The Australian Department of Home Affairs (DHA) and the Reserve Bank of Australia (RBA) have jointly signed a Memorandum of Understanding (MoU) to enhance the security of critical infrastructure. The agreement formalizes the collaboration between the department and the RBA in regulating entities with obligations under the Security of Critical Infrastructure Act 2018 (SOCI Act). The MoU represents a pivotal step towards bolstering the resilience of critical infrastructure, particularly for Critical Payment System Assets. It is designed to foster transparency, prevent redundant efforts, and reduce the regulatory burden on entities responsible for these assets.
The MoU includes a commitment to:
- consult and inform each other on significant issues concerning Critical Payment System Assets or their responsible entities
- have the department notify and consult with the RBA when exercising enforcement powers under the SOCI Act for Critical Payment System Assets
- avoid the department and the RBA collecting the same information and data from responsible entities, preventing duplication of effort
- have the RBA receive critical risk management annual reports from Critical Payment System Assets and liaise with the department to ensure a common approach to receiving and reviewing these reports
An important consideration in this and future MoUs is to prevent unnecessary regulatory burden on responsible entities. The department will continue to work with other regulatory bodies to reach an agreement on managing security for critical infrastructure assets.
The RBA is the relevant Commonwealth regulator for Critical Payment System Assets. Under the SOCI Act, non-compliance by Critical Payment System Assets is addressed by the Secretary of the Department of Home Affairs and delegated departmental officers. This agreement facilitates the collaborative regulation of these assets by the department and the RBA.
In 2023, the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) commenced. The CIRMP Rules require responsible entities for specific critical infrastructure asset classes to adopt, maintain, and comply with a critical infrastructure risk management program (CIRMP) using an all-hazards approach to managing the material risks of cyber and information security, personnel, physical and natural, and supply chain hazards. A responsible entity’s board, council, or other governing body must also submit an annual report certifying various matters relating to compliance with the CIRMP to the relevant Commonwealth regulator using the approved form. The first mandatory annual reports must be submitted within 90 days after the end of the 2023-2024 Australian financial year.
The DHA’s Cyber and Infrastructure Security Centre (CISC) drives an all-hazards regime for critical infrastructure based in Australia. The CISC works in partnership with government, industry, and the Australian community. It also actively assists critical infrastructure owners and operators to understand and manage risks and hazards through the implementation of the SOCI Act regulatory requirements, including by having arrangements in place to enforce compliance with SOCI Act obligations.
Signed by Justine Jones, first assistant secretary of the CISC, and Bradley Jones, assistant governor for Financial System Group at the Reserve Bank of Australia, the October memo identified that the DHA and the RBA agree to cooperate and collaborate to promote effective management of risks relating to Critical Payment System Assets, including by requiring responsible entities for Critical Payment System Assets to identify and manage risks relating to those assets under the SOCI Act’s critical infrastructure risk management program obligations.
The memo prescribed that to promote the development of regulatory policy, the DHA and the RBA will inform each other on significant issues for Critical Payment System Assets or their responsible entities that may have an impact on, or may otherwise be relevant to, the regulatory responsibilities of the other agency. Each agency will, where appropriate, provide an opportunity for consultation on the issue (including the opportunity for private discussions and/or to provide written comments) before industry consultation, and before any finalized outcome.
It also stipulated that any information shared under this MoU will be disclosed and received on the basis that it will be handled in a manner that complies with Commonwealth legal and policy requirements for security, privacy, and official disclosure. This includes compliance with the Commonwealth Protective Security Policy Framework (PSPF) as well as the Privacy Act 1988 (Cth), the Crimes Act 1914 (Cth) and the Freedom of Information Act 1982 (Cth).
Also, the DHA and the RBA may disclose protected information (as defined under the SOCI Act) to each other as permitted under the SOCI Act in order to support the regulatory functions of each agency.
In addition to the exercise of formal powers and requests, DHA and the RBA will, subject to any restrictions imposed by law (whether under the statute, contract, equity, or otherwise), share information that the agency believes would be of assistance to the other agency in undertaking its responsibilities under the SOCI Act. Wherever possible, DHA and the RBA will avoid separate collection of the same information and data from the responsible entity for a Critical Payment System Asset.
The memo also added that the DHA and RBA will work together to minimize the reporting burden on responsible entities for Critical Payment System Assets.
Earlier this week, the CISC announced the designation of 46 additional critical infrastructure assets as Systems of National Significance. The initiative is part of the Australian government’s ongoing efforts to enhance the cyber resilience of the nation’s vital infrastructure. With this latest declaration, the total number of such systems now exceeds 200, spanning sectors like energy, communications, transport, financial services, food and grocery, and data storage or processing. This collaboration between the government and businesses aims to strengthen national security.