If you’re involved in critical infrastructure, you’ve no doubt been following the Federal Government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) on its journey to becoming law. Things haven’t necessarily been smooth sailing, with concerns aired by the business community and a number of challenges identified by both the Senate Standing Committee for the Scrutiny of Bills and the Parliamentary Joint Committee on Intelligence and Security. It appears we may have rounded a corner though, with the introduction of a new amendment splitting the Bill in two. This revised approach will see notification obligations and coercive powers prioritised in a first Bill, with the rest to follow in a second after further consultation and refinement. While there’s still a lot of questions and teething issues to resolve, the government’s commitment is clear - critical infrastructure organisations will shortly find themselves facing a range of significant due diligence, risk mitigation and governance obligations.
A combination of new legislation and preparedness raises some interesting considerations from an asset and business finance perspective. How ready are stakeholders to deal with the government’s intervention and the threat environment that prompted it? Obligations under the Bill make the identification and mitigation of hazards mandatory, creating expectations directors will exercise due care and diligence in complying. Boards will be accountable for adopting, reviewing and reporting on their risk management programs, ensuring sufficient resources are allocated toward uplifting security and resilience as intrinsic, core business practices. Given the considerable urgency and focus, it might be time for financiers to also start thinking about how they should evaluate an organisation’s converged, all-hazards approach in better informing investment decisions.