AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
a critical infrastructure asset, separate to other critical infrastructure, and therefore fall within the scope of the SOCI Act. Specifically, an entity that owns or operates a “data storage or processing asset” will be considered a responsible entity under the SOCI Act, and its asset “critical”, if:

• the entity wholly or primarily provides data storage or processing services that relate to “business critical data”, being “personal information” (per the Privacy Act – see 6.1 Cybersecurity and Data Protection) relating to at least 20,000 individuals, or otherwise information relating to any research and development, needed to operate, systems needed to operate, or risk management and business continuity in relation to a critical infrastructure asset;
• these services are provided to certain end‑users, primarily either: (a) the Commonwealth, a State, a Territory, or a body corporate established under such a Commonwealth, State or Territory law; or (b) the responsible entity for a critical infrastructure asset;
• the entity knows that the asset is used by the above end-user; and
• the asset does not constitute another critical infrastructure asset.

Further, the 2024 SOCI Amendment Act clarified the SOCI Act so that it includes secondary assets that hold business critical data relating to the primary asset. Notably, the intent behind these amendments is not to capture all non-operational systems holding business critical data; rather, only those where vulnerabilities could significantly impact critical infrastructure assets. Examples of relevant operational data include network blueprints, encryption keys, algorithms, operational system code, and tactics, techniques and procedures.

The regulations may specifically exclude other such assets. See 2. Critical Infrastructure Cybersecurity for their obligations and responsibilities.

3.3 Key Operational Resilience Obligations

There is no specific legislation for “digital operational resilience” for the financial sector as seen in the European jurisdictions; however, the objectives of enabling the financial sector to be or remain resilient in the face of serious operational disruption and to prevent or mitigate cyberthreats are reflected in the patchwork of legislation.

SOCI

Looking specifically at the obligations under the SOCI Act for the financial sector: although financial businesses using or constituting critical infrastructure assets have the same incident reporting obligations already covered (see 2.3 Incident Response and Notification Obligations), such services do not have the obligations to register as critical assets and to have a CIRMP under the SOCI Act (except where they are “payment services”). As an aside, a financial service can be classified as a SoNS under the SOCI Act, attracting the enhanced cybersecurity obligations.

Corporations Act

Notwithstanding the position under the SOCI Act, financial services are likely already required to be registered with APRA and/or to obtain a form of financial service licensing; and in doing the latter, must, inter alia, provide their services
CHAMBERS.COM