Brace yourself for the proposed SOCI reforms

Introduction

On 9 October 2024, a number of Australian security reforms were released in draft legislation. This article outlines the key takeaways of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (Bill) which will amend the Security of Critical Infrastructure Act 2018 (SOCI Act).

The changes contemplated by the Bill give effect to the legislative reforms outlined in Shield 4 (Protected critical infrastructure) of the 2023-2030 Australian Cyber Security Strategy. It is intended to improve the resilience of Australia’s critical infrastructure and essential government systems against increasingly sophisticated cyber-attacks.

Below, we outline some of the key changes that may impact a range of entities, the potential level of impact and our suggestions as to how affected entities can start preparing for these reforms.

01. Expansion of the definition of critical infrastructure assets to include data storage systems which hold “business critical data”

This amendment includes expanding the definition of “critical infrastructure assets” to include data storage systems used in connection with critical infrastructure assets which store or process “business critical data”, where vulnerabilities in those systems could have a “relevant impact” on the primary critical infrastructure.

Impact on: Responsible entities with current critical infrastructure assets

Potential level of impact: Medium

Some practical considerations for your action plan:

• Undertake required analysis to establish if you are a “responsible entity” as a critical infrastructure asset owner, operator or direct interest holder.
• Review current critical infrastructure assets (regardless of the asset’s primary function) for data storage systems that are used in (i) connection with the main asset, and (ii) which hold business critical data and (iii) where impacts to the data storage system could have a relevant impact on the critical infrastructure asset.
  • Examples could include: data storage systems that hold business critical data where there is inadequate network segregation between IT and OT systems, or data storage systems that hold or process operational data such as network blueprints, encryption keys, algorithms, operational system code, and tactics, techniques and procedures.
• If in-scope data storage systems are identified, organisations must update Critical Infrastructure Risk Management Programs (CIRMP) as appropriate for the newly identified assets.
• Implement mitigants to protect identified data storage systems in accordance with CIRMP.

02. Managing consequences of impacts of an “all-hazards” incidents on critical infrastructure assets

This amendment includes expanding the application of current government powers under Part 3A of the SOCI Act from “cyber security incidents” to “incidents” more broadly to allow specific directions to be made to respond to and manage the consequences of a nationally significant incident.

Impact on: Relevant entities (responsible entity, direct interest holder, operator or managed service provider)

Potential level of impact: High

Some practical considerations for your action plan:

• Confirm enterprise-wide understanding of “all hazards” incidents on critical infrastructure assets.
• Amend existing policies and procedures which deal with “serious cyber incidents” to reflect the expanded definition of “serious incidents”.
• Amend existing processes and procedures for reporting of “serious cyber incidents” to reflect the expanded definition of “serious incidents” to Australian Cyber Security Centre.
• Update with the new intervention regime your existing risk management processes which identified potential government intervention.
• Consider interface with existing crisis management or incident response plans with respect to trigger points, roles/responsibilities/accountability of key personnel, and stakeholder engagement.

03. Revision of the “protected information” definition to a harms-based approach

This amendment includes a revised definition of “protected information” which incorporates a harms-based assessment requiring an analysis of the harm or risk caused by the disclosure to the Australian public, the security of the asset, commercial interests, the socioeconomic stability, national security or defence of Australia. The amendment also introduces new authorisation provisions to facilitate more effective and timely sharing of information under the SOCI Act.

Impact on: Holders or recipients of “protected information” (including other entities which may be assisting with the relevant entity’s business, professional, commercial or financial affairs)

Potential level of impact: Medium

Some practical considerations for your action plan:

• Confirm enterprise-wise understanding of “protected information” and how this intersects with other information assets.
• Amend existing policies, procedures and decision-making matrices to reflect the new definition of “protected information”, which includes a harms-based assessment and a non-exhaustive list of “relevant information”.
• Establish processes and procedures to (i) identify what may amount to “confidential commercial information”, and (ii) how to identify this information as “confidential commercial information” to government agencies (e.g. relevant markings).
• Review and uplift processes to reflect the updated authorisation provisions.

04. New review and remedy powers for CIRMPs

This amendment includes the creation of a directions power for the regulator which can be exercised where a CIRMP has been identified as “seriously deficient”.

Impact on: Responsible entities

Potential level of impact: Medium

Some practical considerations for your action plan:

• Independently assess CIRMPs for “serious deficiency” (i.e. material risks to national security, the defence of Australia, or the social or economic stability of Australia or its people).
• Proactively address any potential gaps and keep appropriate records of actions taken.
• Establish processes and procedures for the steps to be taken upon receipt of a direction; identifying ownership and responsibilities for remediating the identified deficiency.
• Establish processes and procedures for the organisation to comply with new obligations to include the receipt of a direction and remediation of the identified deficiency in their annual report.
• Conduct a risk assessment on whether a direction under this part would require notification to other regulators, or would be considered market-sensitive information.
• Delegate authority as necessary to functions to engage with the Cyber and Infrastructure Security Centre (as necessary).
• Note new penalty regime for non-compliance with direction.

05. Security regulation for critical telecommunications assets

This amendment includes integrating various security requirements for critical telecommunication assets in Part 14 of the Telecommunications Act 1997 into the SOCI Act, with enhancements to align key regulatory obligations and clarify telecommunications-specific obligations.

Impact on: Owners and operators of critical telecommunications assets as defined by Part 14 of the Telecommunications Act.

Potential level of impact: High

Some practical considerations for your action plan:

• The telecommunications sector has been subject to security regulation for decades, including recently under Telecommunications Sector Security Reform (TSSR) legislation that pre-dated the SOCI Act. The amendments now harmonise TSSR with SOCI. As such, the key focus of the telecoms sector will be on converting TSSR compliance into SOCI compliance, including implementing migration steps.
• Telecoms sector specific rules are intended to be developed in early 2025 through a co-design process with industry. Carriers and carriage service providers are already engaging with government via the Australian Telecommunications Security Reference Group for this purpose.
• Undertake a gap analysis of the “security obligation” in section 313(1A) of Telecommunications Act against the SOCI Act “all hazards” requirements. There are some definitional nuances arising from the regime migration. Update affected processes, procedures and plans with expanded definition and to address nuances.
• Implement SOCI Act Part 2A: CIRMPs for critical telecommunications assets.
• Critical telecommunications assets must be considered from a SOCI Act compliance perspective: for example, Part 2 (Register of Critical Infrastructure Assets), Part 2B (notification obligations relating to cyber security incidents).
• Note unique penalty regime split across the Telecommunications Act and SOCI Act.

06. Fewer notification obligations for declarations of systems of national significance (SoNS)

This amendment includes streamlining obligations by removing direct interest holders from the administrative obligations relating to systems of national significance (SoNS).

Impact on: All critical infrastructure asset owners and direct interest holders of SoNS.

Potential level of impact: Low

Some practical considerations for your action plan:

• Responsible entities to consider the process and procedure of notification to direct interest holders of asset (if any).
• Responsible entities to update policies and procedures to remove obligations to advise the Secretary of all instances when direct interest holders cease to be responsible for a critical infrastructure asset.

Going forward

Critical infrastructure entities and assets are at risk of being targets for malicious attacks that could result in significant disruptions to the community at large. The introduction of the SOCI Bill represents the priority of the Department of Home Affairs to ensure Australia is well positioned to prevent and respond to evolving security threats, including cyber-attacks.

Norton Rose Fulbright offers one of Australia’s largest and most experienced legal teams to support your SOCI Act risk and security review, compliance, implementation, and assurance needs. Please reach out to any of us below for a confidential discussion regarding your SOCI compliance.