We are living in a world where a ‘simple’ software hiccup brings entire nations to a grinding halt. At least that’s the reality we faced during the recent ‘CrowdStrike Incident’ – a digital disaster that left airlines grounded, hospitals scrambling and financial institutions in disarray. It was a wake-up call that echoed across the globe, reminding us just how vulnerable our interconnected world truly is.
In the aftermath of the CrowdStrike Incident, Alison Cripps, Legal Writer, Practical Guidance, Data Protection & Privacy sat down with Alec Christie, Partner in the Digital Law team at Clyde & Co, to unravel the tangled web of Australia’s Security of Critical Infrastructure Act (SOCI Act), its role in safeguarding our digital lifelines and the obligations it imposes on those subject to it.
“The recent event and other recent incidents are stark reminders that even a seemingly innocuous glitch can have far-reaching consequences in our digitally interconnected world,” Christie warned. “While the recent event wasn’t a malicious attack, it exposed the ‘fragility’ of the global systems we rely on for everything from healthcare to finance.”
As Christie delved into the intricacies of the SOCI Act, it became clear that the legislation has undergone a metamorphosis (from 2021), evolving to keep pace with the ever‑changing cyber and other threats to our critical infrastructure. “Initially focused on 4 key sectors, the Act now encompasses 11 critical infrastructure sectors, spanning some 22 separate critical infrastructure asset classes within those sectors,” he explained.
Christie stressed the importance of carefully assessing whether organisations may be subject to the SOCI Act’s obligations. “After the 2021 and 2022 amendments, the SOCI Act now applies to a significantly increased number of organisations that carry on, supply to or are connected to medium-to-large business activities operating in (or themselves supplying to) the 11 critical infrastructure sectors now subject to the SOCI Act,” he explained. He also noted that a surprisingly large number of entities remain unaware that their activities may be subject to the SOCI Act obligations and are genuinely surprised when advised that they are. “In particular, the Data Storage and Processing critical infrastructure sector is one that is not well understood and many providers to critical infrastructure clients or Government agencies are oblivious to the threshold test, how to determine if the SOCI Act applies and the requirements of this critical infrastructure sector.”
At the heart of the SOCI Act lie 3 ‘positive’ security obligations which may apply to critical infrastructure assets in the specified sectors. These obligations, when they apply, require organisations to register their critical infrastructure assets, report cybersecurity incidents and develop, and annually report on, a robust risk management program – a ‘suit of armour’ against cyber and other threats to critical infrastructure.
“The recent events have underscored the interconnectedness of our global digital ecosystems and organisations that may have previously not considered themselves subject to the SOCI Act should re-evaluate their potential exposure,” Christie advised.
As we navigate the labyrinth of the SOCI Act, Christie emphasised the importance of understanding what constitutes an ‘asset’ under its purview. “It’s not just physical infrastructure,” he explained. “Software, networks, data – even third-party cybersecurity solutions could be critical infrastructure assets under the Data Storage and Processing critical infrastructure sector.”
The recent events and other recent cyber incidents serve as a clarion call for all organisations to conduct a comprehensive assessment of whether they are subject to the SOCI Act and, if so, what their obligations under it are. Failure to comply with the Act’s requirements could expose an organisation to significant fines (levied on a daily basis) as well as legal and financial risks. This underscores the importance of expert guidance to navigate this complex regulatory landscape, mitigate the risks of non‑compliance and, more generally, address the risks posed by cyber and outage threats to critical infrastructure.
How can you determine if your organisation is subject to the SOCI Act, and what obligations are likely to apply?
This flowchart authored by Alec Christie is designed to help you determine, at a high level, whether your organisation or its assets may be subject to the SOCI Act.
Flowchart: Does the SOCI Act Apply to Your Organisation?