Protecting critical infrastructure and the community from cyber threats

April 8, 2022

New Australian government cyber reforms will have far-reaching impacts on infrastructure providers and their approach to risk.

Australia is currently implementing cyber reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act) to address evolving security threats posed to Australia's infrastructure providers and the wider community. These reforms are broad reaching, and it is crucial that potentially impacted organisations appreciate the full scope.

A need to prioritise cyber governance

The SOCI Act applies to 22 asset classes across 11 sectors, covering organisations operating in the communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage industries. Previously, only four critical sectors were included; the reforms are intended to capture a broader range of sectors and assets.

Entities and individuals that are potentially subject to the SOCI reforms must develop strong investigative processes for potential cyber incidents, and internal capacities to promptly escalate and effectively triage cyber events. These processes must also be harmonised with the mandatory incident notification obligations imposed by the SOCI reforms.

The reforms also demand that impacted organisations prioritise cyber governance. There currently exists a requirement to advise government of the individuals and entities owning and controlling regulated assets, as well as relevant board structures, ownership rights, operational material, outsourcing and offshoring information.

From a cyber security perspective, these obligations demand that robust processes are adopted across asset identification, risk assessment and situational awareness. The process is also likely to result in regulated organisations imposing heightened cyber security, incident response and risk management obligations on their suppliers and stakeholders, creating far-reaching contractual liability exposures.

Risk quantification and insurance

Organisations subject to SOCI will also need to carefully analyse their approach to risk quantification and insurance. The substantive components of the law will make incident response more costly, and potentially create additional business interruption and operational risks that will influence support needs and insurance drivers. A whole-of-program analysis may also be required, given the additional penalty components contained in the legislation.

A grace period is provided under the legislation to allow entities time to complete their cyber uplift and adopt compliant processes. In many cases uplift work will be substantial and these issues should be considered as a matter of urgency to allow sufficient time to undertake action planning and complete workflows. WTW is currently helping a broad range of organisations address the risk management, security, compliance and insurance challenges created by the SOCI reforms.

A compliance framework

The SOCI Act provides a compliance framework for critical infrastructure sectors and assets. The recent amendments build upon the existing framework and add new obligations to strengthen the cyber security, resilience and incident reporting of infrastructure organisations.

The reforms have been broken into two separate pieces of legislation:

  1. The Security Legislation Amendment (Critical Infrastructure) Act 2021 (SOCI 2021 Act); and
  2. The Security Legislation Amendment (Critical Infrastructure) Bill 2022 (SOCI 2022 Bill).

Why were the reforms needed?

The risk of cyberattacks impacting critical infrastructure and service providers has grown steadily. Here are three recent events:

  • In 2015, evidence emerged that the SolarWinds cyber event allowed hackers access to computer systems across multiple US and Australian government departments.
  • In May 2021 the Colonial Pipeline cyber event caused major disruption and affected consumers and airlines all along the US East Coast.
  • In November 2021 a ransomware attack on a Queensland power company potentially threatened power supplies to over three million properties.

The Australian government has said the ongoing security and resilience of critical infrastructure must be a responsibility shared between governments and the owners and operators of the infrastructure. The SOCI reforms attempt to achieve this.

What was contained in the SOCI 2021 Act?

  1. Expanded the number of ‘critical infrastructure sectors’ from four to 11
  2. Created obligations for subject organisations to keep a register of information in relation to ‘critical infrastructure assets’
  3. Imposed a new mandatory reporting obligation where cyber-attacks are made against assets within these sectors
  4. Provided the Government with investigative and intervention rights if a critical infrastructure asset experiences a cyber-attack.

The enhanced cyber security obligations already apply to assets that were deemed critical infrastructure prior to the commencement of the SOCI 2021 Act.

The expanded industry sectors and assets will be subject to the new obligations via the Security of Critical Infrastructure (Application) Rules 2021 (Application Rules) or a specific declaration made under section 51 of the SOCI Act.

The Application Rules essentially provide the Minister for Home Affairs with the power to ‘switch on’ the provisions for critical infrastructure assets. As of April 2022, these have not yet passed through the parliament; however, the Minister is currently reviewing submissions.

The Application Rules will also include the power to exclude assets. For example, as drafted, they recommend the exclusion of specific sugar mill generators which have no impact on the delivery of essential goods and services. It should be noted that the Application Rules also propose a three-month grace period for the notification of cyber security incidents and a six-month grace period for the wider critical asset obligations.

