Penalties for non-compliance with the SOCI Act

October 14, 2025 • Resource
Posted by
Mitchell Loughlan, Director - Risk & Resilience

The Security of Critical Infrastructure Act 2018 (the Act / SOCI) is a legislative framework for managing risks relating to critical infrastructure. The Act aims to improve the transparency of ownership and operational control of critical infrastructure, to facilitate cooperation and collaboration between all parties involved in identifying and managing risks, to impose enhanced cyber security obligations on relevant entities, and more.

Within SOCI, the Australian government has introduced civil and criminal penalty provisions applicable to both persons and corporations. These cover the core foundations of the Act and are seen as the ‘non-negotiables’ from a compliance perspective. The enforcement options available for non-compliance under SOCI are not dissimilar to those we have seen historically across the financial services sector for sustained governance, risk and compliance failures. It should also be noted that Australia is currently the only country with legislation and subsequent penalties of this nature.

There are a number of key organisational failures that may give rise to penalties under SOCI, including:

  • Failing to notify the CISC of a cyber security incident;
  • Failing to have a critical infrastructure risk management plan;
  • Failing to comply with the entity’s critical infrastructure risk management plan;
  • Failing to provide the CISC with information pertaining to the asset by the responsible entity within the required timeframe.

This list is not exhaustive; however, each of these failures gives rise to financial penalties under the Act for individuals and corporations respectively, with the latter facing penalties five times greater. In practice, individuals can be fined between $16,500 and $82,500, while for corporations the range multiplies to between $82,500 and $412,500. Financial penalties under SOCI are tied to penalty units and will adjust as the Commonwealth penalty unit is revised from time to time.

Other financial penalties apply where an entity fails to provide the necessary information, and there are further penalties specific to telecommunications entities.

The penalties open to the regulator under SOCI are not limited to financial consequences: enforceable undertakings and injunctions are also available depending on the severity of the breach. These are complemented by the regulator’s monitoring and inspection powers.

There is collective strength in industry-wide compliance with SOCI and, in turn, in resilience. To this end, it is important to understand that the regulator is currently prioritising bringing every Australian critical infrastructure owner and operator along on the journey to uplift their enterprise risk and resilience practices, rather than seeking out opportunities to enforce penalties.

Notwithstanding this, it is important to understand that the penalties under SOCI are real, and the longer the Act is in force, the shorter the timeline becomes until the regulator takes action against an entity. While becoming compliant may be an expensive exercise in some instances, a failure to develop a compliant Critical Infrastructure Risk Management Plan may in turn cost a company more than triple what it would have cost to become compliant in the first instance. Add to this the potential cost of an incident, including any subsequent penalties and uplift requirements, and the total will far exceed the initial and ongoing compliance cost.

Navigating the complexities of the SOCI Act can be challenging, particularly as obligations evolve and enforcement expectations increase. Ensuring your organisation’s Critical Infrastructure Risk Management Plan (CIRMP) meets the required standards is not only essential for compliance but also for long-term resilience and operational continuity.

If your organisation is unsure where to start or needs assistance reviewing its readiness, our SOCI compliance experts can help. We provide tailored advisory and assurance services to support you through every stage of your SOCI journey, from readiness assessments to risk management program development.

Speak with our SOCI specialists today to ensure your business is compliant and resilient for the year ahead.


Thales Cyber Services ANZ is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.