Last week, special guests Michael Minns (Assistant Secretary) and Jared Henry (Director) from the Critical Infrastructure Regulatory Operations and Analysis Branch of the Cyber and Infrastructure Security Centre (CISC) at the Department of Home Affairs joined KWM Partners Cheng Lim and Intan Eow for a lively webinar on the Security of Critical Infrastructure Act (SOCI Act).
Resilience of Australian critical infrastructure has been a key focus area for the Australian Government. Following our conversation with the CISC earlier this year on the newly-implemented critical infrastructure risk management program (CIRMP) rules (see our earlier alert here), last week’s discussion focused on the regulatory posture adopted by the CISC, insights on implementation of the SOCI Act so far, and what to expect coming up.
The following topics were discussed:
- CISC’s current regulatory posture focuses on education and awareness, with a plan to pivot towards a more enforcement-focused approach in 2024/25;
- In relation to registrations on the SOCI Asset Register, CISC has identified issues such as insufficient information, untimely updates of changes, and a small number of over-registrations;
- When submitting a Mandatory Cyber Incident Report (MCIR) through the Australian Cyber Security Centre (ACSC) website, entities are encouraged to also agree to share the report with the CISC by selecting the ‘relevant regulator’ on the form;
- Twenty-six voluntary CIRMP annual reports have been made following implementation of the CIRMP rules; and
- Clarification on the definitions of data storage or processing assets and direct interest holders.
Regulatory posture
At this initial stage, CISC is primarily focused on education and awareness, aiming to provide critical infrastructure asset owners and operators the support they need to manage risks and ensure the continuity of their operations. Enforcement actions will be reserved for only the most egregious breaches, such as cases where the reporting entity has failed to engage with its obligations entirely, or has intentionally misrepresented its activities when interacting with the regulator. CISC strongly encourages entities that may potentially fall under these obligations to initiate communication with the regulator at an early stage. Additionally, CISC is actively collaborating with entities to help them understand and meet their obligations. The CISC is planning to take on a more proactive role in enforcement beginning in 2024/25.
The SOCI Asset Register
Since the implementation of the SOCI Act in 2018, over 1000 assets have been registered on the SOCI Asset Register, with ten to twenty new asset registration or change forms submitted each week. There is a good understanding of SOCI Act obligations in industry sectors with existing regulatory frameworks (e.g. financial services, telecommunications, and ports). However, the obligations are less well understood in asset classes and sectors that are currently less regulated, such as the new critical data storage or processing asset class.
Over the past three months, CISC has undertaken a data-cleansing exercise, working with organisations that have registered to improve the quality of the information provided or to remove their registrations from the Register for the small number of cases where they are not in fact required to register.
Areas CISC reminds reporting entities to pay attention to include:
- sufficient information about critical suppliers and data arrangements, including where outsourced; and
- timely updates of information, such as contact details, when changes occur.
Information from the Register serves not only to assess the risks of individual entities, but also to establish a holistic understanding by drawing connections across asset classes, entities and sectors. This enables the CISC to identify vulnerabilities in the supply chain, risks facing critical infrastructure assets, and their potential implications.
Mandatory Cyber Incident Reports
There has been a large volume of MCIR reporting, totalling 440 reports. However, only a relatively small proportion relates to critical infrastructure (126).
When submitting an MCIR through the ACSC website, CISC strongly encourages entities to agree to share the report with the CISC by selecting the ‘relevant regulator’ on the form to facilitate CISC's monitoring of compliance with reporting obligations under the SOCI Act.
CIRMP and voluntary reports
Responsible entities for certain critical infrastructure classes are expected to have developed and implemented a written CIRMP by 18 August 2023. Whilst the CISC does not have statutory power to grant extensions for compliance, it does encourage parties who are running behind in implementing the CIRMP to proactively inform the CISC about their circumstances and the expected time period for compliance. As mentioned earlier, at present CISC’s compliance posture only involves the taking of actions for egregious breaches. It also plans to initiate trials of its audit capabilities in 2024.
Whilst the first CIRMP annual report for relevant responsible entities is not due until 28 September 2024, the CISC has encouraged voluntary reporting and board engagement as a trial run in the 90-day period following 30 June 2023. As at 22 September 2023, 26 voluntary reports had been received. The CISC noted that, overall, the quality of the voluntary reports has been good. CISC also recommends that entities keep records of the evidence the board relied on in making the annual reports, in the event that CISC conducts an audit.
CISC noted that the CIRMP itself does not need to be submitted to it, as it is not CISC's role to review CIRMPs.
Data storage or processing assets
As a new asset class not currently regulated by Commonwealth, State or Territory regulators, the concept of a ‘data storage or processing asset’ under the SOCI Act is comparatively challenging to apply. A key aspect of the definition in section 12F of the SOCI Act is that the data storage or processing asset must be used wholly or primarily to provide a data storage or processing service, relating to business critical data as defined in section 5 of the SOCI Act, to specified end users.
Landlords are generally not expected to register as direct interest holders
Under the SOCI Act, an entity that holds a legal or equitable interest in the asset is considered a ‘direct interest holder’, which on its face would include landlords of premises on which critical infrastructure assets are situated, such as data centres, hospitals, ports and electricity generators.
The CISC’s ‘Register of Critical Infrastructure Assets Guidance’ indicates that it does not ordinarily expect the landlord of an asset to register separately as a direct interest holder, unless the landlord has influence or control over the asset beyond that ordinarily conferred by a commercial lease. The focus for CISC is on the level of influence or control the landlord has over the asset. In any event, even if the landlord is not considered to be a direct interest holder, CISC expects the landlord to be listed as a critical supplier in the operational information provided by the responsible entity.
Conclusion
Obligations under the SOCI Act are dependent on the factual circumstances and can be difficult to apply. Entities in doubt should therefore seek legal advice and engage with the CISC early.