Amendments to SOCI Act flagged in Australian Cyber Security Strategy

John Dieckmann, Margaret Gigliotti
24 Nov 2023

The recent Australian Cyber Security Strategy flags changes to the Security of Critical Infrastructure Act 2018 (Cth) which appear likely to be implemented as part of phase 1 of the 2023-2030 Cyber Security Strategy Action Plan.

On 22 November 2023, the Federal Government released the Australian Cyber Security Strategy and associated 2023-2030 Action Plan. The strategy and action plan address a wide range of practical and regulatory measures proposed to be taken to improve Australia's cyber resilience. Among the proposals are commitments to clarify and strengthen aspects of the Security of Critical Infrastructure Act 2018 (Cth) (the "SOCI Act").

As part of the strategy, the Federal Government has made five commitments involving further refinement of the SOCI Act.

The changes, described below, are only one aspect of the strategy – which sets out an ambitious slate of planned initiatives intended to create six "cyber shields" to protect Australia from cyber risks. While the action plan released alongside the strategy covers the period 2023-2030, the timing for implementation of specific items is not yet clear.

1. Ensure we are protecting the right entities

Currently, cyber security requirements for telecommunications providers are found in both the Telecommunications Act 1997 (Cth) (and associated legislative instruments) and the SOCI Act. To avoid duplication and reduce complexity for telecommunications providers who operate in multiple critical infrastructure industries, these obligations are proposed to be consolidated within the SOCI Act.

Obligations will also be clarified for entities who are a "managed service provider" for a critical infrastructure asset. While the strategy does not provide further detail regarding how the obligations will be clarified, it is possible that new standards for the management of security risks developed as part of shield 2 will apply to managed service providers.

Legislative reform is also expected to introduce stronger cyber security obligations in the aviation and maritime sectors. However, it appears that these reforms will sit outside of the SOCI Act in existing industry-based legislation.

2. Ensure we are protecting the right assets

Further industry consultation will be undertaken in relation to the application of the SOCI Act to data storage systems. Currently, the definitions of "critical data storage or processing asset" and "business critical data" present challenges for businesses providing data hosting or processing services, as they involve some ambiguity and may result in the legislation applying to a service provider with little or no forewarning. Clarification of these concepts, and the mechanisms by which the provisions become binding on a service provider, would provide greater certainty for data hosting and processing providers regarding the scenarios in which they will become subject to obligations under the SOCI Act.

3. Enhance cyber security obligations for Systems of National Significance

The SOCI Act already contemplates a regime to apply specifically to systems declared by the Minister for Home Affairs as being "systems of national significance". To date, no systems have been declared as such. As part of the strategy, the Government now plans to expedite the implementation of the "systems of national significance" framework, which would include identification of assets to fall within the scope of the regime.

4. Ensure critical infrastructure is compliant with cyber security obligations

The strategy flags that the Government will continue to encourage awareness of existing obligations under the SOCI Act (including requirements relating to risk management programs). To achieve this, the Government will implement a compliance monitoring and evaluation framework. The framework is likely to include various compliance powers, including an ability for the Government to direct responsible entities to uplift any risk management plans which are considered seriously deficient.

5. Help critical infrastructure manage the consequences of cyber incidents

The strategy proposes that a new legislative power be introduced to allow the Government to help organisations deal with consequences of significant cyber incidents where no other Federal or State legislative levers are available. The power would allow the Government to authorise actions to be taken to manage consequences of nationally significant incidents. We expect that the power is also likely to include an ability for the Department of Home Affairs to provide binding directions to organisations in relation to their management of cyber security incidents, similar to the powers included in the existing SOCI Act.

Industry consultations will also be held to determine how the Government can assist organisations to better manage cyber incidents.

Key takeaway

It is expected that further detail will emerge over the coming months as the Government seeks to implement its strategy. While not stated expressly in the action plan that has been released, it appears changes to the SOCI Act will take place as part of phase 1, termed "strengthening our foundations", which is due to be implemented over the course of the next two years. Organisations that are subject to the SOCI Act should monitor these developments carefully and consider taking part in any further industry consultation undertaken as the Government pursues its strategy.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.