
As the regulatory environment for Australian critical infrastructure grows more stringent, boards and directors of ‘responsible entities’ covered by the Security of Critical Infrastructure Act 2018 (SOCI Act) must pay close attention to their oversight obligations in relation to security risks.
As responsible entities prepare their annual report on compliance with Critical Infrastructure Risk Management Program (CIRMP) obligations for board approval and submission to the regulator, the Department of Home Affairs, the Pentagram Advisory team explores directors’ duty of care and diligence obligations, and provides practical guidance on report preparation and on how responsible entities can support informed board decision-making.
Express and implied board obligations under the SOCI Act
The SOCI Act requires responsible entities for critical infrastructure assets to establish, maintain, and comply with a CIRMP. The CIRMP must address four core hazard vectors (noting that ‘hazard’ is also commonly referred to as ‘threat’):
- cyber and information security
- personnel
- supply chain
- physical and natural hazards.
Under section 30AG of the SOCI Act, responsible entities must submit an annual report to the relevant regulator within 90 days of the end of each Australian financial year.
This annual report must:
- be approved by the board, council, or governing body
- be submitted within the statutory timeframe
- confirm whether the CIRMP is up to date
- detail any variations to the program
- demonstrate how the program has mitigated relevant risks during the reporting period.
This approval requirement reflects the Australian Parliament’s clear intent that boards exercise active oversight of security risk management (which the SOCI legislation frames in terms of hazards). It is not sufficient for directors to simply endorse the report.
In Pentagram’s view, the requirement implies that directors must understand and verify the CIRMP’s adequacy and effectiveness, and in doing so are effectively approving the CIRMP itself, not just the accompanying report. The board cannot reasonably form a view on whether the CIRMP is up to date and effective without undertaking an oversight process that confirms this is the case, including forming a view on how the identified hazards have been mitigated.
CIRMP operation is not a ‘set and forget’ obligation – it necessitates ongoing board engagement to ensure the program remains fit-for-purpose, risk-responsive, and capable of addressing evolving threats.
With that in mind, let us now take a closer look at what is required of directors during this process.
Directors’ duty of care, diligence and regulatory compliance obligations under section 180 of the Corporations Act 2001
Modern directors operate in an environment of intensifying scrutiny regarding their oversight of corporate regulatory compliance obligations. Over the past two decades, this scrutiny has expanded to include non-financial risks, reflecting evolving expectations of directors’ responsibilities.
The Australian Securities and Investments Commission (ASIC) Corporate Governance Taskforce’s 2019 report on non-financial risk defined three key categories of concern:
- Operational risk – including failures in internal systems or external events
- Compliance risk – exposure to legal or regulatory breaches and related sanctions
- Conduct risk – arising from inappropriate or unlawful employee behaviour.
Section 180 of the Corporations Act 2001 requires directors to exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise in similar circumstances.
According to the Hodge-Tame Opinion commissioned by the Australian Institute of Company Directors (AICD) in 2024, this duty of care and diligence explicitly extends to regulatory compliance risks, including those related to environmental, social and governance (ESG) matters, cyber security, and modern slavery. In this context, the board’s approval of the CIRMP engages this duty directly.
Directors are expected to be familiar not only with the company’s commercial fundamentals but also with its key compliance obligations and risk exposures. A failure to address foreseeable risks to the operation of a critical infrastructure asset, such as insufficient mitigation of insider threats, insecure supply chain, or outdated cyber security controls, may constitute a breach of the duty imposed by section 180.
To discharge this duty, directors are expected to:
- exercise effective monitoring and oversight of corporate compliance
- make reasonable and informed enquiries of management – asking the right questions
- educate themselves and critically assess internal and external advice
- ensure threats are addressed in a timely and effective manner
- act promptly when faced with risks that could undermine the organisation’s business model or regulatory compliance.
Importantly, liability under section 180 is individual, not collective. Each director is assessed based on their specific role, level of responsibility, and access to information. Directors cannot ignore red flags, close their eyes to corporate misconduct, or adopt a passive stance. While directors are entitled to rely on advice from management and external advisers, they must bring independent judgement to bear, evaluate the adequacy of that advice, challenge assumptions where necessary, and ensure that programs such as the CIRMP are subject to robust governance and oversight.
