Complex corporate structures at risk in critical infrastructure cyber law change

Critical infrastructure laws governing responses to cyber incidents are about to get an update, and legal experts say companies with complex corporate structures could be most affected.

The challenges of critical infrastructure law lie in corporate structures. PA Wire/Tim Goode.

The government's new seven-year cybersecurity strategy, due to be unveiled on Wednesday, will be closely scrutinised in the wake of the recent high-profile disruptions to telecommunications provider Optus and port operator DP World.

One feature of the new plan will involve making the risk management framework for telcos subject to critical infrastructure laws. But expanding the Security of Critical Infrastructure Act's risk management remit to telcos will not amount to much change in a legal sense, experts say.

Telco providers were already bound by the Critical Infrastructure Act under an expanded list of industries introduced in 2018. The proposed tweak merely tags on extra requirements around risk management, rather than overhauling how telcos approach cybersecurity.

In terms of incident reporting, telcos were already bound by industry-specific regulation. The expansion of the risk-planning aspects of the critical infrastructure law seems to provide the appearance of responding to recent events without actually changing much for industry.