The long road to uplift: Learnings from applying the SOCI regime

Australia’s Security of Critical Infrastructure (SOCI) regime has undergone a massive overhaul over the past several years, with the number of sectors captured by the legislation expanding from 4 to 11, substantial new obligations in relation to critical assets introduced, and the creation of a national regulatory body, the Cyber and Infrastructure Security Centre (CISC). The enhanced regime has meant many sectors – which previously were not regulated under the SOCI Act – now are, and many who are now regulated face significant uplift in a relatively short period of time in order to ensure compliance. And the journey is continuing…

In September 2021, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) published its report on wide-ranging reforms to Australia’s critical infrastructure legislation (the SOCI Act). Now, 18 months on, those reforms have passed parliament, risk management program rules have been published and the new regime has come to life. 

In this article, we explore some of the key tips, tricks and lessons we have distilled through our work with clients to help them understand their SOCI obligations and progress towards compliance with the new regime. 

The below diagram sets out a summary of the key SOCI Act obligations and their status, noting that the positive security obligations are ‘switched on’ for some critical asset classes and not others, and the enhanced security obligations apply only to declared systems of national significance.

General obligations (which do not need to be switched on):
- Responding to government directions in respect of national security events
- Notification of data storage and processing providers
- Limits to use and disclosure of protected information

Positive security obligations (PSOs):
- Cyber incident notification *
- Critical asset register **
- Risk management planning obligations

Key dates for implementation of obligations:
- 18.08.23: Risk management program must be in place
- 18.08.24: Compliance with AESCSF, NIST, ISO27001 or an equivalent standard
- 28.09.24: Approval of risk management plan by board of directors and provision of relevant annual report to regulators

Enhanced cyber security obligations (ESOs), applicable to and "switched on" on a case-by-case basis for declared Systems of National Significance (SONS):
- Cyber security incident response plans
- Cyber security exercises
- Vulnerability assessments
- Provision of system information

*The cyber incident notification obligations have been "switched on" for critical broadcasting, domain name system, data storage and processing, banking, superannuation, insurance, financial market infrastructure, food and grocery, hospital, education, freight infrastructure, freight services, public transport, liquid fuel, energy market operator, port, electricity, gas, water and certain aviation assets.

**The obligation to register critical assets has been "switched on" for critical broadcasting, domain name system, data storage or processing, financial market infrastructure (payment systems), food and grocery, hospital, freight infrastructure, freight services, public transport, liquid fuel, energy market operator, certain electricity and gas and certain sugar mill assets.


What are the key SOCI compliance lessons we have learned so far?

In the past 18 months, we’ve helped a number of organisations grappling with SOCI compliance. Some of the key lessons we’ve taken away are:


Organisations can incorrectly assume they have limited or no regulated assets
Compliance is a whole-of-organisation problem
Assets can technically fall into multiple asset classes making identifying obligations more complicated
Identifying “critical” assets is harder than organisations think
Organisations might have obligations even if they don’t own any critical assets
Competitor compliance may shine a light on an organisation's failure to comply
Compliance can’t be “set and forget”
Implementation takes time
Getting the house in order early can ease the burden
Compliance activities don’t need to be a “big bang”

What should organisations be doing to ensure they comply with the new SOCI regime?

We are still in a phase where it is unlikely the regulator will look to apply an enforcement-based approach to the regulations, but this won’t last forever. It is extremely important that organisations can illustrate they are taking the new legislation seriously and have at least begun a comprehensive compliance exercise to determine where their obligations lie. On this basis, organisations should consider the following:

Point one

Undertake a comprehensive assessment of your assets. You should undertake a comprehensive assessment of the SOCI Act and how it might apply to your assets and obligations. The SOCI Act is wide-ranging and includes many vague and broad definitions; in our experience, organisations can be captured in ways they did not expect. Undertaking this assessment requires careful cooperation between legal, business and IT experts, all of which often takes longer than might be expected.

Point two

Register your assets ASAP. If you haven't already done so, you should register any critical assets for which you are the responsible entity as soon as possible. The deadline for registration passed in October 2022 and a failure to register is a breach of the Act.

Point three

Review your incident response plans. Most SOCI Act obligations are already in place, mostly relating to incident response. Again, this is an area that requires legal, cybersecurity, and operational expertise.

Point four

Consider your risk management policies. The Risk Management Program obligations have been finalised, so the 6-month grace period has begun. You should take this as an opportunity to stock-take your risk management planning practices — including benchmarking against the new RMP rules. You should look to identify areas of uplift required in your risk management programs to ensure compliance and begin the uplift process.

Point five

Engage with the Department. These new reforms are complex and still evolving. If affected, you should strongly consider consulting with the Department when you are unsure of how the regime might impact your business — whether through formal consultation processes or through informal discussions.

Point six

Consider SOCI as part of due diligence in M&A transactions. Organisations that are acquiring new entities and businesses in Australia need to be alive to this regime and its potentially wide application. As a result, any due diligence activities should test whether the business that you are acquiring has appropriately considered and complied with any SOCI obligations that it may have.

