Changes to the SOCI Act are on the horizon
20 December 2024
Article first published on 22 October 2024 to report on critical infrastructure reforms as introduced. It has been updated as the bill has been passed and received royal assent.
The SOCI Act currently does not explicitly require critical infrastructure entities to treat data storage systems that hold business critical data as a 'critical asset' in itself, only to notify outsourced data storage service providers that they hold business critical data.
The concern raised by the government during the consultation process is that hackers may use data storage systems that hold business critical data for an asset as a way to enter the ecosystem of an entity and attack the critical infrastructure asset. Australia has seen a growing number of cyber incidents impacting non-operational data storage systems held by critical infrastructure entities. These incidents did not directly impact the essential functions of critical infrastructure, but rather the non-operational systems that hold large quantities of data related to the asset.
Under the amended SOCI Act, if an asset is a critical infrastructure asset, then a data storage system in respect of which all of the following requirements are satisfied is taken to be part of the critical infrastructure asset:
Therefore, obligations under the SOCI Act to include information on the Register, develop a Critical Infrastructure Risk Management Program (CIRMP) and notify cyber incidents will all extend to data storage systems that now form part of a critical infrastructure asset. For existing critical infrastructure assets responsible entities should consider whether this will require an update to the operational information already submitted to the Register and any updates to the CIRMP.
These obligations will commence on a date to be proclaimed within 6 months, including in relation to assets that were critical infrastructure assets immediately before commencement.
Our view is that this amendment encourages entities to proactively consider how they store business critical data and determine whether this data is currently subject to adequate security controls. The obligation to notify outsourced data storage service providers that they hold business critical data remains unchanged.
Protecting information about the operation, structure and location of critical infrastructure assets, and restricting its disclosure, is a vital part of the SOCI Act. However, there are concerns that the previous provisions limited the sharing of information in circumstances where it may be useful to share that information, such as in a crisis or where a major incident is unfolding. The provisions also caused confusion, meaning that entities may have breached the SOCI Act without realising it.
The SOCI Amendment Act introduces a new concept of 'relevant information', which is then assessed from a harms-based perspective in the new section 5A as follows:
Protected information is relevant information:
(a) the disclosure of which would or could reasonably be expected to prejudice national security or the defence of Australia; or
(b) the disclosure of which would or could reasonably be expected to prejudice the social or economic stability of Australia or its people; or
(c) that contains, or is, confidential commercial information; or
(d) the disclosure of which would or could reasonably be expected to prejudice the availability, integrity, reliability or security of a critical infrastructure asset.
The introduction of the concept of "relevant information" means that the assessment of what is protected information will now be a two-tiered assessment: a non-exhaustive list of relevant information, followed by a harms-based assessment against the factors outlined above. The first step is to address whether you have "relevant information" (effectively the previous definition of what constituted "protected information" under the SOCI Act); if you do, the second step is whether it is "protected information", with that concept linked to the harms-based assessment. This may narrow the scope of what may be considered protected information going forward.
The next amendment worth flagging is the introduction of two new exceptions that authorise an entity to use or disclose protected information. These are:
We think the first exception in particular will be welcomed by industry. Existing exceptions to the protected information regime are more narrowly scoped and can be difficult to navigate. These new exceptions will provide entities with comfort that they are not in breach when disclosing protected information, similar to how a confidential information regime currently works in practice.
Again, the changes commence on a date to be proclaimed within 6 months, including in relation to documents or information generated or adopted before that time.
The protection of our cyber security and critical infrastructure is vital to Australia's national security and economic stability. This is an evolving space where reforms must be monitored to ensure continuous compliance with the SOCI Act.
These changes should trigger all entities responsible for critical infrastructure assets to review their existing CIRMPs and ensure that they adequately satisfy the new requirements.
The data storage system update demonstrates that Government is cognisant of the risk of such systems being used as a potential stepping stone by threat actors, particularly those associated with hostile nation states, who are increasingly targeting critical infrastructure.
The interconnectedness of modern IT and particularly modern Operational Technology (OT) makes them a key target for such individuals and groups. The risk is that they target systems connected to a critical infrastructure asset and move laterally within the technology environment to access and compromise the asset, or compromise data residing on a data storage system that provides them with sensitive information and knowledge that facilitates a compromise.
Up to now, critical infrastructure providers' data storage assets would have only been deemed a critical component of the critical infrastructure asset if their absence, damage or compromise would prevent the proper function of the asset, or could cause significant damage to the asset.
This meant that key data storage systems that did not meet this definition may not have been captured by an entity's CIRMP and may therefore not have had the same level of risk or control scrutiny as other elements of the critical infrastructure asset. With the new definition for data storage systems, responsible entities must think holistically about the way their IT and OT systems interact and interconnect, the data they hold, and the risk that hazards impacting their data storage systems could present to their critical infrastructure asset.
With the new protected information provisions, government has sought to clarify and simplify the assessment of what constitutes protected information and provide new exceptions to the disclosure restrictions. This should make it easier for entities to disclose relevant information when required, such as when working with independent experts during the development of a CIRMP, or sharing information with government during a crisis.
It is essential that responsible entities conduct the two-tier assessment to identify all of their protected information. Once identified, protected information should be labelled appropriately and a process defined to manage requests to disclose the information. Protected information labelling, which would ideally be rights management-backed in support of data loss prevention controls, should clearly identify the information as protected under the Act to ensure that it is not disclosed without following the due process. A disclosure process should align to the requirements under the Act and include appropriate legal and other approval checks and balances.
Responsible entities should take steps now to adapt to these changes.
Other author: Alex White, Lawyer.
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com
This material is current as at 20 December 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.