What’s new
Updated 06 October 2022
On 5 October 2022 the Department of Home Affairs (DHA) formally launched the consultation on the draft Risk Management Program rules under Part 2A of the SOCI Act. The publication of the draft rules starts a mandatory consultation period that lasts until 18 November 2022.
While the draft rules are substantially similar to the draft rules included in the Explanatory Memorandum to the second SOCI bill, critical infrastructure responsible entities and operators should review the proposals (here) and consider their application to, and impact on, their assets and operations. The consultation period provides affected entities with the opportunity to submit observations and request amendments to the rules in order to ensure that they are fit for use and achieve the security uplift objective. Should you wish to make any observations, our integrated team of SOCI and government risk experts would be happy to assist you in doing so.
Critical infrastructure assets proposed to be included are:
- critical electricity assets
- critical energy market operator assets
- critical gas assets
- critical liquid fuels assets
- critical water assets
- critical financial market infrastructure assets used in connection with the operation of payment systems
- critical data storage or processing assets
- certain critical hospitals
- critical domain name systems
- critical food and grocery assets
- critical freight infrastructure assets
- critical freight services assets
- critical broadcasting assets
The risk management requirements, across all material risks and requiring specific (but not exclusive) focus on Cybersecurity, Supply Chain, Personnel and Natural Hazard risk domains, are significant and should not be underestimated. The rules provide for a six-month grace period before the risk management requirements will apply. For cybersecurity, there is then a further 12 months to achieve the required cybersecurity maturity level. Our Digital Operations Risk Advisory team would be happy to assist you and your organisation as you design your operational risk management program.
In parallel, DHA has also published multiple draft guidance documents for consultation: