What's new

Updated 06 October 2022

On 5 October 2022 the Department of Home Affairs (DHA) formally launched the consultation on the draft Risk Management Program rules under Part 2A of the SOCI Act. The publication of the draft rules starts a mandatory consultation period that lasts until 18 November 2022.

While the draft rules are substantially similar to the draft rules included in the Explanatory Memorandum to the second SOCI bill, critical infrastructure responsible entities and operators should review the proposals and consider their application to, and impact on, their assets and operations. The consultation period provides affected entities with the opportunity to submit observations and request amendments to the rules in order to ensure that they are fit for use and achieve the security uplift objective. Should you wish to make any observations, our integrated team of SOCI and government risk experts would be happy to assist you in doing so.

Critical infrastructure assets proposed to be included are:

  • critical electricity assets
  • critical energy market operator assets
  • critical gas assets
  • critical liquid fuels assets
  • critical water assets
  • critical financial market infrastructure assets used in connection with the operation of payment systems
  • critical data storage or processing assets
  • certain critical hospitals
  • critical domain name systems
  • critical food and grocery assets
  • critical freight infrastructure assets
  • critical freight services assets
  • critical broadcasting assets

The risk management requirements, across all material risks and requiring specific (but not exclusive) focus on Cybersecurity, Supply Chain, Personnel and Natural Hazard risk domains, are significant and should not be underestimated. The rules provide for a six-month grace period before the risk management requirements will apply. For cybersecurity, there is then a further 12 months to achieve the required cybersecurity maturity level. Our Digital Operations Risk Advisory team would be happy to assist you and your organisation as you design your operational risk management program.

In parallel, DHA has also published multiple draft guidance documents for consultation:


What to know

What's next

Following completion of the consultation period on 18 November 2022, the Minister for Home Affairs must consider the observations submitted by industry participants and may amend the rules as a result. Once finalised, the Minister for Home Affairs can then issue and register the rules. This will start the clock ticking for the six-month grace period, following which the risk management requirements will be in force. Affected responsible entities will need to ensure that their risk management programs are live and meet the requirements by this time, likely 1 July 2023.
