How to comply with the SOCI Act
The Security of Critical Infrastructure Act (SOCI Act) was developed to regulate the protection of what the Australian Government considers to be Critical Infrastructure Assets (CIAs).
Under the SOCI Act, owners and operators of CIAs from 15 key sectors must now meet the following requirements and obligations:
Proactive SOCI Act obligations you need to maintain each year
- Develop and maintain a register of CIAs
- Inform the relevant government bodies of any cyber security incidents impacting CIAs
- Report critical and other cyber security incidents to the Australian Cyber Security Centre’s (ACSC)
- Develop and maintain a risk management program (note: not applicable to space technology and defence sectors
- For organisations that have been declared as a System of National Significance (SoNS) by the Minister of Home Affairs (Minister), adhere to further enhanced cyber security obligations
Reactive SOCI Act obligations to prepare for and meet if necessary
- Allow the Secretary of the Department of Home Affairs (Secretary) to conduct risk assessments of CIAs
- Follow directions provided by the Minister to do or omit to do an action to protect CIAs
- Provide information upon request to the Secretary
- Allow the relevant government body to assist in responding to a cyber security incident
Who is required to comply with the SOCI Act?
As of 2022, the obligations apply to responsible entities that have CIAs from any of the following 15 sectors:
- Electricity
- Water
- Maritime ports
- Gas
- Communications
- Data Storage or processing
- Financial services and markets
- Water and sewerage
- Energy
- Health care and medical
- Higher education and research
- Food and grocery
- Transport
- Space technology, and
- Defence
Definitions for each type of CIA are included in the SOCI Act. Entities which operate in these sectors must analyse whether their assets meet any of the definitions provided in the SOCI Act.
Taking a closer look: The proactive SOCI Act obligations
- Develop and maintain a register of CIAs: The register is intended to develop a clearer picture of critical infrastructure ownership and control in high-risk sectors, as well as to provide support for proactive risk management of CIAs. The Secretary of the Department of Home Affairs is responsible for keeping this Register, which contains information in relation to those assets.
- Inform the relevant government bodies of any cyber security incidents impacting CIAs: If a cyber security incident has a significant impact on CIAs, a responsible entity may be required to provide a report on the incident, as well as any operational information relating to the asset to a relevant Commonwealth body.
- Report critical and other cyber security incidents to the Australian Cyber Security Centre’s (ACSC): Owners and operators of CIAs are required to report critical (within 12 hours) and other (within 72 hours) cyber security incidents to the ACSC’s online cyber incident reporting portal.
- Develop and maintain a risk management program (note: not applicable to space technology and defence sectors): Responsible entities of certain CIAs are required to adopt and maintain a risk management program, which they must comply with and maintain to ensure that it remains up to date. Additionally, responsible entities must submit an annual report on their risk management program to the relevant Commonwealth regulator or the Secretary.
- Adhere to further enhanced cyber security obligations (note: this is for organisations that have been declared as a System of National Significance (SoNS) by the Minister of Home Affairs (Minister): The Minister has the authority to privately declare CIAs a System of National Significance (SoNS). The Secretary may require the responsible entity for an asset that has been designated as a SoNS to comply with one or more increased cyber security obligations. The four core enhanced cyber security obligations are outlined below:
- Statutory Incident Response Planning Obligations: If the Secretary concludes that a responsible entity’s assets are subject to the statutory incident response planning obligations, the entity must adopt, maintain, and comply with an incident response plan for those assets, as well as deliver a copy to the Secretary.
- Cyber Security Exercises: Cyber security exercises are required to test a responsible entity’s ability and preparedness to respond to cyber incidents that may have a system-wide impact, as well as to mitigate said impact on the system. The relevant entity may be required to prepare both internal and external reports regarding the exercise, as well as to allow external audits in some circumstances.
- Vulnerability Assessments: The Secretary may direct responsible entities to undergo a vulnerability assessment on the relevant asset with the aim of determining the asset’s vulnerability to cyber incidents.
- Provision of Access by Australian Signals Directorate (ASD) to System Information: If a computer is a SoNS or is required to operate a SoNS, the system’s responsible entity may be required to provide periodic or event-based reports of system information to the ASD or install software that transmits system information directly to the ASD.
Taking a closer look: The reactive SOCI Act obligations
Entities responsible for CIAs should be ready to:
- Allow the Secretary of the Department of Home Affairs (Secretary) to conduct risk assessments of CIAs: The Secretary may conduct an assessment of CIAs to establish if there is a risk to national security relating to the asset.
- Follow directions provided by the Minister to do or omit to do an action to protect CIAs: A CIA owner or operator must adhere to directions given by the Minister, pertaining to national security risks to CIAs. The Minister may direct these responsible entities to do, or not do, a specified thing to mitigate against a national security risk where all other mechanisms to mitigate the risk have been exhausted.
- Provide information upon request to the Secretary: In certain circumstances, the Secretary has the power to acquire more detailed information from CIA owners or operators for the purpose of assisting the Australian Cyber and Infrastructure Security Centre (CISC).
- Allow the relevant body of government to assist in responding to a cyber security incident: If an organisation’s asset is subjected to a significant cyberattack and is unable to respond effectively, the Government may provide assistance as a last resort. This assistance is intended as a way for the Government to respond to serious cyber incidents that affect Australia’s critical infrastructure.
Further info on relevant legislation
After the SOCI Act was first enacted in 2018, there have been two amendments through two separate additional acts: the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act), and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act). Each of these expanded the sectors covered and the requirements for entities with CIAs.
In February 2023, the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (CIRMP Rules) were added which specify how the risk management obligations should be met.
Next steps on the SOCI Act
For now, all organisations listed as holding CIAs should comply with the obligations presented in the SOCI Act. Organisations should also meet the obligations in subordinate legislation like the CIRMP Rules.
The CISC has stated they intend to continue proactively engaging with critical infrastructure providers to protect Australia’s critical infrastructure from all hazards. We can accordingly expect additional rules and guidance to be developed in coming years that further clarifies how entities responsible for CIAs should protect their assets.
Contact our Senior Consultant Samuel Wall about how Sekuro can help your company implement its obligations under SOCI.
Samuel Wall
Senior Consultant, Sekuro
Sam Wall is a Senior Consultant specialising in privacy, governance, risk and compliance for Sekuro. He recently finished working as a Visiting Fellow at the Australian National University, researching developments in governance of artificial intelligence, intellectual property, international trade and national security. He previously spent seven years working in regional legal and policy counsel roles for the film and music industries across 14 countries in the Asia-Pacific. He has primarily worked with clients in the telecommunications, logistics, tech, government and education sectors.
Mia Symonds
Analyst, Sekuro
Mia currently holds the role of Analyst and has experience across a diverse range of industries, organisational sizes, and maturity levels in the Information Technology (IT), critical infrastructure, and legal sectors. She participates in initiatives as a representative of the Governance, Risk and Compliance (GRC) sector, by providing businesses with GRC guidance and interpretation of information security standards, risks and best practices. Throughout her time at Sekuro, Mia has gained a wide range of experience in operations, security, delivery, and consulting.
Martin Hossain
Associate Analyst, Sekuro
Martin Hossain is a recent Law and Security Studies graduate and has joined Sekuro in 2023. As an associate analyst, he is currently working within the GRC spectrum to ensure organisations align themselves with the relevant ISMS certifications. He is also a part of the IMS Compliance team, ensuring Sekuro's internal processes related to information systems are up to date and privacy obligations are being adhered to.
More Articles
In conversation with Nathan Wenzler, Chief Security Strategist at Tenable (Part 1)
Emerging Threat: AI vs. Human Deceit
