A Renewed Focus for the SOCI Act in the 2025 Financial Year

12 July 2024

The new financial year is always a time of flux—an opportunity for businesses to focus on establishing a stable foundation for the next twelve months. And in the 2025 financial year, preparing for the upcoming changes to the Security of Critical Infrastructure (SOCI) Act should be a priority. With key regulatory reforms scheduled for as soon as August, efficient compliance is a necessity for any critical industry business.

The SOCI Act’s Renewed Focus

Introduced in 2018, the SOCI Act provides a regulatory framework to strengthen the security of critical infrastructure assets and protect against increasing cyber threats. In 2022, the SOCI Act was amended to expand the number of sectors it regulates, increasing from an initial four to 11 critical industries.

The 2025 financial year promises an equally logical shift. Throughout the 2024-25 period, the Cyber and Infrastructure Security Centre (CISC) is aiming to balance the previous years’ focus on education and awareness with a new dedication to actively driving compliance. This move seeks to improve knowledge and preparedness, boost levels of regulated entity compliance, and help industry better understand compliance obligations (Cyber and Infrastructure Security Centre, 2024).

In line with the new focus on compliance, trial audits began in the third and fourth quarters of 2023-24, with regular compliance audit activities slated to begin in earnest for the 2024-25 period (Cyber and Infrastructure Security Centre, n.d.). In practice, this change means the SOCI Act is kicking into gear.

The Regulatory Shift: Turning Awareness Into Action

Considering the initial focus on education and awareness, the SOCI Act had somewhat of a soft opening for the first few years. And during this time, there were several high-profile cyberattacks that illustrated the need for this new legislation. The 2022 Optus and Medibank attacks were the most severe, with cybercriminals stealing the sensitive details of a combined 20 million accounts (Samios, 2022; Robertson, 2024).

However, while the scale of these attacks is staggering, the continued volume of cyber security breaches has become the major concern. Peter Anstee, First Assistant Secretary of Cyber Security Policy at the Department of Home Affairs, stated that, “In the last 12 months, ASD, the Australian Signals Directorate, has responded to 150 major critical infrastructure-related cyber incidents… That’s a 15% increase on the year previous” (Weber, 2024).

The new financial year’s focus on enforcing compliance moves away from awareness and into action, aiming to improve the security posture of Australia’s critical industries and assets more effectively.

How to Comply With the SOCI Act in 2024-25

Reporting will be the main concern for critical businesses in 2024-25. If your business is considered a responsible entity under the SOCI Act, you will be required to submit a critical infrastructure risk management program (CIRMP) report to the Department of Home Affairs between 30 June and 28 September 2024 (within 90 days following the end of the financial year).

Your report needs to demonstrate that your CIRMP is up to date, and must outline:

  • The perceived hazards your assets face.
  • How you plan to minimise or eliminate any risk to these assets, and any impact of the hazard.
  • Any hazards that occurred during the reporting period and the action you took to mitigate any impacts. (Lim et al., 2024)

A review of your CIRMP must also be completed by 18 August 2024. During this time, the grace period for meeting the initial SOCI Act requirements will end as well. Any entities that fall under the 11 infrastructure categories must be compliant with all legislation by 17 August 2024 (KPMG, 2024).

The Compliance Roadmap Into 2025

The Department of Home Affairs proposed the 2023–2030 Australian Cyber Security Strategy in February 2023. This document described how the SOCI Act could be improved to boost its clarity, consistency, and coordination of response, and strengthen Australia’s cyber defences. The strategy was open for public comment until 1 March 2024.

If the amendments come into effect, they will:

  • Broaden the SOCI Act’s scope to include data storage systems and business critical data.
  • Expand the crisis response arrangements to ensure they capture secondary consequences and subsequent consequence management powers.
  • Simplify protected information provisions and take a harms-based approach for disclosing information.
  • Introduce formal review and remedy powers for Commonwealth regulators, to address deficient elements of CIRMPs.
  • Consolidate telecommunication security requirements to align with the same standards as other critical infrastructure entities. (Department of Home Affairs, 2023)

These SOCI Act reforms will likely go live during the 2024-25 period, in alignment with the new financial year’s compliance goals. And with the number of cyber security breaches exponentially rising, the development of this resilient critical infrastructure ecosystem cannot come soon enough. (Weber, 2024)

If your business is becoming overburdened with increasing compliance requirements, the team at Kinatico can provide expert advice and suggest digital solutions to help lighten the load.

References:

Cyber and Infrastructure Security Centre. (2024, March 6). SOCI Compliance Regulatory Posture 2024 and beyond [Press release]. https://www.cisc.gov.au/news-media/archive/article?itemId=1176

Cyber and Infrastructure Security Centre. (n.d.). Our regulatory principles and approach. Australian Government Department of Home Affairs. https://www.cisc.gov.au/legislation-regulation-and-compliance/our-regulatory-principles-and-approach

Department of Home Affairs. (2023, December 18). Australian Cyber Security Strategy: Legislative Reforms | Consultation Paper. Australian Government. https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2023-30-consultation-paper.pdf

KPMG. (2024, June 24). SOCI Act: Protecting the Security of Critical Infrastructure. https://kpmg.com/au/en/home/topics/critical-infrastructure-reforms.html

Lim, C., Eow, I., and Beh, J. (2024, March 15). SOCI roadmap – Where are we at now, and what’s coming up next? King & Wood Mallesons. https://www.kwm.com/au/en/insights/latest-thinking/soci-roadmap-where-are-we-at-now-and-whats-coming-up-next.html

McElroy, N. (2022, September 22). Optus says it has been hit by a cyber attack that has compromised customer information. ABC News. https://www.abc.net.au/news/2022-09-22/optus-hit-with-cyber-attack-impacting-customers-/101466036

Robertson, J. (2024, June 22). How Medibank allegedly ignored the warning signs in one of Australia’s worst cybersecurity breaches. ABC News. https://www.abc.net.au/news/2024-06-22/medibank-alerts-australia-cybersecurity-breach/104003576

Samios, Z. (2022, November 10). Optus hack to cost at least $140 million. The Sydney Morning Herald. https://www.smh.com.au/business/companies/optus-puts-aside-140m-to-replace-customers-hacked-identity-documents-20221110-p5bx4g.html

Weber, K. (2024, May 3). Dept Home Affairs continues building out the SOCI Act. Digital Nation. https://www.digitalnationaus.com.au/news/dept-home-affairs-continues-building-out-the-soci-act-607659