


      Critical infrastructure protection explained

      The Security of Critical Infrastructure Act 2018 (SOCI Act) is a framework for managing critical infrastructure security in Australia.

      Designed to uplift Australia’s critical infrastructure protection, successive changes to the SOCI Act put requirements on responsible entities across 11 critical sectors.

      Drawing on experience across legal, risk, cyber, supply chain, asset management and infrastructure, KPMG offers comprehensive support to help you navigate the interconnected complexities of SOCI compliance, stay on top of evolving risks, and strengthen your organisation’s security and resilience culture.



      SOCI Act: insights and facts

      Between the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) that came into effect in December 2021, and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP) that came into effect in April 2022, the Australian Government has expanded the SOCI Act to promote improved preparedness and resilience of critical infrastructure assets in Australia. 

      The SOCI framework includes:

      • Positive Security Obligations (PSO) 
      • Government assistance measures 
      • Enhanced Cyber Security Obligations (ECSO)

      SOCI Act: Key compliance dates


      • Earlier

        Grace periods have ended for reporting cyber incidents, registering ownership and operational information and meeting CIRMP obligations. These are now mandatory.

      • 17 August 2024

        Conclusion of the grace period for achieving cyber security requirements against a recognised framework (AESCSF, NIST, ISO 2700X, E8) or equivalent.

      • 28 September 2024

        The first annual report was due (within 90 days of 30 June 2024).

      How KPMG can help

      With requirements differing across sectors and entities, there is no cookie-cutter approach to SOCI compliance. Genuinely delivering on the SOCI Act’s intent involves adapting and bringing common concepts and services together in a new way.

      Understand

      Monitor your obligations and master the basics

      • Assess your cyber maturity and identify risk scenarios
      • Provide actionable strategies to address the fundamentals
      • Brief your board
      • Establish annual reporting processes

      Act

      Uplift to meet SOCI requirements

      • Implement, review and/or update your CIRMP
      • Provide advice on your approach
      • Build incident response and asset upgrade plans
      • Assess your security and physical risk posture
      • Meet SoNS requirements

      Transform

      Leverage critical infrastructure protection

      • Embed a security culture across your organisation
      • Integrate critical infrastructure requirements into your wider control environment and transformation activities
      • Use SOCI alignment for a competitive edge

      Are you an operator of critical infrastructure?

      Download our factsheet to explore six facts about SOCI.


      Critical infrastructure reforms

      Six facts you need to know

      SOCI Act 2018 FAQs

      SOCI aims to ensure critical infrastructure assets and services across 11 sectors are protected and resilient to disruptions that would severely impact Australia’s society, economy, and security. The SOCI Act reflects how important critical infrastructure is to Australia, the potential for cascading consequences, and the public’s expectation that the government will be able to respond to emergencies.

      SOCI applies to 22 asset classes across 11 sectors of the economy:

      • communications
      • data storage and processing
      • defence industry
      • higher education and research
      • energy
      • financial services and markets
      • food and grocery
      • healthcare and medical
      • space technology
      • transport
      • water and sewerage.

      Not all obligations have been ‘switched on’ for every sector, so it is important to make sure you check the relevant obligations for your asset class.

      The SOCI Act is aimed at bolstering security, particularly cyber security, across 11 critical infrastructure sectors in Australia. It does this through a framework with the following components:

      Positive Security Obligations (PSO)

      • Register of Critical Infrastructure Assets
      • Mandatory Cyber Incident Reporting
      • Critical Infrastructure Risk Management Program

      Government assistance measures

      • Information gathering directions
      • Action directions
      • Intervention request

      Enhanced Cyber Security Obligations (ECSO) for Systems of National Significance

      • Incident Response Plans
      • Cyber Security Exercises
      • Vulnerability Assessments
      • Provision of System Information

      Under the SOCI Positive Security Obligation, responsible entities in 13 asset classes (listed on page 2 of the CISC Fact Sheet – Overview of SOCI Obligations (PDF 560KB)) must have a Critical Infrastructure Risk Management Program (CIRMP) that outlines and maintains their processes and systems to identify hazards and mitigate potential risks. A CIRMP needs to take an ‘all hazards’ approach across 4 key vectors: physical security and natural hazards; personnel hazards; supply chain hazards; and cyber security and information security hazards.

      Non-compliance with critical infrastructure security legislation can result in legal proceedings, significant penalties and reputational damage.

      Failing to comply can expose responsible entities to cyber security incidents with major impacts on their organisation and national security.

      There is no legal basis to be granted an extension for submission of the CIRMP 28 September 2024 Annual Report deadline. However, the Cyber and Infrastructure Security Centre (CISC) has strongly encouraged any entities that won’t be compliant to engage with them directly. The CISC is particularly interested in understanding any barriers or roadblocks, and what your plan for compliance looks like. Contact KPMG if you would like to discuss your situation.

      Your CIRMP Annual Report must be submitted via the approved form available on the CISC website. Responsible Entities must complete the form within 90 days of the end of the financial year, i.e. by 28 September 2024. The Annual Report must be approved by your Entity’s board, council or other governing body. KPMG can provide support with this process.

      Meet KPMG's SOCI Act specialists


      Need help meeting critical infrastructure protection requirements?

      KPMG can help you assess, implement and leverage SOCI Act compliance. Please fill out the form below and our team will be in to