Security of Critical Infrastructure Act (SOCI) reforms: Is your business ready?
Businesses contending with Covid and the end-of-year rush have had another administrative task added to their to-do list, in the form of the federal government's Security Legislation Amendment (Critical Infrastructure) Act 2021.
The draft Bill had been expected to pass through Parliament earlier this year. Instead, it was split in two: the more urgent and less industry-intensive measures (the expanded sector definitions, the asset register, mandatory cyber incident reporting and government assistance powers) were enacted last month and take effect immediately, while the positive security obligations have been deferred to a second Bill.
At first glance, a staged introduction of the Act may appear less daunting in terms of implementation. However, the decision to almost triple the number of sectors deemed “critical” means thousands more businesses can now be subject to government regulators looking over their shoulder, staring down large fines if they fail to dot all the “i’s” and cross all the “t’s”.
As such, it’s important organisations are aware of their obligations, and where the new framework deviates from the draft Bill.
Critical infrastructure assets
Under the revised definition of "critical infrastructure sector", there are now 11 designated sectors and 22 asset classes. The sectors are:
- Communications
- Data storage or processing
- Defence industry
- Energy
- Financial services and markets
- Food and grocery
- Health care and medical
- Higher education and research
- Space technology
- Transport
- Water and sewerage
Responsible entities for critical infrastructure assets must also report cyber security incidents to the Australian Cyber Security Centre. The timeframe depends on whether the incident is determined as having a "significant impact on the availability of the asset" (disrupting the supply of essential goods or services), which must be reported within 12 hours of the entity becoming aware of it, or a lesser "relevant impact", which must be reported within 72 hours.
Register of Critical Infrastructure Assets
The register requires reporting entities to provide ownership, operational, interest and control information about the asset to the government.
Reporting entities are defined as:
Responsible entities – the body with the ultimate operational responsibility; or
Direct interest holders – those that hold direct or joint interest (at least 10 per cent) in the asset or hold an interest and can directly or indirectly influence or control the asset.
Government assistance measures
The government assistance measures allow the government to intervene directly where the entity is "unwilling or unable to take reasonable steps to resolve the cyber security incident", and intervention is considered proportionate and necessary for the purpose of managing the incident.
The government can provide assistance immediately prior to, during or following a significant cyber security incident, with the Minister able to authorise directions to:
- gather information to determine if another power in the Act should be exercised.
- direct an entity to do, or not do, a specified act; or
- request an authorised agency provide support.
So, what does all this mean for you?
The new Act substantially broadens the scope and definition of what has previously been considered "critical infrastructure". Now that the Act is law and penalties are in place for non-compliance, it is imperative that businesses have an expert understanding of their own obligations, and of those of their supply partners.
Businesses should also be on the front foot in anticipation of part two of the Act, which will introduce positive security obligations requiring businesses to develop a risk management program that incorporates preparation, prevention and mitigation activities. The enhanced cyber security obligations also have the potential to cause headaches for entities whose assets are declared systems of national significance, as these entities can be directed to develop cyber security incident response plans and to undertake vulnerability assessments and cyber security exercises.
Secolve is Australia's next-generation OT-specialist cyber security firm. Secolve can work with you to understand your cyber security requirements and obligations under the new laws and determine the next steps to compliance with parts one and two. Reach out to us with any questions at [email protected].