As the tech world progresses, concern around the potential impact of innovations like AI and the metaverse grows—how do businesses stay up-to-date and arm themselves against new digital threats? Well, the recent amendments to the Security of Critical Infrastructure Act (SOCI Act) work to do just that.
The SOCI Act changes heighten data security and risk management for a slew of new critical industries, working to hold companies accountable and provide a toolkit for staying safe in the digital age. But this movement towards data security didn’t come out of nowhere, rather it was triggered by a series of high-profile events across 2022.
What are the new amendments to the SOCI Act?
The Security of Critical Infrastructure Act (SOCI Act) was created in 2018, as a means of regulating and protecting Australia’s critical infrastructure. Then, with the introduction of Australia’s Cyber Security Strategy 2020, the SOCI Act was updated and expanded to further enhance data security and resilience. After consultation with industry and rounds of potential amendments, the full reforms were implemented in 2022 (Lander & Rogers, 2023).
The new measures outlined in the SOCI Act aim to protect critical infrastructure against potential cyber-attacks and other security breaches, emphasising the importance of proactive risk management strategies. The amendments also introduced a string of critical infrastructure sectors, bringing the total number of industries affected by the act up to 11. And companies in these newly added sectors have been given a deadline for SOCI Act compliance: 17 August 2023. But why is this so urgent? Why has Australia suddenly started cracking down on data security?
What spurred the heightening of data security regulations?
The amendments had been percolating in the background since 2020, but a swathe of high-profile data breaches made the process even more important—and ensured the regulations would be strict and comprehensive.
There have been almost three thousand recorded data breaches in Australia since the start of 2020, but two major incidents in particular propelled cyber security into the public eye (Fell, Liddy, and Piper, 2023). The first occurred in September 2022, when the telecommunications giant Optus was hacked and the personal details of 10 million current and former customers were stolen (Knight, 2023). This was quickly followed by the Medibank cyber-attack in October 2022, in which the data of 9.7 million customers was accessed, including sensitive information such as health claims detailing provider names and codes associated with diagnoses and procedures (Taylor, 2022).
And although these two catastrophic data hacks were the ones featured in media coverage, they weren’t isolated events—cyber-attacks aren’t a new problem. The Office of the Australian Information Commissioner (OAIC) has revealed that there have been multiple other unidentified large-scale breaches, one of which affected over 700,000 Australians (Fell, Liddy, and Piper, 2023).
How the SOCI Act changes respond to data security climate
In protecting Australians from the devastating effects of data hacks, the government couldn’t just focus on large companies like Medibank and Optus; it needed to ensure the security of companies across all 11 critical infrastructure sectors.
Every sector defined as ‘critical’ holds the sensitive data of many Australians and a data breach could have dramatic consequences—a problem some companies have already experienced. The SOCI Act’s critical sectors include industries like higher education, which experienced a cyber-attack at the Queensland University of Technology in December 2022 (Utting, 2023), healthcare, which is particularly vulnerable and reports the highest number of breaches (Redrup, 2022), and financial services—where a successful cyber-attack on a bank could destabilise the nation’s entire financial system (Koob, 2022).
The amendments to the SOCI Act address data security weaknesses across vulnerable industries, with strict new regulations ensuring companies are working on preventative measures. Companies are required to register critical infrastructure assets, report any cyber incidents, and create a Risk Management Program (RMP) which identifies and mitigates potential risks (Cyber and Infrastructure Security Centre, 2023).
Cyber security is a growing concern, with more reforms to come
Even as companies across the newly defined critical infrastructure sectors hurry to implement the SOCI Act regulations, experts and government officials say more change is necessary.
Home Affairs Minister Clare O’Neil, a vocal advocate for reforms, said that when the Optus and Medibank hacks occurred, “We were meant to have at our disposal a piece of law that was passed by the former government to help us engage with companies under cyber-attack. That law was bloody useless, not worth the ink printed on the paper when it came to actually using it in a cyber incident.” (Evans, 2023)
Amid this criticism, the federal government is looking at overhauling the current cyber security plan. It intends to establish a national cyber office under the Home Affairs Department, which will be run by a new coordinator for cyber security. Prime Minister Anthony Albanese also announced that the country’s security laws need to be rewritten. This will involve reforming the SOCI Act further to bring customer data and systems under the critical infrastructure umbrella, so the government has the power to intervene during significant data breaches. (Evans, 2023)
Evans, J. (2023, February 27). Federal government to rewrite cyber laws after Optus, Medibank hacks. ABC News. https://www.abc.net.au/news/2023-02-27/national-cyber-office-to-be-established-in-wake-of-optus-hack/102026156
Fell, J., Liddy, M., & Piper, G. (2023, March 28). This is the most detailed portrait yet of data breaches in Australia. ABC News. https://www.abc.net.au/news/2023-03-28/detailed-portrait-data-breaches-oaic-disclosures/102131586
Knight, B. (2023, April 21). Optus data breach class action launched for millions of Australians caught up in cyber attack. ABC News. https://www.abc.net.au/news/2023-04-21/optus-hack-class-action-customer-privacy-breach-data-leaked/102247638
Koob, S. (2022, October 6). Cyberattack on Australian bank could threaten financial system, but risk is low. The Sydney Morning Herald. https://www.smh.com.au/business/banking-and-finance/cyberattack-on-australian-bank-could-threaten-financial-system-but-risk-is-low-20221005-p5bng1.html
Redrup, Y. (2022, November 10). Millions caught in data breaches before Optus or Medibank. Financial Review. https://www.afr.com/technology/millions-caught-in-data-breaches-before-optus-or-medibank-20221109-p5bwsc
Cyber and Infrastructure Security Centre. (2023, March 23). Regulatory obligations. https://www.cisc.gov.au/legislative-information-and-reforms/critical-infrastructure/regulatory-obligations
Lander & Rogers. (2023). SOCI Act explained: Cyber security and critical infrastructure law reforms. https://assets.ctfassets.net/7bkqs8vgq34y/6RojKUv5ZkM50wIzn0BIOX/f69d8e61715496b4a21ac62a6c4a539a/SOCI_Act_Brochure_2022_20230426.pdf
Taylor, J. (2022, December 1). Medibank hackers announce ‘case closed’ and dump huge data file on dark web. The Guardian. https://www.theguardian.com/australia-news/2022/dec/01/medibank-hackers-announce-case-closed-and-dump-huge-data-file-on-dark-web