What's new

Updated 06 October 2022

On 5 October 2022 the Department of Home Affairs (DHA) formally launched the consultation on the draft Risk Management Program rules under Part 2A of the SOCI Act. The publication of the draft rules starts a mandatory consultation period that lasts until 18 November 2022.

While the draft rules are substantially similar to the draft rules included in the Explanatory Memorandum to the second SOCI bill, critical infrastructure responsible entities and operators should review the proposals (here) and consider the application to and impact on their assets and operations. The consultation period provides affected entities with the opportunity to submit observations and request amendments to the rules in order to ensure that they are fit for use and achieve the security uplift objective. Should you wish to make any observations our integrated team of SOCI and government risk experts would be happy to assist you in doing so.

Critical infrastructure assets proposed to be included are:

  • critical electricity assets
  • critical energy market operator assets
  • critical gas assets
  • critical liquid fuels assets
  • critical water assets
  • critical financial market infrastructure assets used in connection with the operation of payment systems
  • critical data storage or processing assets
  • certain critical hospitals
  • critical domain name systems
  • critical food and grocery assets
  • critical freight infrastructure assets
  • critical freight services assets
  • critical broadcasting assets

The risk management requirements, across all material risks and requiring specific (but not exclusive) focus on Cybersecurity, Supply Chain, Personnel and Natural Hazard risk domains, are significant and should not be underestimated. The rules provide for a six-month grace period before the risk management requirements will apply. For cybersecurity, there is then a further 12 months to achieve the required cybersecurity maturity level. Our Digital Operations Risk Advisory team would be happy to assist you and your organisation as you design your operational risk management program.

In parallel, DHA has also published multiple draft guidance documents for consultation:

 

What to know

Risk Advisory-Cybersecurity-finger print-thumb-personal-identification

Publication

SOCI Act - Engagement on critical infrastructure reforms

We write to inform you about recent developments which may affect your obligations arising under the Security of Critica...

October 10, 2022

purple waves

Publication

Telco update: What you need to know about the new cybersecurity reporting rules and how they interface with SOCI

What you need to know about the new cybersecurity reporting rules and how they interface with SOCI

July 08, 2022

Key board

Publication

Starting gun fired in race to uplift Australia’s infrastructure security

The second tranche of anticipated amendments to the Security of Critical Infrastructure Act (2018) was passed by the Par...

April 04, 2022

Purple keypad

Publication

Are you critical? Amendments to the Security of Critical Infrastructure Act

Significant changes to the law with respect to security of critical infrastructure in Australia, including enhanced cybe...

December 01, 2021

Technology-innovation-codie-binomial-AdobeStock_309311052

Publication

B1 and B2: separating the SOCI regulatory regime

On 29 September 2021, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) published its Advisory Repo...

October 13, 2021

Red zigzag

Publication

With greater risk comes greater responsibility: What amendments to the SOCI Act may mean for you

On March 28 this year, Nine Entertainment (NEC), the broadcaster and publisher, was the victim of a sophisticated cyber-...

May 26, 2021

What's next

Following completion of the consultation period on 18 November 2022, the Minister for Home Affairs must consider the observations submitted by industry participants and may amend the rules as a result. Once finalised, the Minister for Home Affairs can then issue and register the rules. This will start the clock ticking for the six-month grace period, following which the risk management requirements will be in force. Affected responsible entities will need to ensure that their risk management programs are live and meet the requirements by this time, likely 1 July 2023.

Related articles

Proposed new APRA Prudential Standard will impact technology procurement

On 28 July 2022, APRA announced that it is consulting on a new cross-industry Prudential Standard, CPS 230, designed to strengthen the management of operational risk in the banking, insurance and superannuation industries.

Publication | August 03, 2022

Was RI Advice a watershed for cybersecurity law in Australia or a damp squib?

We distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd.

Publication | May 20, 2022
Are directors’ duties in need of a cyber-uplift?

Are directors’ duties in need of a cyber-uplift?

In support of its goal of establishing Australia as a leading digital economy by 2030, the Australian Government has recently launched a public consultation outlining options for regulatory reforms aimed at increasing Australian business’ investment in cybersecurity.

Publication | July 27, 2021

Cyber Security and Government use of cloud

Michael Doyle provides the ins and outs of cybersecurity and cloud computing in the Commonwealth Government context.

Publication | May 13, 2021
Microsoft Email Server Hack: What Boards need to know

Microsoft Email Server Hack: What Boards need to know

The Hafnium exploit of Microsoft Exchange Servers is a global cybersecurity event requiring organisations to patch and examine potentially affected systems.

Publication | March 19, 2021
Australian Government ‘levels up’ its Cyber Security Strategy in a dangerous threat landscape

Australian Government ‘levels up’ its Cyber Security Strategy in a dangerous threat landscape

In 2016, the Australian Government proposed an overhaul of the cyber-security strategy (2016 Cyber Strategy) which was the first update to the nation’s cyber-security since 2009.

Publication | August 18, 2020
The cybersecurity standards set to impact every Australian business and director

Australia: Cybersecurity standards set to impact every business

The Australian Prime Minister announced a new Cyber Enhanced Situational Awareness and Response (CESAR) Package on 30 June 2020.

Publication | August 13, 2020
Wilful blindness no more: The macro and micro impact of cybersecurity breaches and the imperative for all entities to act now

Australia: The impacts of cybersecurity breaches and the imperative to act now

While some have argued that there is need for legislated minimum cybersecurity standards to bring greater certainty to this evolving risk, we believe that endeavour would be diversionary. It would provide directors with a false sense of comfort and an opportunity to treat cybersecurity as another ‘tick the box’ exercise, without properly considering and managing the unique risks specific to their own operations.

Publication | June 12, 2020

Practice areas:

Industry:

Contacts

Scott Atkins
Scott Atkins
Australian Chair and Global Co-Head of Restructuring
Email
scott.atkins@nortonrosefulbright.com
T: +61 2 9330 8015
Nick Abrahams
Nick Abrahams
Global Co-leader, Digital Transformation Practice
Email
nick.abrahams@nortonrosefulbright.com
T: +61 2 9330 8312
Rajaee Rouhani
Rajaee Rouhani
Partner
Email
rajaee.rouhani@nortonrosefulbright.com
T: +61 3 8686 6239
Peter Mulligan
Peter Mulligan
Partner
Email
peter.mulligan@nortonrosefulbright.com
T: +61 2 9330 8562
Ka-Chi Cheung
Ka-Chi Cheung
Partner
Email
kachi.cheung@nortonrosefulbright.com
T: +61 3 8686 6665