It’s been a tough few years for universities—with the pandemic stemming the flow of international student fees and adding to the financial pressures caused by consistent funding cuts. And after a string of high-profile data breaches, the government is cracking down on data security and risk management, which means new responsibilities for an already overwhelmed higher education sector.
Under new amendments to the SOCI Act, universities are now considered part of a ‘critical infrastructure’ sector and must comply with the related regulations.
What are the changes to the SOCI Act and which higher education providers are affected?
In 2022, the Security of Critical Infrastructure Act (SOCI Act) 2018 was amended to ‘strengthen the security and resilience of critical infrastructure’, broadening the number of sectors affected to include 11 critical industries (Cyber and Infrastructure Security Centre, 2023). If your company is part of one of these newly included sectors, then you have been given a six-month grace period to comply with the regulations outlined in the SOCI Act—this began on 17 February and comes to a close on 17 August 2023.
Higher education providers are considered part of a critical sector if they are a university that is ‘owned or operated by an entity that is registered as an Australian university on the National Register of Higher Education Providers’ (Cyber and Infrastructure Security Centre, 2023).
How can higher education providers comply with the requirements?
Once you’ve determined whether the new SOCI Act regulations affect you, then you can move on to implementing the required changes. The 2022 amendments have introduced three main requirements for higher education providers:
- Register the operational, ownership, interest, and control information of your critical infrastructure assets with the government.
- Report cyber security incidents and events, both critical and non-critical, through the Australian Cyber Security Centre’s online reporting portal (Cyber and Infrastructure Security Centre, 2023).
- Develop a Risk Management Program (RMP) to identify and mitigate hazards that are risks to the availability, integrity, reliability, or confidentiality of your critical asset.
The RMP is the most challenging requirement you’ll have to implement before the 17 August 2023 deadline. Higher education providers must take a holistic and proactive approach, taking all ‘reasonably practicable’ measures to prevent and mitigate risks that could have a ‘relevant impact’ on their critical asset. You must also review the RMP on a regular basis and provide an annual report to the government (Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, 2022).
Pushback from universities across Australia
When the changes to the SOCI Act were first proposed and universities around the country learnt of the potential requirements, the response was quite unfavourable. Universities Australia (UA), the peak body for the higher education sector, made a submission to the Protecting Critical Infrastructure and Systems of National Significance consultation in 2020—this was when the government was accepting feedback concerning the changes.
Universities Australia argued that the sector was struggling due to the loss of international student fee revenue from the pandemic and the slow withdrawal of government funds over time. They stated that universities were under extreme financial pressure and ‘In this environment, additional regulatory burden on the sector will be acutely felt’. (Submission to the Protecting Critical Infrastructure and Systems of National Significance Consultation, 2020)
In 2022, Curtin University was one of many organisations that applied to be made exempt from the SOCI Act regulations. The university explained that the cyber security incident reporting would require it to report over 900 non-critical incidents per year, which would involve time-consuming manual processes. Curtin stated that it didn’t ‘believe this to be risk proportionate and would only serve to increase resource requirements on both Curtin and the Government reporting body to submit and review each of these incidents’ (SOCI Act Application Rules and 2022 Bill Feedback, 2022).
2022 data breach at Queensland University of Technology (QUT)
It seems as though these requests for exemption and changes to the SOCI Act were largely dismissed by the government, as all universities are still required to meet the regulations. And although time-consuming, improvements to risk management and security are necessary to avoid circumstances like those witnessed in the 2022 Queensland University of Technology (QUT) data breach.
Last December, campus printers at QUT began to spew bulk ransomware notes, revealing that the university was under cyber-attack. The notes threatened to share the university’s private data on the dark web unless the ransom was paid, and QUT responded by immediately shutting down some of its IT systems as a precaution. But it was January 2023 by the time the university released the full numbers of staff and students impacted. A total of 11,405 people, including 2,492 current university staff and 8,846 former staff, had their personal data compromised, with 3,820 tax file numbers breached in the attack.
Since the attack, QUT vice-chancellor Professor Margaret Sheil said the university has found the ‘particular vulnerability’ in their system and that they’ve addressed it. A university spokesperson also stated that there has been no evidence of criminal activity with the stolen data.
Professor Sheil said, “Can I be confident that we won’t be subject to further attacks? I can’t, I can never be that confident. They are very active, these kinds of criminals, and we are not the only ones being targeted.” (Utting, 2023)
Penalties for non-compliance
Universities have a responsibility to their staff and students to protect their private data and to work to avoid situations like the one the Queensland University of Technology experienced. However, it’s not just the real-life ramifications that can follow non-compliance: higher education providers who don’t meet the requirements by the deadline will be penalised.
The main requirement is that you must create and maintain a Risk Management Program. If you don’t do this, or you don’t meet the related obligations, you will receive 1,000 penalty units ($275,000) per day until you meet the requirements. You must also meet the annual reporting requirement for your RMP; if you fail to do so, there will be a penalty of 750 penalty units ($206,250) per day (Clyde & Co, 2023).
References
Clyde & Co. (2023, February 27). Critical Infrastructure Update: Risk management program obligations under the SOCI Act now ‘turned on’. https://www.clydeco.com/en/insights/2023/02/critical-infrastructure-update-risk-management-pro
Cyber and Infrastructure Security Centre. (2023, March 23). Regulatory obligations. https://www.cisc.gov.au/legislative-information-and-reforms/critical-infrastructure/regulatory-obligations
Cyber and Infrastructure Security Centre. (2023, March 23). What the changes mean for me. https://www.cisc.gov.au/legislorms/critical-infrastructure/what-the-changes-mean-for-me
Security Legislation Amendment (Critical Infrastructure Protection) Act 2022. (2022). Cyber and Infrastructure Security Centre. https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/cisc-factsheet-security-legislation-amendment-critical-infrastructure-protection-act-2022.pdf
SOCI Act Application Rules and 2022 Bill Feedback. (2022, January 31). Department of Home Affairs. https://www.homeaffairs.gov.au/reports-and-pubs/files/security-legislation-amendment-bill-2022-exposure-draft/curtin-university.pdf
Submission to the Protecting Critical Infrastructure and Systems of National Significance Consultation. (2020, September). Universities Australia. https://www.universitiesaustralia.edu.au/wp-content/uploads/2020/11/200916-Universities-Australia-Critical-Infrastructure-submission.pdf
Utting, A. (2023, February 3). More than 11,000 employees, students and former staff affected by cyber attack, QUT says. ABC News. https://www.abc.net.au/news/2023-02-03/qut-cyber-attack-university-staff-students-affected/101929302