Latest amendments to the Security of Critical Infrastructure Act 2018: A major shift impacting critical infrastructure owners and operators


On 29 November 2024, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act) received Royal Assent, introducing changes to the Security of Critical Infrastructure Act 2018 (SOCI Act).

In this article, the Pentagram Advisory team focuses on the key change that affects the majority of critical infrastructure owners and operators. We also provide practical guidance on the steps organisations should take to address these changes. For a broader overview of the amendments introduced by the ERP Act and the new Cyber Security Act 2024, please refer to our detailed summary.

What has changed?

The ERP Act amends the definition of a critical infrastructure asset in section 9 of the SOCI Act to include certain data storage systems that hold business critical data.

If a responsible entity for a critical infrastructure asset owns or operates a data storage system used in connection with that asset, and the system stores or processes business critical data related to the asset, this data storage system now forms part of a critical infrastructure asset. As a result, it must be protected to the same level.

Why?

The purpose of this amendment is to establish a direct connection between business critical data and the functioning of a critical infrastructure asset. By ensuring that this data is safeguarded, the measure aims to prevent scenarios where the compromise of business critical data could lead to the failure or compromise of the broader critical infrastructure asset.

What is business critical data?

Section 5 of the SOCI Act defines business critical data as:

  • personal information (within the meaning of the Privacy Act 1988) that relates to at least 20,000 individuals; or
  • information relating to any research and development in relation to a critical infrastructure asset; or
  • information relating to any systems needed to operate a critical infrastructure asset; or
  • information needed to operate a critical infrastructure asset; or
  • information relating to risk management and business continuity (however described) in relation to a critical infrastructure asset.

Practical examples of business critical data include large volumes of personal data, and research or operational data such as network blueprints, encryption keys or algorithms, and plans or schematics for the operation of a critical infrastructure asset.

What do I need to do next?

If you are a responsible entity for a critical infrastructure asset that owns or operates a data storage system used in connection with that asset, and the system stores or processes business critical data, you will need to take the following steps:

  • Assess whether there are any differences between the beneficial ownership, direct interest holders, or operational and control information related to the data storage system holding business critical data and the information already provided to the Register.
  • If any discrepancies exist, update the Register immediately to ensure compliance with the SOCI Act.
  • Update your internal policies to reflect that certain cyber security incidents affecting the data storage system must now be reported under the SOCI Act.
  • For the 13 critical infrastructure asset classes required to have a written CIRMP, responsible entities will be explicitly required to identify and control risks to their data storage assets as part of their CIRMP.
    • This will require responsible entities to identify material risks to data storage systems that store or process business critical data related to critical assets and minimise or eliminate those risks across ‘all hazards’, including cyber, personnel, supply chain, physical security and natural hazards.

Note: This requirement has not commenced yet. On 16 December 2024, the Department of Home Affairs (DHA) released an exposure draft of the Security of Critical Infrastructure (Critical infrastructure risk management program) Amendment (Data Storage Systems) Rules 2024 (Data Storage Systems Rules 2024) for consultation.

The Data Storage Systems Rules 2024 propose amendments to the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 to clarify circumstances in which risks to certain data storage systems should be considered material risks under CIRMP obligations.

The Cyber and Infrastructure Security Centre (CISC) of the DHA is inviting industry submissions by Friday, 14 February 2025. This requirement is proposed to commence within six months of the Rules being proclaimed.

What if my business critical data is outsourced to a third-party data storage and processing provider?

The amendments introduced by the ERP Act do not apply to scenarios where business critical data is stored or processed by third-party providers. However, the following considerations are important to note.

  • If your third-party data storage or processing provider is operated by the Commonwealth Government, it falls under the Australian Government Hosting Certification Framework and is considered protected at the required level.

  • If any of your business critical data is produced or stored within the systems or cloud of a contracted service provider, and you are a responsible entity subject to CIRMP obligations, you must manage this supply chain security risk through your CIRMP.

  • If your third-party data storage or processing provider is owned or operated by a commercial entity, subsection 12F(3) of the SOCI Act requires responsible entities to notify their third-party providers if they store or process business critical data on behalf of a critical infrastructure asset. By issuing such notification, you ensure that the providers are fully aware of the importance of the data they manage and are equipped to protect it accordingly. This requirement has been in effect since December 2021.

For additional information please refer to the CISC factsheet.

Summary and next steps

The amendments introduced by the ERP Act mark a significant shift in how critical infrastructure owners and operators must manage their data storage systems. These changes reinforce the importance of safeguarding business critical data to protect Australia’s critical infrastructure assets.

Pentagram Advisory strongly encourages all responsible entities to review their compliance with the SOCI Act, update their CIRMP when required, and take proactive steps to address these changes. If you have questions or require tailored advice, please reach out to us at [email protected].
