
How Critical Industries Can Prepare for SOCI Act Reforms

Linton Burling, General Manager
Reading Time: 4 minutes

Our nation’s critical infrastructure is a highly connected system – one that supports and drives our day-to-day operations as businesses and as a nation. However, connectivity without security creates vulnerabilities that can have immense repercussions.

With this in mind, this June the Australian Government will announce reforms to the Security of Critical Infrastructure (SOCI) Act 2018 that impose new obligations on organisations covered by the legislation to manage the security and resilience of the assets they own or operate.

Introduced into Parliament in December 2020 as the Security Legislation Amendment (Critical Infrastructure) Bill 2020, the new legislation greatly expands the sectors covered by the Act. The 2018 Act applied to electricity, gas, water and maritime ports; the Bill extends it to communications, data storage and processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage.

Public hearings into the new Bill are currently underway at The Parliamentary Joint Committee on Intelligence and Security (PJCIS).

Proposed new regulatory requirements include mandatory cyber incident reporting, the adoption of a critical infrastructure risk management program, and enhanced cyber security obligations for assets declared to be ‘systems of national significance’.

However, as the new requirements are implemented, entities that fall under the Act will face several challenges: demonstrating regulatory compliance, mitigating risk, and managing the cost of doing both. There are three steps businesses in these sectors can take now to stay ahead:

Assess your security reporting processes 

The draft Bill introduces positive security obligations that will require covered entities to adopt, maintain and regularly review a critical infrastructure risk management program, and to measure their existing security controls against it.

Ahead of the program and its official requirements coming into force, businesses should assess their current security reporting processes and identify where those processes will need to change once the amendments to the Act are made.

As it stands, the SOCI Act 2018 requires responsible entities and direct interest holders of critical infrastructure assets to provide interest and control information, along with operational information, to the Secretary of the Department of Home Affairs on an ongoing basis. Under the proposed amendments, once an entity becomes aware of a cyber security incident it must report it within 12 hours if the incident has a significant impact on the availability of the asset, or within 72 hours if it has a relevant impact on the availability, integrity, reliability or confidentiality of the asset.

As new sectors are brought under the Act and the amendments take effect, now is the time for entities to adjust, or rebuild, their incident reporting structure so they can meet these time frames when an incident occurs. In practice that means a defined team with clear ownership, a documented step-by-step procedure for triaging and escalating potential incidents, and a record of when the organisation became aware of each incident, since the reporting clock starts at the moment of awareness, not at the moment the incident is fully understood.
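One concrete way to track the obligation described above is an incident register that records when the organisation became aware of an incident, classifies it using the two categories the page gives (significant impact on availability versus a relevant impact on availability, integrity, reliability or confidentiality), derives the reporting deadline, and flags anything overdue. The example below is an added illustration, not code from the original post or from vault; the `Incident` fields, the classification rules and the sample incidents are the author's assumptions and constructed data, and the 12-hour and 72-hour windows are the figures quoted on this page for the proposed amendments.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, FrozenSet, List

# Reporting windows as quoted on the page for the proposed SOCI amendments.
CRITICAL_WINDOW = timedelta(hours=12)   # significant impact on availability
OTHER_WINDOW = timedelta(hours=72)      # relevant impact on any listed property

VALID_PROPERTIES = frozenset({"availability", "integrity", "reliability", "confidentiality"})


@dataclass
class Incident:
    """Hypothetical register entry; field names are this example's own."""
    ident: str
    asset: str
    aware_at: datetime                          # moment the entity became aware (tz-aware)
    impacted: FrozenSet[str]                    # subset of VALID_PROPERTIES
    significant_availability_impact: bool = False
    reported_at: Optional[datetime] = None


def classify(incident: Incident) -> Optional[str]:
    """Return 'critical', 'other', or None when no listed property is impacted."""
    unknown = incident.impacted - VALID_PROPERTIES
    if unknown:
        raise ValueError(f"unknown impact properties: {sorted(unknown)}")
    if incident.significant_availability_impact:
        # A significant availability impact without availability listed is a data-entry error.
        if "availability" not in incident.impacted:
            raise ValueError(f"{incident.ident}: significant availability impact but availability not listed")
        return "critical"
    return "other" if incident.impacted else None


def reporting_deadline(incident: Incident) -> Optional[datetime]:
    """Deadline counted from awareness; naive timestamps are rejected to avoid off-by-timezone errors."""
    if incident.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    category = classify(incident)
    if category is None:
        return None
    return incident.aware_at + (CRITICAL_WINDOW if category == "critical" else OTHER_WINDOW)


def status(incident: Incident, now: datetime) -> str:
    deadline = reporting_deadline(incident)
    if deadline is None:
        return "not-reportable"
    if incident.reported_at is not None:
        return "reported-on-time" if incident.reported_at <= deadline else "reported-late"
    return "overdue" if now > deadline else "pending"


def overdue_report(incidents: List[Incident], now: datetime) -> List[str]:
    """Identifiers of incidents whose reporting window has closed without a report."""
    return sorted(i.ident for i in incidents if status(i, now) == "overdue")


# Constructed sample data: three incidents all noticed at 08:00 UTC on 1 June 2021.
AWARE = datetime(2021, 6, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    Incident("INC-1", "scada-historian", AWARE, frozenset({"availability"}), significant_availability_impact=True),
    Incident("INC-2", "billing-db", AWARE, frozenset({"confidentiality"})),
    Incident("INC-3", "ops-portal", AWARE, frozenset({"availability"}),
             reported_at=datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)),
]
AS_OF = datetime(2021, 6, 2, 0, 0, tzinfo=timezone.utc)   # the moment the register is reviewed

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.ident, classify(inc), reporting_deadline(inc).isoformat(), status(inc, AS_OF))
    print("overdue:", overdue_report(SAMPLE_INCIDENTS, AS_OF))
```

Reviewed at midnight UTC on 2 June, INC-1 (12-hour window from 08:00 on 1 June) is already overdue, INC-2 (72-hour window) is still pending, and INC-3 was reported well inside its window. The deliberate rejection of naive timestamps matters in practice: a deadline computed from local time on one system and compared with UTC on another can silently move a 12-hour window by a full timezone offset.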

Review your current security provider

While security reporting is a key step in responding to cyber threats, another vital component for these organisations is ensuring they have a cloud service provider that can store valuable data securely, so that many threats are contained before they become reportable incidents.

Last year, IDC predicted that by the end of 2021 80 per cent of Australian enterprises would have a mechanism in place to shift to cloud-centric infrastructure and applications, at twice the rate of pre-pandemic years. In short, 2020 was a massive year for cloud migration. However, the security of these enterprises is only as strong as the cloud providers and security partners they select.

That is why, as these businesses review their reporting processes, it’s also key to ensure that they have a strong security provider that can support them while they adjust to changes to the SOCI Act.

When selecting a provider, entities should look for solution providers that have been independently assessed against a recognised standard and can accommodate their specific needs. In Australia the relevant benchmark is the Australian Signals Directorate’s (ASD) Information Security Manual (ISM), which is what the federal government’s own systems are assessed against. The ASD Cyber Skills Framework, which defines the roles, capabilities and skills essential to Australia’s cyber missions, is a workforce framework rather than a service accreditation, so it should not be taken as evidence that a provider’s platform is secure.

Note also that ASD’s own certification of cloud services (the Certified Cloud Services List) was retired in July 2020 in favour of IRAP assessments against the ISM, so a provider that cites ‘ASD certification’ should be able to show a current IRAP assessment report and the controls it covers. Meeting those requirements gives entities assurance that their data is protected to the same standard the federal government applies to itself.

Manage costs and save time 

Regularly assessing the performance of the cyber security tools provided by vendors and partners is essential, both to confirm they still detect the latest adversary techniques and to confirm that every service being paid for is actually delivering value. Tools that overlap or sit unused add cost without reducing risk.

In line with the updated Act, industries newly brought under SOCI must consider how to optimise their cyber security tooling so that it is both cost effective and secure.

Armed with the right tools and processes, these industries will be prepared to meet the standards set by the SOCI Act with confidence.
