the initial compliance phase as a large-scale programme of work, it will ultimately need a longer-term governance structure that will fall under the accountability of a business function (e.g. risk, compliance).
Your organisation’s response doesn’t need to be overengineered, and many won’t have to start from scratch, but all will need a strong level of governance and accountability to demonstrate sustainable, long-term delivery of outcomes.
Clarity: Why an enterprise-wide view of critical assets will be a prerequisite to success.
Meeting the requirements of this reform will be very difficult in the absence of a clear view of critical assets across the organisation. If a critical asset register (CAR) does not exist, it is inherently difficult for any organisation to demonstrate that security risks are fully understood and that the risk management plans are adequate. Not having an up-to-date CAR is commonly a major barrier to success. Any work that can be done now will be an accelerator towards delivering a successful program.
The process to develop a CAR should consider:
- All company assets – information, personnel, physical facilities and critical suppliers.
- How the CAR will remain a live document and how it will be kept current to reflect key changes in the business.
- Who in the organisation will own the CAR as the program develops.
Support: How do we optimise the supporting functions such as risk management and compliance?
Lack of integration between the various risk, compliance, IT and security functions can become a major impediment to success.
It is not uncommon to find that dimensions of risk (e.g. enterprise risk, IT risk, cyber risk) are handled by separate teams using different approaches and methodologies. Given the wide scope of the obligations, it will be important to ensure that there is a common language of risk throughout the business.
Security risk assessment is a specialist skill set and, in many cases, may require industry specific (or even facility specific/device specific) skills. Consider your current capability and where you may be able to source expertise to help.
Enablement & Reporting: How do we establish the reporting capabilities to demonstrate compliance?
Reporting back to the regulator on your critical infrastructure risk management program will require input from across many parts of the organisation.
Understand what reporting is required and what internal processes will need to be established. Many large organisations are already running multiple compliance, risk management and assurance programmes. It is becoming increasingly challenging to manage these using fragmented and/or manual processes. Now may be the right time to revisit the technology platforms used for these programmes.
Establishing a governance, risk and compliance (GRC) platform, or better integrating the systems already in use, can offer significant benefits in the timeliness and quality of compliance and risk management information.
Education & Awareness: How do we ensure that across the organisation individuals are aware of their roles and responsibilities?
Every part of your organisation will play an important role in meeting the critical infrastructure requirements – from front line operators through to corporate functions and assurance providers.
Clearly defining everyone’s respective roles and responsibilities, and then educating them, will be critical. People will be an organisation’s number one asset in meeting the critical infrastructure requirements and ensuring there are no surprises.
Keeping the nation safe
Increase the security and resilience of critical services.
This package of reform is intended to increase the security and resilience of services that are critical to the wellbeing and prosperity of all Australians. It is essential that, as a nation, we take this opportunity to make meaningful change to protect us all against the ever-increasing range of threats and risks that we face.
Success is not just about an organisation achieving compliance. Success is developing the culture, processes, controls and supporting systems for your organisation to be able to anticipate risks, and make proportionate changes, to manage them transparently and effectively. More broadly, being an integrated economy, collective uplift across sectors will be required – individual uplift within an entity will not be sufficient to meet the legislative intent.
It’s clear in the current threat environment that prevention and mitigation can only be effective through increased awareness of what the threats are, and through strong leadership by the government and industry.
While the details and sector-specific rules are still being defined, organisations can start to move forward on a number of no-regret activities (many of which may already be work in progress). Early consideration will give your organisation more time to prepare, identify the resources required and plot the path that is right for your organisation, both to comply and to drive enhanced operational excellence in the longer term.