The SOCI Act in 2023

What is the SOCI Act?
The Security of Critical Infrastructure Act (SOCI Act) regulates the security and resilience of critical infrastructure in Australia and has recently been amended to include a swathe of new sectors.
Affected companies have been given a six-month window to achieve compliance, ending on August 17, 2023. With this deadline fast approaching, you need to start acting on the requirements, or you will face financial penalties for non-compliance.
Key Critical Infrastructure Industries
Disability
As part of the healthcare and medical sector, disability providers are now included under the SOCI Act’s critical infrastructure regulations.
Requirements:
- Create and maintain a critical infrastructure Risk Management Program (RMP)
- Register critical assets and report any cybersecurity events
Aged Care
Also part of the healthcare and medical sector, aged care providers are now subject to the SOCI Act’s compliance regulations.
Requirements:
- Create and maintain a critical infrastructure Risk Management Program (RMP)
- Register critical assets and report any cybersecurity events
Resources
Under the SOCI Act, a company is considered part of the energy and resources sector if it involves:
- The production, transmission, distribution, or supply of electricity.
- The production, processing, transmission, distribution, or supply of gas.
- The production, processing, transmission, distribution, or supply of liquid fuel.
So, if your company fits those criteria, then you need to:
- Register critical assets and report any cybersecurity events
- Devise a Risk Management Program (RMP)
Finance
Under the SOCI Act, the financial services and markets sector includes companies in:
- Insurance
- Banking
- Superannuation
- Financial markets
- Clearing and settlement facilities
- Derivative trade repositories
- Financial benchmarks
- Payment systems
- Credit facilities
So, if your company fits those criteria, then you need to:
- Register critical infrastructure assets
- Complete mandatory cyber incident reporting
- Create a Risk Management Program (RMP)
Education
In the education sector, the SOCI Act affects higher education providers—in other words, universities. A university will be considered a critical education asset if it’s owned or operated by an entity that is registered as an Australian university on the National Register of Higher Education Providers.
Requirements for critical education assets:
- Register critical infrastructure assets
- Complete cyber incident reporting
- Create a Risk Management Program (RMP)
Utilities
Under the SOCI Act’s critical infrastructure regulations, utility providers must now comply with new requirements which oblige them to:
- Create and maintain a critical infrastructure Risk Management Program (RMP)
- Register critical assets and report any cybersecurity events
Does your sector need to conform to the SOCI Act?
- Communications
- Data storage or processing
- Financial services and markets
- Water and sewerage
- Energy
- Health care and medical
- Higher education and research
- Food and grocery
- Transport
- Space technology
- Defence
What is your responsibility?
The Bill requires owners of certain assets to “adopt, maintain and comply with” an all-hazards critical infrastructure risk management program. Impacted owners operate across multiple sectors including communications, transport, financial services, defence, higher education, energy, health care, water and sewerage.
According to a breakdown of the new laws, “all-hazards” includes physical security hazards, natural hazards, cyber and information security hazards, supply chain hazards, and (crucially) personnel hazards.
The Bill requires asset owners to create a risk management program that includes a risk identification process, a risk management process for each material risk to an asset that will minimise or eliminate the risk, and a process for reviewing the program. A Critical Asset Register (CAR) includes people risk: the threat of employees, contractors and other personnel exploiting a physical or IT vulnerability.
Achieve Compliance Without The Paperwork
How To Comply With The SOCI Act Requirements
Registering Critical Infrastructure Assets
A reporting entity needs to register with the government the operational, ownership, interest, and control information of its critical assets.
Cyber Incident Reporting
You must report any cyber security incidents and events, both critical and non-critical, via the Australian Cyber Security Centre’s online cyber incident reporting portal.
Create a Risk Management Program (RMP)
You need to identify potential hazards, minimise or remove the risk of each hazard occurring, and mitigate the impact if it does happen.
How We Can Help
Prepare a risk management program
Service your SOCI screening requirements
Provide monitored compliance oversight
Provide supply chain monitored compliance oversight
Real measurable business outcomes you can expect
- Ongoing proactive workforce compliance management
- Business process improvements
- Reduced administration
- Reduced complexity
- Successful collaboration across organisations & supply chain
- Report on exceptions across staff and supply chain
- Restrict physical access to assets if non-compliant
Industry Insights
See how organisations across Australia are meeting the requirements of the SOCI Act.
A smarter way to get a check
Leah Egginton
Senior Client Executive
As our key client executive working with organisations across Australia to meet the compliance requirements of the SOCI Act, Leah will work with you to implement and meet the right screening and compliance for your industry and organisation. Leveraging 22 years of experience in Australia’s workforce screening and compliance sector, Leah’s wealth of knowledge makes her one of the most commendable executives working with Kinatico customers.
Book a Call with Leah
Need A Compliance Translator?
Avoid sifting through dense legal jargon: we can explain how the SOCI Act changes apply to you and help you meet the requirements.