The Security of Critical Infrastructure (SOCI) Act 2018 is a newly amended piece of legislation which was introduced in Australia to address the growing cyber risk to critical infrastructure (CI) assets. The Act requires owners and operators of CI assets to comply with a set of security obligations and to report any cyber security incidents to the Australian Cyber Security Centre.
As the cyber risk profile to CI continues to grow, it is essential for organisations to take the necessary measures to protect their assets from cyber-attacks. The SOCI Act mandates that owners and operators of CI assets must conduct regular risk assessments and implement appropriate security measures to protect their assets from cyber threats.
The Act applies to a wide range of sectors, including energy, water, transport, telecommunications, and health. New companies operating in these sectors will have to comply with the SOCI Act's requirements from the outset, ensuring that their CI assets are protected. Failure to comply with the SOCI Act can result in significant penalties, including fines and civil penalties.
Entities not only need to comply with the SOCI Act but are also bound by a timeframe to implement their risk management program. Entities have 6 months to adopt a written CIRMP and then a further 12 months to implement and maintain that CIRMP. Overall, an entity does not have a long period of time before it can be subject to non-compliance under the SOCI Act.
This underscores the importance of compliance with the Act, as non-compliance can have serious consequences for both organisations and the wider community.
It is highly likely that if you're responsible for what is considered critical infrastructure in Australia, you will already have a level of maturity around risk management. Most entities have likely completed an assessment against the preferred standard for their industry, such as ISO 27001 (Information security management), the Essential Eight or the AESCSF (Australian Energy Sector Cyber Security Framework). Now that the SOCI Act has increased the obligations on owners of CI assets, it will be important to identify your current compliance and maturity level as it relates to two objectives: the risk level accepted by you and your board, and the government's compliance aspirations. Many entities will face the following challenges:
- Understanding this relatively new piece of legislation and identifying whether an entity is classified as critical infrastructure is a complex and onerous task.
- Where and how will I gather the data to show my board and stakeholders that we are compliant? What if it doesn't exist, and how will complex information be presented in such a way that it builds understanding?
- If I do seek assistance outside of the entity, how will I know that they are both competent in this area and able to genuinely test and assure that the processes are going to withstand a genuine attack or compromise?
The Synergy Law team can assist potential CI entities in identifying whether an entity is classified as critical infrastructure, as well as provide integrated end-to-end advisory services and solutions which are legally assured and defensible to meet the requirements of the SOCI Act.
Furthermore, if you are unsure of how to start your security uplift, the Synergy Assurance capability can help. With our vast experience in delivering contemporary security advice and assurance with a risk-based approach to various entities, we can aid new CI entities in creating a comprehensive CIRMP. This plan will provide the board and stakeholders with the necessary assurance and confidence that the entity is fully compliant. Additionally, the security assurance team can complete a variety of services to uplift your entity's security in line with the SOCI Act legislation, including:
- Audit and assurance of existing controls.
- Maturity gap assessments to ascertain the entity's current and future states.
- Policy and strategy development.
- Road mapping.
The introduction of the SOCI Act in Australia highlights the growing importance of cyber security in protecting CI assets. Compliance with the Act's requirements is essential for entities operating in the relevant sectors as well as new entities that must ensure that they have appropriate security measures in place from the outset to protect their assets from cyber threats.
Synergy can work with you to mature and transform your entity to be cyber resilient and meet the ongoing legislative changes to your industry.