Mandatory cyber incident reporting obligations

Part 2B of the SOCI 2021 Act requires that any cyber security incident which has a relevant impact on a critical infrastructure asset be notified to the Australian Signals Directorate. The timelines are strict, as a cyber security incident must be notified:

  1. Within 12 hours, where the incident is ongoing, will have a significant impact on the availability of a critical infrastructure asset, and has disrupted the availability of the asset; and
  2. Within 72 hours, in all other circumstances.

To comply with these obligations and regulations, organisations will require joined-up approaches to incident identification, triage, reporting and notification. This will impose significant strain on incident response teams and governance processes.

A ‘cyber security incident’ is defined broadly to include unauthorised access or modification, unauthorised impairment of electronic communication, and impairment of the availability, reliability, security or operation of a computer, computer data, or a computer program. Unauthorised access includes both the acts of a malicious third party and those of an employee who did not have authority to commit the act, where those acts cause a cyber security incident.

Register of critical infrastructure assets

The reform requires critical infrastructure asset information to be provided to the Register of Critical Infrastructure Assets (Register), identifying who owns and controls assets. Operational material must also be provided to assist the government’s understanding of who is in a position to influence the control and operation of critical infrastructure assets, and to support the development of proactive strategies to manage cyberattacks.

An individual or entity that is a direct interest holder must be recorded on the Register where they, either individually or with associates, hold an interest of at least 10% in a critical infrastructure asset, or hold a position of influence and control over the asset. The information provided to the Register must include operational information in relation to the asset, together with interest and control information.

Operational information includes the location of the asset, a description of the area the asset services, details of every responsible entity or operator of the asset, the full name and citizenship of the Chief Executive Officer of each responsible entity, a description of arrangements under which each operator manages the asset or a part of the asset, and a description of arrangements under which data prescribed by the rules relating to the asset is maintained.

Authorisation and intervention

Significant ministerial powers are given under the SOCI 2021 Act where a cyber incident is likely to have a relevant impact on a critical infrastructure asset and the incident is likely to prejudice the social or economic stability of the wider Australian community. In these situations, the following directions may be given.

  1. Information gathering directions: The government may authorise the entity to complete a report regarding the cyber-attack. This is to ensure the government has all necessary material to develop an appropriate response should a similar cyber-attack occur.
  2. Action directions: The government can direct the entity to do, or refrain from doing, a specified act or thing. The Minister must be satisfied that the entity is unwilling or unable to take reasonable steps to respond to the incident, that the direction is reasonably necessary and proportionate, and that compliance is feasible.
  3. Intervention requests: Where an action direction is not effective, an intervention request can be given. An intervention request may include providing access to computers, or analysis of computer data.

The government has stated that these measures will primarily be used to provide assistance to regulated organisations immediately prior to, during or following a cyber event. Information gathering will focus on determining whether another power in the Act should be exercised, while processes to direct an entity to do, or not do, a specified act will take into account the capabilities of authorised agencies that can provide support.

SOCI 2022 Bill

The SOCI 2022 Bill includes further powers for incident management, the declaration of systems of national significance and further enhanced cyber security obligations. These provisions were split from the SOCI 2021 Act late last year in order to obtain additional stakeholder, industry and government feedback.

On 28 March 2022 the Parliamentary Joint Committee on Intelligence and Security released an advisory report recommending that the SOCI 2022 Bill pass with 10 relatively minor changes. The Bill was subsequently passed on 31 March 2022, imposing further reporting and risk management obligations on critical infrastructure sectors and assets.

Insurance and risk implications

While the SOCI reforms do not impose specific insurance obligations, they impact how regulated organisations evaluate overall risk, their potential financial exposures and their incident response needs. Each of these factors will influence insurance drivers, limit requirements and specific program requirements.

A large part of this analysis should focus on whether organisations have effective cyber liability insurance; however, wider program requirements may also need to be considered, including risks across Directors and Officers, Management Liability, Professional Indemnity and Statutory Liability insurances. Whole-of-program and technology-focused insurance analysis will give organisations significantly enhanced confidence that their insurance program is fit for purpose in light of the SOCI reforms.

How can WTW help?

WTW is committed to supporting clients in this challenging data and security environment and to sharing our knowledge and insights. The WTW Cyber and Technology Team is uniquely cross-functional and made up of recognised industry leaders with expertise across data governance, cyber security, legal risk, regulatory obligations, technology procurement and processes, exposure quantification, incident response and insurance.

WTW has unrivalled expertise in placing insurance programs for cyber liability, technology risk and infrastructure. Our expert consultants go beyond the placement of insurance and deliver strategic advice and analytical tools to help clients navigate risk assessment, maturity uplift, resilience, governance and risk transfer. If you would like further information on the issues discussed in this article, do not hesitate to reach out to us.

Contacts

Cyber and Technology Risk Specialist – FINEX Australasia

FINEX National Australasia Team