SOCI Act - Engagement on critical infrastructure reforms

On 5 October 2022, the Department of Home Affairs (DHA) formally launched the consultation on the draft Risk Management Program rules (RMP Rules) under Part 2A of the SOCI Act. More information can be found here.

RMP Rules

The draft RMP Rules are substantially similar to the draft rules included in the Explanatory Memorandum to the second bill of the amended SOCI Act released in early April 2022. Critical infrastructure responsible entities and operators should closely consider the application to and impact on their assets and operations. The risk management requirements apply across all material risks and mandate consideration of certain risk domains, including Cybersecurity, Supply Chain, Personnel and Natural Hazard risks. The development and implementation of a Risk Management Program is significant and should not be underestimated. The rules provide for a six-month grace period before the risk management requirements will apply. For cybersecurity, there is then a further 12 months to achieve the required cybersecurity maturity level.

In addition, the government has published numerous draft guidance documents for consultation, including:

• Risk Management Programs
• Protected Information
• AusCheck Background Checks
• Annual Report Approval form

Consultation Period

The consultation period provides in-scope entities with the opportunity to submit observations and request amendments to the rules. The publication of the draft rules starts a mandatory consultation period that lasts until 18 November 2022.

Next Steps

Review the RMP rules and associated guidance documents and determine the impact on your organisation. Should you wish to make a submission in respect of any of the documents that form part of the consultation package, our integrated team of SOCI and government risk experts would be happy to assist.

Following completion of the consultation period on 18 November 2022, the Minister for Home Affairs must consider the observations submitted by industry participants and may amend the rules as a result. Once finalised, the Minister for Home Affairs can then issue and register the rules. This will start the clock ticking for the six-month grace period, following which the risk management requirements will be in force. Affected responsible entities will need to ensure that their risk management programs are live and meet the requirements by this time, likely 1 July 2023.

Our Digital Operations Risk Advisory team would be happy to assist you and your organisation as you design and implement your operational risk management program.