Point seven

Plan for SOCI as part of business operations. SOCI is large, complex and evolving. So are most large organisations. You should consider implementing internal processes to assist with your ongoing SOCI compliance, including processes to identify any changes to your critical asset pools. It is also important for you to educate key stakeholders on the requirements of the SOCI Act, and the compliance obligations that apply to you, as well as to monitor for changes to the Act or Rules.

In our experience, these steps require careful cooperation across the entire organisation – particularly legal / compliance, IT, risk and business stakeholders.

Our DCT Legal team at PwC has a wealth of experience in helping clients to apply and comply with complex regulatory regimes, with a proven record in delivering SOCI asset identification projects and other SOCI compliance activities. We work hand in glove with our cyber and digital trust team to provide a holistic approach and solution to compliance with the SOCI regime. As a firm with broad expertise including lawyers, change management, and cybersecurity specialists, we are well positioned to provide you with full support across your compliance journey.

Further information on our Digital, Cyber and Technology Legal services can be found here.

Organisations can incorrectly assume they have limited or no regulated assets

The new regime expands to encompass a wide range of sectors and related assets (and their supply chains). Given the complexity around the asset class definitions, many organisations may not be aware of what is or is not captured by the legislation. This may result in an incorrect assumption that assets are not covered by the SOCI legislation. Further, many organisations may not fully consider how they could be regulated in forming part of the supply chains for regulated critical assets.

Compliance is a whole-of-organisation problem

Given the breadth of the compliance obligations (particularly under the risk management program draft rules which require an all hazards approach to risk management) compliance is a whole-of-organisation issue. It requires buy-in from legal / compliance, IT, OT and business stakeholders.

Assets can technically fall into multiple asset classes making identifying obligations more complicated

The broad nature of the SOCI Act and Rules means the same asset could technically fall into multiple critical asset classes. This raises some complexity from a compliance point of view, as SOCI Act obligations can be switched on for some critical asset classes but not others. Obligations can also apply to some critical assets in a critical class, but not to others. For example, cyber incident notification obligations have been ‘switched on’ for some critical aviation assets but not others. The devil is in the detail - it is important to have a good understanding of how an asset is captured by the SOCI Act and Rules to then identify the applicable obligations.

Identifying “critical” assets is harder than organisations think

Identifying a company’s assets and obligations is complex and requires detailed analyses of fact and law. A thorough due diligence exercise across an organisation can identify assets in unexpected places. This process takes time and requires comprehensive management, review and support across the organisation, so it’s important to prioritise implementing robust processes to ensure that assets can be identified in future.

Organisations might have obligations even if they don’t own any critical assets

The Act applies to a range of “relevant entities” for critical infrastructure assets – including service providers and operators of critical assets. So even if the organisation doesn’t own any critical infrastructure assets, it might still be captured and have obligations under the Act. It is also possible for an organisation to be subject to SOCI Act obligations if it falls within a captured sector but has no ‘critical assets’.

Competitor compliance may shine a light on an organisation's failure to comply

Organisations which hold assets that are registrable but fail to engage appropriately with the regime will stand out to the regulator when competitors register their assets appropriately. The regulator may be taking an educational style role at this stage but that won’t last forever and there is always the risk that an incident affecting the organisation will turn the eyes of the regulator.

Compliance can’t be “set and forget”

The legislation is still somewhat in flux, with a raft of obligations being “switched on” at different times for different assets. There is also ongoing discussion as to how certain obligations may be expanded across other asset classes. We expect these rules will continue to change over time – particularly in light of the change of government and evolving threat environment. Organisations will also change over time – adding new assets and removing old ones (including through M&A activity). So comprehensive processes and policies are needed to update compliance activities as the Department continues to issue new regulations and as the organisation evolves.

Implementation takes time

There’s no “quick fix” to compliance and rolling out uplift measures to ensure compliance takes time. There is a need to roll out new contract templates – and amend existing contracts – across the business with clauses that address SOCI compliance obligations and allow the organisation to flow appropriate obligations and compliance mechanisms through its supply chain. The organisation may also need to undertake substantial reforms to its IT / OT structure.

Getting the house in order early can ease the burden

Many of the new obligations in the SOCI Act extend practices that organisations already undertake to some extent. As a result, organisations can leverage existing risk management policies, processes and procedures to minimise compliance uplift and duplication of effort, particularly where they are already compliant with international risk management standards. For example, the new cyber incident notification / response obligations can be tackled as an extension of the organisation’s existing Cyber Incident Response Plan and data breach notification regimes. Having its house in order with clear and up-to-date policies and procedures will mean that the organisation is working from a solid foundation rather than having to grapple with these issues from scratch.

Compliance activities don’t need to be a “big bang”

For example, in response to the new cyber incident reporting obligations an organisation may need to urgently update its own incident response plan, but rolling out new cyber incident clauses to suppliers across the organisation’s procurement suite can be a longer-term project. Careful prioritisation of the highest-risk compliance activities can help the organisation to spread these activities over time and allow it to give each one the time it requires.

Contact us

Adrian Chotar

Partner, Digital, Cyber and Technology Law, PwC Australia

Tel: +61 457 808 068

James Patto

Director - Digital, Cyber and Tech Law, PwC Australia

Tel: +61 431 275 693

Stephanie Brown

Senior Associate, PwC Australia

Tel: +61 478 014 211