Security of Critical Infrastructure reforms: Impact on the life sciences and pharmaceutical sector

How has the SOCI Act been reformed?

Companies within the pharmaceutical industry may be included in the expanded scope of the SOCI Act that now includes the health care and medical sector (Medical Sector), which includes entities that provide health care or produce, distribute or supply therapeutic goods. The pharmaceutical industry or its research partners may also be included in the higher education and research sector (Research Sector), which is the sector of the Australian economy that involves undertaking Commonwealth-supported research programs critical to a Sector, national security or the defence of Australia.

Broadly, the amended SOCI Act applies to two levels of infrastructure assets:

• critical infrastructure assets (CIAs), which are assets specifically defined by the SOCI Act; and
• critical infrastructure sector assets (CISAs), which are any assets related to a Sector.

This means that the SOCI Act is likely to affect a company in the pharmaceutical industry if it is in the Medical Sector or the Research Sector and it has operational control or ownership of a CIA or a CISA.

What obligations arise under the SOCI Act?

The SOCI Act imposes a range of potentially onerous obligations that may apply to responsible entities for CIAs, if they have been ‘switched on’ by the application rules (see table below), including obligations to: 

• register CIAs with the Department of Home Affairs;
• notify the Commonwealth of critical cyber security incidents which impact the availability, integrity, reliability or information security of CIAs within 12 hours of becoming aware of the incident; and 
• create and implement an all hazards risk management program (RMP) for the CIA that accounts for cyber security, natural disasters, physical security, personnel and supply chain hazards.

The SOCI Act also empowers the Minister for Home Affairs to authorise ‘Government Assistance’ powers to intervene directly with CIAs and CISAs in the event of a critical cyber security incident affecting national security or the defence of Australia.

What is the impact on the pharmaceutical industry?

CIAs within the Medical Sector are hospitals that contain general intensive care units, while CIAs in the Research Sector are universities owned or operated by registered entities on the National Register of Higher Education Providers.  However, CISAs include assets related to a Sector.  This means that companies in the pharmaceutical industry are very likely to be controlling entities for CISAs.

The Home Affairs Minister has authority to declare assets to be CIAs or Systems of National Significance (SoNS).  This means that companies in the pharmaceutical industry may become responsible entities for CIAs or SoNS by government fiat.  

Finally, due to the broad scope of the SOCI reforms, it is likely that companies in the pharmaceutical industry will be interacting with responsible entities for CIAs.  This means that there may be flow-down obligations affecting the industry, including in relation to issues such as supply chain resilience and cyber security risks.

What should you do next?

The SOCI Act reforms are intended to ‘uplift’ the Australian economy in respect of its resilience and responsiveness to a range of risks, including cyber security.  Companies operating in the expanded Sectors should assess the application of these legislative reforms to themselves and their business.  This may require enhanced compliance coverage of new SOCI obligations that now apply to affected entities.

These reforms clearly demonstrate the Commonwealth Government’s focus on risk management and operational resilience across Australian critical infrastructure.  Whether or not the SOCI reforms have a direct impact on the pharmaceutical industry, it may be prudent for companies to undertake operational resilience reviews, including of their business continuity plans, disaster recovery plans and protocols for responding to cyber security incidents.  For example, pharmaceutical industry companies could undertake a gap analysis against the RMP requirements, such as supply chain robustness.  

We would be happy to discuss these issues in more detail or to advise on any next steps.