Business Insight

Changes to the SOCI Act are on the horizon 


    What you need to know

    • On 9 October 2024, the Australian Parliament introduced the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (Cth) (SOCI Amendment Bill).
    • This SOCI Amendment Bill will amend key parts of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) and is a critical step in the Australian Government's ongoing efforts to implement its 2023-2030 Cyber Security Strategy. The strategy includes a regulatory agenda for reforms to ensure Australia can manage persistent cyber threats of today while simultaneously building a more cyber-secure ecosystem over time.
    • The SOCI Amendment Bill comes after months of consultation on the proposed reforms, together with proposals for broader cybersecurity laws (see our related article on these changes). The Albanese government wants to pass the laws through Parliament by the last sitting week for 2024 in November.
    • Below we focus on two key changes that we consider could have a significant impact on how entities make decisions regarding their SOCI compliance, being the treatment of internal data storage systems and the protected information regime.

    What you need to do

    • If you are a responsible entity, determine whether you own or operate a data storage system that is used in connection with your critical asset – if the answer is yes, the SOCI Act obligations for a critical asset will now extend to this data storage system.
    • Review the changes to the protected information regime – the regime is being overhauled to become easier to navigate; however, entities are still required to ensure that they continue to comply with the SOCI Act in how they treat protected information.

    SOCI Reforms

    Data Storage Systems

    The SOCI Act currently does not explicitly require critical infrastructure entities to treat data storage systems that hold business critical data as a 'critical asset' in their own right; it only requires entities to notify outsourced data storage service providers that they hold business critical data.

    The concern raised by the government during the consultation process is that hackers may use data storage systems that hold business critical data for an asset as a way to enter the ecosystem of an entity and attack the critical infrastructure asset. Australia has seen a growing number of cyber incidents impacting non-operational data storage systems held by critical infrastructure entities. These incidents did not directly impact the essential functions of critical infrastructure, but rather the non-operational systems that hold large quantities of data related to the asset.

    Under the proposed amendments to the SOCI Act, if an asset is a critical infrastructure asset, then a data storage system in respect of which all of the following requirements are satisfied is taken to be part of the critical infrastructure asset:

    • the responsible entity for the critical infrastructure asset owns or operates the data storage system;
    • the data storage system is used, or is to be used, in connection with the critical infrastructure asset;
    • business critical data is stored, or is processed in or by, the data storage system (whether or not other information is also stored, or is processed in or by, the data storage system); and
    • where there is a material risk that the occurrence of a hazard could have an impact on the data storage system, there is also a material risk that the occurrence of the hazard could have a relevant impact on the critical infrastructure asset.

    Therefore, obligations under the SOCI Act to include information on the Register, develop a Critical Infrastructure Risk Management Program (CIRMP) and notify cyber incidents will all extend to data storage systems that now form part of a critical infrastructure asset. For existing critical infrastructure assets, responsible entities should consider whether this will require an update to the operational information already submitted to the Register and any updates to the CIRMP.

    These obligations will apply from commencement of the SOCI Amendment Bill, including in relation to assets that are critical infrastructure assets immediately before commencement.

    Our view is that this amendment encourages entities to proactively consider how they store business critical data and determine whether this data is currently subject to adequate security controls. The obligation to notify outsourced data storage service providers that they hold business critical data remains unchanged.

    Protected information provisions

    Protecting information and disclosure about the operation, structure and location of critical infrastructure assets is a vital part of the SOCI Act. However, there are concerns that the current provisions limit the sharing of information in circumstances where it may be useful to share that information, such as in a crisis or where a major incident is unfolding. The current protected information regime can also cause confusion, meaning that entities may be in breach of the SOCI Act without realising it.

    The SOCI Amendment Bill introduces a new concept of 'relevant information', which links to the new proposed section 5A, which is as follows:

    Protected information is relevant information:

    (a) the disclosure of which would or could reasonably be expected to prejudice national security or the defence of Australia; or

    (b) the disclosure of which would or could reasonably be expected to prejudice the social or economic stability of Australia or its people; or

    (c) that contains, or is, confidential commercial information; or

    (d) the disclosure of which would or could reasonably be expected to prejudice the availability, integrity, reliability or security of a critical infrastructure asset.

    The introduction of the concept of "relevant information" means that the assessment of what is protected information will now be a two-tiered assessment: a non-exhaustive list of relevant information, followed by a harms-based assessment against the factors outlined above. The first step is to determine whether you have "relevant information" (effectively the previous definition of what constituted "protected information" under the SOCI Act); if you do, the second step is to determine whether it is "protected information", with that concept now linked to the harms-based assessment. This may narrow the scope of what may be considered protected information going forward.

    The next amendment worth flagging is the introduction of two new exceptions that authorise an entity to use or disclose protected information. These are:

    • if the entity makes the record or uses or discloses the information for the entity's business, professional, commercial or financial affairs;
    • where the purpose relates to the continued operation of an asset or to mitigate risks to that asset.

    We think the first exception in particular will be welcomed by industry. Currently, the exceptions to the protected information regime are more narrowly scoped and can be difficult to navigate. These new exceptions will provide entities with comfort that they are not in breach for disclosing protected information, similar to how a confidential information regime currently works in practice.

    These obligations will apply from commencement of the SOCI Amendment Bill, including in relation to documents or information generated or adopted before that time.

    The protection of our cyber security and critical infrastructure is vital to Australia's national security and economic stability. This is an evolving space in which reforms must be monitored to ensure continuous compliance with the SOCI Act.

    Ashurst Risk Advisory view

    These changes should trigger all entities responsible for critical infrastructure assets to review their existing CIRMPs and ensure that they adequately satisfy the new requirements.

    The data storage system update demonstrates that government is cognisant of the risk of such systems being used as a potential stepping stone by threat actors, particularly those associated with hostile nation states, who are increasingly targeting critical infrastructure.

    The interconnectedness of modern IT and particularly modern Operational Technology (OT) makes them a key target for such individuals and groups. The risk is that they target systems connected to a critical infrastructure asset and move laterally within the technology environment to access and compromise the asset, or compromise data residing on a data storage system that provides them with sensitive information and knowledge that facilitates a compromise.

    Up to now, critical infrastructure providers' data storage assets would have only been deemed a critical component of the critical infrastructure asset if their absence, damage or compromise would prevent the proper function of the asset, or could cause significant damage to the asset.

    This meant that key data storage systems that did not meet this definition may not have been captured by an entity's CIRMP and may therefore not have had the same level of risk or control scrutiny as other elements of the critical infrastructure asset. With the new definition for data storage systems, responsible entities must think holistically about the way their IT and OT systems interact and interconnect, the data they hold and the risk that hazards impacting their data storage systems could present to their critical infrastructure asset.

    With the new protected information provisions, government has sought to clarify and simplify the assessment of what constitutes protected information and provide new exceptions to the disclosure restrictions. This should make it easier for entities to disclose relevant information when required, such as when working with independent experts during the development of a CIRMP, or sharing information with government during a crisis.

    It is essential that responsible entities conduct the two-tier assessment to identify all of their protected information. Once identified, protected information should be labelled appropriately and a process defined to manage requests to disclose the information. Protected information labelling, which would ideally be rights management-backed in support of data loss prevention controls, should clearly identify the information as protected under the Act to ensure that it is not disclosed without following the due process. A disclosure process should align to the requirements under the Act and include appropriate legal and other approval checks and balances.

    Responsible entities should seek to get ahead of these changes by taking steps now to comply with the new requirements.

    Want to know more?

    Other author: Alex White, Lawyer.


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.


    This material is current as at 22 Oct 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
