With cyber threats increasing year on year, the SOCI Act is likely just the beginning of government measures to protect the country from cyber crime. Whether you're a big multinational or a small local business, it is important to be aware of what is going on. By staying up to date, you will be prepared when change does occur. Even better, act now by putting proactive cyber security measures in place, and you will be way ahead of the curve.
Introduced in 2018, the Security of Critical Infrastructure (SOCI) Act aims to help mitigate the growing threat of attacks against the country’s most important systems, such as those in the electricity, gas, water and maritime sectors.
It imposes very strict requirements on the critical infrastructure sector, setting out cyber resilience measures that must be taken.
The Act also mandates stringent reporting obligations to the Government by these organisations.
The basic idea is that hackers are likely to be interested in disrupting societies through critical infrastructure. This is very much an element of modern warfare. To secure our country and the economy, the law must protect our critical infrastructure from digital attacks.
The Act was amended in 2021 following 18 months of community and industry consultation. The amendments mean the Act is now relevant to a total of 11 sectors, instead of the previous four. These sectors include health care and medical, the defence industry, higher education and data storage and processing.
Critical infrastructure comprises the assets and services which we rely on for our everyday business and lives. They underpin society.
The Australian Government defines critical infrastructure as: "Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security."
These include:
Newest amendments to the SOCI Act set out the following obligations for the critical infrastructure sector:
To read more about these obligations and what the SOCI Act entails, you can view our previous blog here.
Following the Optus and Medibank hacks, there has been concern that the SOCI Act does not effectively work in practice.
Rob Nicholls, Associate Professor of Regulation and Governance at UNSW Business School, explains to the Law Society Journal:
“SOCI is basically associated with systems in terms of the definition of critical assets, and those systems don’t necessarily include the data which is protected by the systems… If our data is caught in a breach, it doesn’t matter what the systems are. If they had taken a photocopy of the 100 points of ID and left those in a paper file, my personal data would be safe still."
Home Affairs Minister Claire O’Neil has also released a discussion paper - the 2023-2030 Australian Cyber Security Strategy Discussion Paper - delving into how current legislation and policy can be streamlined.
There are 21 questions in the paper, including whether payment of ransoms and extortion demands by cyber criminals should be banned; the scope of the powers of intelligence agencies to intervene; and whether a standalone Cyber Security Act should be considered.
This is very much a developing issue and evolving space, so stay tuned.
If a standalone Cyber Security Act were implemented, stringent cyber diligence measures would likely apply not just to critical infrastructure entities but to small and medium-sized businesses too.
There could also be a greater onus placed on smaller businesses with ties to critical infrastructure.
Either way, cyber security and due diligence to protect any data held by your business is an increasingly hot topic.
It's only going to become more and more important for businesses to tighten their cyber security measures.
It's likely only a matter of time before all Australian businesses are required to adhere to strict cyber security guidelines by law.
Waiting until the last moment to put cyber security measures in place puts your business at risk of cyber attack. It could also cause undue stress and place a strain on your resources and finances.
This is too big of an issue to put on the back-burner. We would advise all businesses to be proactive and act now.
Do you need help keeping your business secure or adhering to regulations? The Diamond IT team specialises in reviewing cyber security strategies to ensure they are fit-for-purpose, align with government recommendations and include the necessary defences required to best protect your business from malicious threats.
We can support you by establishing your Essential Eight maturity level and improving your overall cyber security posture.
Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cybersecurity and are ready to speak with you. Contact our team on 1300 307 907 today.