AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
SOCI Act for responsible entities of critical infrastructure assets (2.2 Critical Infrastructure Cybersecurity) and the Corporations Act for financial licensees (3.3 Key Operational Resilience Obligations);
• other obligations on certain responsible entities concerning TLPT-like requirements (3.6 Threat-Led Penetration Testing); and
• the data protection standards for various types of information such as “personal information” (6.1 Cybersecurity and Data Protection) and the healthcare sector (6.3 Cybersecurity in the Healthcare Sector).

Further, the Cyber Security Act provided a framework by which the Minister can prescribe mandatory rules for smart devices, which seeks to replace the 2020 voluntary Code of Practice: Securing the Internet of Things for Consumers. The details of the framework are yet to enter into law, but it will apply to products that are either “internet-connectable” or “network-connectable”, subject to certain exceptions relating to laptops, medical devices and cars. This framework will be primarily targeted towards manufacturers and suppliers of these devices.

4.2 Key Obligations Under Legislation

Cyber-resilience obligations are imposed on certain responsible entities of critical infrastructure assets by way of the Critical Infrastructure Risk Management Program, which must be adopted, reviewed and updated. The purpose of these programmes is to identify each hazard with a material risk and minimise, eliminate or mitigate that hazard (or its material risk). The relevant responsible entities and specific requirements for these programmes are set out in the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023.
In respect of smart devices, according to the CISC’s explanatory document outlining the Cyber Security (Security Standards for Smart Devices) Rules, their cyber-resilience obligations will include mandatory obligations relating to passwords, procedures to report security issues and support periods for security updates, as well as voluntary labelling schemes. However, the regulations are yet to be passed.

Other cyber-resilience obligations for critical infrastructure, the broader financial sector and others are discussed elsewhere in this chapter.

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation

There is no single legislation in Australia addressing broad-sweeping information technology and cybersecurity (ITC) certification procedures. However, ITC-relevant certification provisions are relevant to the SOCI Act. Specifically, where a responsible entity holds a certain “certificate of hosting certification (strategic level)” that relates to its critical infrastructure asset, that entity is exempt from needing a critical infrastructure risk management programme. This certificate must be issued under a scheme that is administered by the Commonwealth and known as the hosting certification framework.

At the time of writing, this framework was only available to data centre providers and cloud service providers, and approximately 11 data centre facilities and 14 cloud services were certified. For additional context, since 30 June 2022, all government contracts for hosting services must