On 2 December 2021, the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (the Amendment Act) was introduced to amend the Security of Critical Infrastructure Act 2018 (Cth) (SOCI), resulting in sweeping changes to “critical” business sectors and investment in those businesses under Australia’s foreign investment laws.

The enactment of the SOCI in 2018 aimed to seek to manage the evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia's critical infrastructure. Concerning the increasing cyber threats faced by Australian businesses, the Amendment Act has expanded SOCI’s application coverage from 4 sectors to 11 sectors and 22 asset classes.

Key Changes

1.          The Scope of Application

The Amendment Act applies to 22 asset classes across 11 sectors, which being identified as critical to Australia’s national security:

·            financial services and banking;

·            communications;

·            energy;

·            food & grocery;

·            health;

·            data storage;

·            defence;

·            higher education and research;

·            water and sewage; and

·            airports and air transport and cargo; and transport.

As of 14 December 2021, these new changes will require mandatory FIRB approval in circumstances where an investment is an amount equal to 10% or more or relates to the starting of a new national security business. This is a reduction on the standard mandate requiring FIRB approval of investments 20% and over with the value of the investment being irrelevant.

The changes arise as these new sectors are now captured under the Foreign Acquisitions and Takeovers Act 1975 (Cth) (FATA).  FATA deems any businesses in those sectors as a “national security business”, with the result being that any investment by a foreign person into a national security business of 10% or greater, irrespective of the value of the investments, is subject to mandatory pre-approval.

For investors, this means that stricter due diligence ought to be undertaken as those investments will now be subject to greater scrutiny and stricter obligations.

 2.          Mandatory Cyber Incidents Reporting

The second significant change relates to cybersecurity incidents and the impacts those incidents may have on critical asset industries.  Where a cybersecurity incident happens, irrespective of whether it comprises or significantly impacts the assets, then the Amendment Act requires the entity responsible for that critical asset to report the incident with 12 hours of it becoming aware of the incident.

The aim of this reporting obligation ought to assist in the provision of a clear and comprehensive understanding of ongoing security threats and risks to Australia’s critical asset.  Failing to comply with reporting obligations now imposes a fine of $55,500 or each failure for a corporation, or $11,100 for an individual.

3.          Intervention

Lastly, the third change is the ability of the government to now intervene and give directions to the responsible entity to do, or not do, certain things if it believes that there is likely to be a significant impact on that asset or there is unlikely to be an efficient and effective response to the cybersecurity incident.

These intervention powers include the ability to access or modify current computer systems; install software, or remove, add, or disconnect certain devices.

4.          Impact on business

As these changes significantly widen the scope of what is now “critical infrastructure”, it is important that entities not only understand how this regime may apply to its assets, but that review of their internal policies are performed ensure appropriate compliance.

If you require any assistance on understanding how these issues may impact your involvement in these infrastructure areas, or assistance in undertaking compliance with your obligations, BG Legal & Advisory is able to assist.

*Disclaimer: This is intended as general information only and not to be construed as legal advice. The above information is subject to changes over time. You should always seek professional advice before taking any course of action.*