The increasing frequency and severity of cyber attacks on Australian organisations has prompted the Federal Government to step in to strengthen our national resilience through significant regulatory reforms and amendments to what is known as the Security of Critical Infrastructure (SOCI) Act 2018.
Defined by the Department of Home Affairs as "services that are essential for everyday life such as energy, food, water, transport, communications, health and banking and finance", critical infrastructure, if disrupted, can have serious implications for business, governments, and the community.
The amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) give the Government the ability to provide assistance to critical infrastructure entities in response to serious cyber attacks on Australian systems, while compelling infrastructure stakeholders to uplift the security of their assets through a range of new due diligence, risk mitigation and governance obligations.
So what sectors are covered by the SOCI Act? What are the obligations of applicable organisations?
Here we take a further look into what you need to know about the SOCI Act.
The Australian Department of Home Affairs states that "the SOCI Act seeks to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia's critical infrastructure."
The SOCI Act specifies requirements for owners and operators of critical infrastructure assets to provide information on the Register of Critical Infrastructure Assets. The Register maintains information on who owns, controls and has access to critical infrastructure assets.
The SOCI Act was amended in 2021 to expand coverage, ensuring the Government has access to the information necessary to conduct risk assessments (covering relevant people, systems and data, and physical and strategic categories) and the power to enforce mitigations on organisations where these are not implemented through collaboration.
Australia’s critical infrastructure regime now encompasses 11 broadly framed sectors and 22 critical infrastructure asset classes. Critical infrastructure assets included are:
The amendments to the SOCI Act impose three key obligations on the organisations responsible for critical infrastructure assets.
Reporting entities must provide interest, control and operational information to the Cyber and Infrastructure Security Centre, with compliance deemed compulsory after 8 October 2022. Non-compliance can result in a maximum penalty of 50 penalty units (currently $11,100).
This obligation requires that:
A ‘significant impact’ is one that has materially disrupted the availability of essential goods or services provided by the asset. A ‘relevant impact’ is any other impact on the availability, integrity, reliability or confidentiality of the asset. Non-compliance can result in a maximum penalty of 50 penalty units (currently $11,100).
This obligation requires responsible entities to establish, maintain and comply with a risk management program that manages and mitigates prescribed risks associated with its critical infrastructure assets.
A risk management program must:
Failing to adopt, maintain or comply with a critical infrastructure risk management program can result in a maximum penalty of 200 penalty units (currently $44,400).
More information about coverage and obligations under the Act is available in the following fact sheets:
Our team of Business Technology Consultants is currently working with key organisations across a range of sectors to ensure they are meeting specific compliance requirements. Ensuring your organisation is compliant with applicable reforms and regulations doesn’t have to be a complex process. Our team is here to guide you through. Contact us today on 1300 307 907.