Are you a Relevant Entity under the SOCI Act? What recent amendments mean for your cyber security obligations

The Federal Government’s final amendments to the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act) have been passed. The legislation represents a set of obligations on organisations (or responsible entities as defined under the Act) that are responsible for critical infrastructure assets (CIAs).

The Act is a reflection of an increasing focus on the security and protection of Australia’s critical infrastructure and those who rely upon it. The recent amendments to the SOCI Act represent one element of the Government’s response to the increasing cyber threat faced by Australian organisations following the findings of the Australian Cyber Security Centre’s Annual Cyber Threat Report issued in September 2021. Recent global events have emphasised the need to protect Australia’s critical infrastructure assets from cyber-attacks.

In this update we report on some of the recent amendments and what they mean for both responsible entities, their service providers and the outlook for cyber security in Australia more broadly.

April 2022 Amendments
The recent amendments require responsible entities to:
  1. Adopt and maintain a risk management program to proactively minimise or eliminate hazards that present a material risk to the availability of their CIAs; and

  2. Submit an annual report to the relevant Commonwealth regulator (as nominated by Government).
A critical infrastructure risk management program must:
  • Identify hazards that present a material risk to the availability, integrity, reliability and confidentiality of critical infrastructure assets;

  • Minimise the risk of incidents (so far as it is reasonably practicable to do so);

  • Minimise the impact of incidents (so far as it is reasonably practicable to do so); and

  • Impose governance and oversight procedures, relating to security including testing and evaluation.

The latest amendments also broaden the definitions of critical infrastructure assets and introduce enhanced cyber security obligations for assets of the highest criticality, as nominated by the Minister. On 8 April 2022, the Application Rules were published and registered. They ‘switch on’ mandatory cyber incident reporting obligations for a number of responsible entities of CIAs.

  • If an entity becomes aware that a cyber security incident has had, or is having, a significant impact on the availability of the asset, it must report this event within 12 hours to the Australian Signals Directorate (ASD) (or another agency nominated in the rules).

  • If an entity becomes aware that a cyber security incident has had, or is having, a relevant impact on the availability of the asset, it must report this event within 72 hours to the ASD (or another nominated agency). The rules break down what constitutes a relevant impact.

The notification obligations come into effect either 3 months after commencement of the rules (i.e. 8 July 2022), or three months after the asset became a critical infrastructure asset (e.g. where a new critical port is built, three months after it becomes a critical asset under SOCI).

A Cyber Security Incident is defined as follows:

one or more acts, events or circumstances involving any of the following:

                     (a)  unauthorised access to:

                              (i)  computer data; or

                             (ii)  a computer program;

                     (b)  unauthorised modification of:

                              (i)  computer data; or

                             (ii)  a computer program;

                     (c)  unauthorised impairment of electronic communication to or from a computer;

                     (d)  unauthorised impairment of the availability, reliability, security or operation of:

                              (i)  a computer; or

                             (ii)  computer data; or

                            (iii)  a computer program.

What are CIAs?
The recent amendments now encompass the following classes of critical infrastructure assets:
  • Critical broadcasting assets

  • Critical domain name systems

  • Critical data storage or processing assets

  • Critical banking assets

  • Critical superannuation assets

  • Critical insurance assets

  • Critical financial market infrastructure assets

  • Critical food and grocery assets

  • Critical hospitals

  • Critical education assets

  • Critical freight infrastructure assets

  • Critical freight services assets

  • Critical public transport assets

  • Critical liquid fuel assets

  • Critical energy market operator assets

  • Critical ports

  • Critical electricity assets

  • Critical gas assets

  • Critical water assets; and

  • Critical aviation assets which are:
    • designated airports;
    • assets used to perform an Australian prescribed air service operating screened air services that depart from a designated airport; or
    • cargo terminals which are owned or operated by a regulated air cargo agent that is also a cargo terminal operator and is located at a designated airport.

Entities which own or operate critical infrastructure assets that fall into any of the foregoing categories should take steps to review and, if necessary, update existing operational information, processes and procedures to ensure compliance with these new reporting obligations before the grace periods end on 8 July 2022 (for the cyber security incident notification obligations) and 8 October 2022 (for the asset register reporting requirements).

What if my organisation is not a Responsible Entity?

While the legislation seemingly applies to a select number of organisations across Australia (falling within the definitions of the Act), other businesses that contract with or provide services upstream to those organisations will likely require the upgrading or implementation of security measures to ensure that the responsible entities with whom they contract comply with their own obligations under the Act.

For example, the Act recognises that a cyber security incident may impact a CIA even if the incident does not involve a compromise of the asset itself. In this regard such organisations may have clients or customers who are owners or operators of critical infrastructure assets. Those entities should ensure that their own suppliers downstream are able to provide them with the requisite notice and information in relation to a cyber incident to ensure compliance with the reporting and information gathering obligations under the Act.

Cyber Security Regulation

Further to the above, the obligations imposed by SOCI inform the broader business community of the breadth of statutory obligations imposed by Government as regards cyber security such that organisations should consider how their respective processes and policies as regards cyber preparedness compare to the obligations under the Act. These statutory obligations are likely to evolve over time following additional stakeholder feedback and public consultation.

There is no question, however, that the risk of cyber incidents is ever growing and legislative obligations across industry generally are on the horizon. Company directors, officers and risk managers should be acutely aware of these amendments to ensure cyber preparedness is improved and developed over time.

Bellrock’s approach to cyber preparedness is set out in our document here. Given the dynamic regulatory changes and imposition of obligations on companies and their directors, we would strongly recommend an independent cyber risk assessment.

For further information and advice relating to cyber preparedness for your business, please contact us via the form below.

Stay informed with our latest articles

* indicates required