
Regulatory Obligations: So…what’s a SOCI?

Like other countries, Australia’s economic, social, and political futures will be significantly digital. To help secure these futures, Government has strengthened the Security of Critical Infrastructure Act (SOCI) through two large amendments.

These two amendments are broad and far-reaching in their impact on business in Australia’s 11 new critical infrastructure sectors. This impact includes:

  • A requirement to give specific business information to Government.
  • A requirement for a Risk Management Program, endorsed and annually reported on by the Board-equivalent.
  • A requirement to notify Government about cyber incidents within 12–84 hours.
  • The creation of a new super class of critical infrastructure called “Systems of National Significance” (SONS). SONS have enhanced security obligations, including exercises, incident response plans and Government’s right to gather technical information from a SONS’s IT systems. FYI, in March 2023, the Government had declared 82 SONS under SOCI, with another 90-odd being considered.[1]
  • Civil and criminal penalties for violations.

11 new sectors! What’s defined as critical infrastructure?

Unfortunately, I’ve got bad news for you. The definition of critical infrastructure is broad, it’s complex, AND it flows down into supply chains. In fact, there are 236 pages of legislative goodness to talk to your highly paid lawyers about – of which pp. 41–62 are definitions of what the critical infrastructure sectors and their assets are.

But, to help out, the ‘asset’ firstly has to be in one of the new critical infrastructure sectors: Energy; Communications; Data storage or processing; Financial services and markets; Water and sewerage; Health care and medical; Higher education and research; Food and grocery; Transport; Space technology; and Defence industry.

Second, the asset has to be a specific type listed in one of the 24 sub-sub (and sub-sub-sub) paragraphs of section 9(1) of SOCI. Yep, I’m thinking the same thing. SOCI has more subs than the Royal Australian Navy ever will.

Here are three examples:

  1. ‘A critical data storage or processing asset’.
  2. ‘A critical financial market infrastructure asset’.
  3. ‘A critical food and grocery asset’.

The nearest I can find to a summary of all this is in a HA Factsheet which says: ‘the meaning of an asset includes a system, network, facility, computer, computer device, computer program, computer data, premises and “any other thing”’.

I did say it was broad.

What I take from this is that SOCI substantially expands the scale and scope of business that’s now considered to be critical infrastructure and whose security has become more regulated. This should be a conversation starter, internally, with supply chains, and with HA. For vendors and partners, it’s also an opportunity to talk to critical infrastructure businesses and ask how they’re going with their Risk Management Program.

You had me at “penalties”!

There’s plenty of evidence of the reputational damage that results from a cyber security incident, including critical commentary by politicians. Additionally, SOCI has teeth in the form of civil and criminal penalties.

The civil penalties come as “penalty units” under the Regulatory Powers Act. Under SOCI, violations range in penalty from 50 to 250 units and, if I’m counting right, apply to 43 violations. At $222 for each penalty unit[2] that’s a fine of $11.1k to $55.5k for each violation. And what’s the chance that there’ll be only one violation? Less than the chance of a breach, imho.

SOCI also has two criminal penalties, essentially for not complying with a direction or leaking sensitive information, of 2 years imprisonment. Presumably these’d only be sought in egregious circumstances. Kind of strangely – 2 years imprisonment is supplemented by an “and/or” of 120 penalty units.

There’s also an (implicit) carrot here – of sorts. Elevating a business’ cyber security should help avoid the customer, reputational, and financial damage that flows from a breach. And, just maybe, becoming SOCI compliant might prepare your business for further Government legislation to ‘shift cyber security risks … towards those who are best placed to manage it’.

I’d bet on that last circumstance.

A brief history of time

Now there’s some time at play for business to implement SOCI. But, for 13 asset classes, it’s a clock that started ticking on 17 Feb 2023, when Minister O’Neil triggered the Risk Management Program:

  • 6 months to adopt a written RMP, and
  • another 12 months to implement and ‘comply’ with it.

Essentially, these businesses have until roughly May 2024 to make good on their security plans to address SOCI. Let’s put that into perspective. How’re you going with your 2022 NYE resolutions?

Better than mine, in all probability.

Regardless, can I suggest that critical infrastructure businesses have commercial and moral reasons to comply with both the spirit and letter of SOCI. And, if they fail, there are penalties. Moreover, this race has a finish line that’s 18-odd months away for some critical infrastructure or – for asset classes not yet triggered – coming in around X + 18 months.

Giddy-up.

Footnotes

  1. Secretary M. Pezzullo, Cyber and Infrastructure Security Conference, 23 March 2023.
  2. See: Notice of Indexation of the Penalty Unit Amount (legislation.gov.au)