SOCI Law: 4 Ways to Protect Your Business with Cybersecurity

The threat of cyberattacks on businesses continues to grow, and governments are cracking down on it. This means that companies need to take steps to ensure that their systems are secure, not only for their own sakes, but also to satisfy corporate watchdogs.
Andrew Truswell

First things first — What is the SOCI Law?

With the uptick of cybersecurity threats and attacks on companies, the government has now recognised the importance of cybersecurity infrastructure in the country. Its response? The SOCI Law, or the Security of Critical Infrastructure Act 2018 (Cth), which places obligations on organisations to report cybersecurity incidents affecting critical infrastructure assets to the government.

Critical infrastructure assets may include those assets that are essential to broadcasting, financial markets, hospitals, food and grocery, education, freight, energy, gas, water, and aviation. Other sectors not specified in the SOCI Law are nevertheless encouraged to voluntarily report incidents.

1. Cybersecurity and Infosec go hand in hand. You need an Information Security Policy.

An effective information security policy will help protect your company against potential threats. It will also provide guidelines for employees regarding cyber security and infosec best practices.

The policy should include a mechanism to identify and report:

  • unauthorised access to, or modification of, computer data or a computer program;
  • unauthorised impairment of electronic communications to or from a computer;
  • unauthorised impairment of the availability, reliability, security or operation of a computer, data or a program; and
  • the details of the cyber security incident, such as how it was discovered, the nature of the incident (e.g. ransomware or denial of service), whether it affects information technology, operational technology or consumer data, whether the incident has been reported elsewhere, and any other relevant information.

It is important to draft these policies with the changing regulatory landscape in mind. Australia is currently lagging behind the world in terms of regulating this space, but it is catching up. Moreover, if you intend to operate as a global tech company, your policies should meet the global standard. You can talk to one of our data, privacy and infosec experts to see where the gaps are in your legal position.

2. Give Cybersecurity Awareness Training to Employees.

Data security is an ongoing process, not just a one-time event, and companies with critical assets should not merely rely on a cybersecurity and infrastructure security agency.

It requires constant vigilance and training. Companies need to train their employees about how to protect themselves against cyberattacks. They also need to educate them about how to identify an incident when it’s occurring. Like any disease, early detection is key.

This is also important because cyber security incidents need to be reported at the exploitation phase, regardless of whether you have implemented any prevention or mitigation action. The exploitation phase is when the availability, confidentiality and integrity of networks and network data has been or could be impacted. This is also the phase in which companies will typically commence incident response processes.

3. Conduct Regular Audits.

A good first step towards improving your company’s cybersecurity is conducting regular audits. This will help you identify any weaknesses in your current system and make sure you’re taking steps to correct them. You should conduct these audits at least once per year.

4. Assess your contractual risk and ensure SOCI compliance across your whole ecosystem

If you own a business with customers or clients, you need to understand how cyberattacks affect your whole vertical. The SOCI Law requires companies to take a holistic view of their environment and systems to assess risk. You are ultimately on the hook for a cyber incident within your suppliers or service providers that impacts your critical infrastructure assets.

Depending on the gravity of the impact to your business, you are required to notify the Australian Cyber Security Centre (ACSC) within 12 or 72 hours of becoming aware of the incident. Therefore, it is important that you require your suppliers and service providers to notify you of any cyber incident within that timeframe.

The SOCI Law has identified two categories of impact: Relevant and Significant.

A Relevant Impact is an impact on the availability, integrity, reliability or confidentiality of the asset. For example, a cyber security incident might impact a bank’s information technology (e.g. corporate network) in a manner that could expose information about the asset, but not impact the provision of banking services. Cyber security incidents that result in a Relevant Impact require notification within 72 hours of becoming aware.

A Significant Impact is one where the incident has materially disrupted the availability of essential goods or services delivered by the asset. For example, an incident might affect an electricity asset’s operational technology which impacts the generation, transmission or distribution of electricity. In such a case, notification is required within 12 hours of becoming aware.

Talk to an expert

Biztech Lawyers was founded to address the need for specialist technology lawyers who could act as outside counsel in assisting tech businesses with their commercial legal needs. We pride ourselves in understanding the complexities and needs of tech-driven business unlike other legal partners, and boast deep practical experience gained from top-tier law and strategy consulting, and from operational and leadership roles in scaling some of the world’s most exciting startups.

With offices in Australia and the United States, Biztech has a unique legal and operations skillset, including in cybersecurity and infosec law as well as data and privacy law. As members of the Tech Council of Australia, the peak body for industry, we understand the changing regulatory landscape, and are best placed to assist and advise you on legal strategy.

In need of legal support from a tech lawyer? Get in touch now to see how we can help.

Andrew Truswell
PARTNER - DATA & PRIVACY | AVIATION TECH
Andrew has focussed his practice on the intersection between aviation and technology with a specific focus on Data (Privacy and Cyber), Information Technology (Cloud, SaaS, Infrastructure, Outsourcing and IP), and Insurance (Aviation, PI & Cyber). Andrew has advised airlines like JetAsia and Qantas Airways, and market leading travel sector technology provider, Amadeus. During this period, Andrew was exposed to passenger system (PSS) and Distribution (GDS and NDC) transactions with many leading airlines, including managing data protection and cyber risks.
While Biztech Lawyers has used reasonable care and skill in compiling the content of this article, we make no warranty as to its accuracy or completeness. This article is only intended to provide a general guide to the subject matter and is not intended to be specific to the reader’s circumstances. This article is not intended to be comprehensive, it does not constitute and must not be relied on as legal advice, and it does not create a client-solicitor relationship between any user or reader and Biztech Lawyers. We accept no responsibility for any loss which may arise from reliance on the information contained in the article. You should undertake your own research and seek professional advice before making any decisions or relying on the information provided.