Board to review and approve roles and responsibilities
Directors’ duty of care and diligence under section 180 also encompasses ensuring that appropriate accountability and responsibility structures are embedded within the organisation. In the context of the CIRMP, this means overseeing the clear allocation of roles for security risk identification, mitigation, and CIRMP implementation.
We expect this will be an area of increasing board focus, consistent with broader governance expectations that directors review and approve role allocations across the organisation. This mirrors developments observed in the financial sector under the Banking Executive Accountability Regime (BEAR), where the formal assignment of responsibilities has become central to board oversight.
Similarly, for critical infrastructure entities, the clarity of responsibility for managing security risks, whether cyber, personnel, physical, or supply chain-related, is important to meeting regulatory expectations and discharging directors’ obligations under section 180.
Questions for Boards to consider when approving the CIRMP annual report
1. How have roles and responsibilities for CIRMP implementation been reviewed and approved by the board, and are we confident that accountability is embedded at the right levels?
2. Who is accountable for each key area of the CIRMP – cyber, personnel, supply chain, and physical risks – and how clearly are those responsibilities defined and understood across the organisation?
3. What people, skills, systems, and funding have been committed to the CIRMP, and are we satisfied that the program is appropriately resourced to meet its objectives and regulatory requirements?
4. What information are we receiving about emerging threats and critical risks, and does that information give us a clear, timely picture of how well those risks are being managed?
5. What systems and processes are in place to ensure that serious risks, incidents, or changes in the threat landscape are escalated to the board promptly and reliably?
6. What assurance mechanisms – such as internal reporting, internal audits, or independent third-party reviews – are in place to confirm that the CIRMP is operating effectively and that the organisation is meeting its obligations?
Supporting the board: recommendations for management
To enable the board and directors to meet oversight obligations when approving the CIRMP annual report, those responsible for preparing the report should:
- Conduct a comprehensive annual review of the CIRMP well in advance of submission, ensuring it reflects current threats, risks, and any program updates (section 30AE of the SOCI Act).
- Clearly identify and articulate material risks, so the board can assess their relevance and impact. While cyber security risks often receive the most attention, other risks, such as personnel security (e.g. insider threats), supply chain vulnerabilities, and physical or natural hazards, must also be clearly communicated to provide a complete picture of the organisation’s risk landscape.
For example, the 2023–24 trial audits undertaken by the Department of Home Affairs revealed common deficiencies in CIRMPs, particularly in personnel management (including the lack of insider threat mitigation and critical worker identification) and in physical hazard preparedness, where formal processes, guidelines, and review mechanisms were often missing.
- Provide evidence of risk mitigation and response activities, including how identified hazards have been addressed and what improvements have been made since the previous reporting period.
- Present information in clear, concise, and jargon-free language to support accessibility and informed board-level scrutiny.
- Avoid overly technical or fragmented reporting that could obscure key issues or hinder the board’s ability to fulfil its responsibilities.
- Establish and present assurance mechanisms, including:
  - internal reporting systems that provide regular updates on CIRMP implementation
  - internal audits or compliance reviews
  - independent third-party review or audit of the CIRMP confirming the program’s effectiveness and alignment with regulatory obligations.
By delivering clear insights, supporting evidence, and structured assurance, management plays a critical role in helping directors discharge their duty of care and diligence under the Corporations Act 2001 and meet the expectations set by the SOCI Act.
Meeting the security obligations set out in the SOCI Act is not simply a compliance activity; it is fundamental to the successful and cost-effective operation of your business, including the welfare of your employees and the needs of your stakeholders and clients.
To conclude, approving the CIRMP annual report is a critical governance responsibility that engages directors’ individual obligations under section 180 of the Corporations Act 2001. It requires informed oversight, clearly defined accountability, and assurance that the program is current, effective, and actively maintained.
In an environment where security risks to Australia’s critical infrastructure are intensifying – a reality made clear in recent years by legislation and advice from numerous Australian government agencies as well as Australia’s allies – boards must act with urgency and vigilance. This need to act is not just a matter of regulatory compliance; it is an essential frontline defence of Australian national security.