
Amendments to the SOCI Act: Another step forward in the 2023-2030 Australian Cyber Security Strategy

Snapshot of proposed changes to the Security of Critical Infrastructure Act 2018, designed to enhance Australia’s cyber resilience and protect critical infrastructure.

Further to our article Navigating Australia’s evolving cybersecurity landscape: 4 key features of the new Cyber Security Bill 2024, which provides a snapshot of the proposed legislation introduced by the Federal Government on 9 October 2024, another set of proposed changes to the Security of Critical Infrastructure Act 2018 (SOCI Act) was also introduced to the Federal Parliament on the same day. These amendments are captured in the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024.

Together, these reforms are designed to bolster the security of critical infrastructure against cyber threats for Australian organisations, and reflect the Government’s commitment to the implementation of its broader cyber security strategy.

Key features of the 2023-2030 Cyber Security Strategy

The 2023-2030 Australian Cyber Security Strategy announced last year aims to significantly enhance the resilience and security of critical infrastructure in Australia. Some of the key impacts include the following:

  1. Stronger regulations: The introduction of a standalone Cyber Security Act will enforce mandatory reporting of ransomware payments and set minimum security standards for smart devices, ensuring that critical infrastructure entities adhere to higher security protocols.
  2. Expanded scope of protection: The strategy broadens the definition of “critical infrastructure” to include data storage systems, meaning that entities must now protect these systems as part of their overall security obligations. This addresses vulnerabilities that could be exploited by cyber threats.
  3. Enhanced government powers: The Government will have increased authority to intervene during significant incidents, which extends to include incidents not directly related to cyber threats. This allows for a more coordinated response to significant crisis situations affecting critical infrastructure.
  4. Improved incident response: The strategy facilitates better collaboration between the Government and industry experts during incidents, allowing for more efficient flow and sharing of information and resources. This is crucial for managing the aftermath of data breaches or other critical disruptions.
  5. Focus on risk management: Entities will be required to enhance their Critical Infrastructure Risk Management Programs, ensuring they proactively identify and mitigate risks to their assets.
  6. Cross-industry collaboration: The strategy encourages collaboration across different sectors, fostering a unified approach to cyber security that can better protect critical infrastructure from diverse threats.

Proposed reforms to the SOCI Act

If and when the new Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 passes, there will be five major updates to the SOCI Act, all of which are focused on improving resilience and defences against cyber incidents across Australian organisations.

The key proposals include:

  1. Data storage protections: Data storage systems linked to critical infrastructure will now be included under the SOCI Act, meaning they must meet the same security obligations as the infrastructure itself. This is a shift away from the current legislative approach, which is predominantly focused on cloud and data storage service providers.
  2. Crisis collaboration: The definition of "protected information" will be updated to allow for better sharing of information during crises, based on a harms assessment. This means entities can disclose information if it does not pose a risk to security or public interest.
  3. Government powers: The Government plans to expand its authority to respond to serious incidents affecting critical infrastructure, which will extend to include incidents that are not strictly cyber-related. This aims to provide enhanced support for businesses in managing their response to incidents which may have a “relevant impact” (as defined under the new legislation) on critical infrastructure assets.
  4. Risk management programs: The Government will gain the authority to direct entities to improve their Critical Infrastructure Risk Management Programs if they are found to have serious deficiencies which could pose a risk to national security.
  5. Consolidation and simplification: Some obligations from the Telecommunications Act 1979 will be merged into the SOCI Act, and reporting requirements for certain systems will be streamlined.

Overall, these changes aim to enhance Australia’s cyber resilience and ensure critical infrastructure is better protected against evolving threats.

Learn more

We encourage you to stay informed and prepared as these significant reforms take shape. Marsh is well-equipped to assist organisations in navigating the evolving cyber risk landscape and regulatory environment. With expertise in cyber risk management and insurance solutions, we can help your business thrive in the digital economy by enhancing your cyber resilience and developing robust frameworks and strategies to mitigate potential threats. If you have any questions about the Government’s implementation of its cyber security strategy and how it may impact your business, please contact one of our cyber specialists.

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and any analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change.

LCPA 24/584