
The critical infrastructure bill is coming – are you ready?

Back in October, the Australian Government introduced a new bill around Cyber Security. This bill is going to change the Cyber Security obligations for lots of businesses – probably including yours! Here’s what you need to know, and what to do next. 

No more wild west 

It’s no secret that Cyber Security is an increasingly important issue. Ransomware attacks are on the rise, and big organisations are compromised on a worryingly regular basis. What’s more, cloud technology, connected devices and our new work-from-anywhere corporate culture mean we are more reliant on technology than ever before.  

This means that everyone – you, me, society in general – is in a heightened state of Cyber Security risk. There are more opportunities for threat actors to cause trouble than ever before.  

At the same time, Cyber Security has been a bit of a Wild West situation for some time now. Since it’s a relatively new field, firms haven’t been subject to the same scrutiny or regulation as they have been in other fields.  

By comparison, regulation in industries such as grocery and transport is long established, owing to the age of those industries and the risks they manage.

Cyber Security is different. It’s a new risk, which means regulations have been a bit slow to catch up.  

The Critical Infrastructure Bill changes that.  


The big changes – and what they mean 

The big changes coming down the line are amendments to the definition of “critical infrastructure.” Under Australian law, industries categorised as critical infrastructure are subject to more stringent reporting requirements around Cyber Security (among other things – more on that in a minute).  

The bill expands the definition of critical infrastructure. It will include: 

  • Energy 
  • Communications 
  • Financial services 
  • Defence  
  • Higher education and research 
  • Data storage or processing 
  • Food and grocery 
  • Healthcare and medical 
  • Space technology 
  • Transport 
  • Water and sewerage 

It’s broad!  

The Government will have the ability to commandeer businesses in these industries if there is an incident, force critical industry businesses to do (or stop doing) something, and analyse their data.  

Down the track, even more stringent rules will come into play – like enhanced cyber obligations. Businesses in critical industries will be required to undertake certain activities, such as developing security incident response plans, running cyber security exercises and carrying out vulnerability assessments.


Ounce of prevention better than a pound of cure 

If you’re in, or adjacent to, one of these industries, you should start looking at your Cyber Security now to make sure you’re compliant.  

If you don’t know where to start, just get in touch with us – we offer advisory services that are built around helping organisations that don’t know what they don’t know.  

Book a call, and we’ll help you put together a plan to help you comply with the upcoming legislation.