Bill introducing stricter security obligations for food and grocery wholesalers

On 10 December 2020, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced to Federal Parliament, requiring food wholesalers and distributors, electricity, defence and data providers, among others, to disclose cyber breaches and conduct regular reporting on ownership, operational and risk management details.

The new legislation increases the scope of the cybersecurity requirements from four sectors to 11, most of which were previously regulated by the states. The industries now required to provide regular reporting under the new legislation are communications, data, defence, research, energy, food and grocery, health and medical, space, transport, and water and sewage sectors.

The laws are expected to be fully operational by July 2021. The legislation will impose sanctions for companies that fail to comply with the new risk management obligations, with civil penalties of up to $42,000 and fines of up to $10,500.

The Bill was introduced to increase critical infrastructure security and resilience and is part of a program presented by the Government known as the Critical Infrastructure Resilience Strategy. The program is designed to provide the Government with economy-wide visibility of infrastructure and security readiness.

Regarding “nationally significant” infrastructure, the legislation will provide the Government with “last-resort” powers to respond to serious cyber incidents impacting critical infrastructure or Australia’s national interests. Similar powers introduced in the US have alarmed major US tech firms due to the potential for such powers to be abused and their reach extended beyond the intended scope.

The Minister for Home Affairs, Peter Dutton, said that although the private sector is well-equipped to safeguard critical infrastructure, some cyber-attacks are too difficult to be managed alone.

While introducing the Bill, Mr Dutton discussed the potential widespread impact resulting from failures of key infrastructure, noting that prolonged failures could have disastrous consequences. For example, a failure in the energy sector could also lead to losses in many other industries, including medicine, telecommunications, food and water, and could have “far-reaching consequences”.

It remains to be seen how effective these measures will be in resisting cyber-attacks. Perhaps more importantly, it will be interesting to see whether these laws prove fit for purpose, or whether a further increase or revision of regulatory efforts is required.

The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.