
Business critical: Is your organization SOCI compliant?


Steve Smith | August 1, 2024

The clock is ticking for Australia’s amended Security of Critical Infrastructure Act (SOCI), with a deadline of August 11, 2024, for the implementation of the new legislation. This leaves staffing firms that place talent into critical infrastructure in the country with just a few months to prepare for the new regulations. As we get closer to the deadline, it is important to identify the key Positive Security Obligations (PSOs) for the companies whose assets fall inside the scope of the critical infrastructure regulations and who must ensure that they have suitable governance, identification and protection mechanisms in place to mitigate risk.

It is important not to forget that the Australian government introduced the legislation back in 2018 — subsequently amended in 2021 and 2022 — so this is not new. One of the key changes to the legislation was the expansion from four to 11 industry sectors (and 22 asset classes), covering industries such as financial services and markets, space technology and defense as well as data storage and processing. While all these sectors are linked given the security risks at play, there are different tiers depending on company size and risk levels, so not all companies will have to comply.

The Responsible Entities and Direct Interest Holders that need to meet regulatory obligations must demonstrate that they have robust plans and measures in place to counter any potential hazards that could pose a threat to the nation’s security. The first of the triumvirate of statutory requirements is an Information Provision PSO, with impacted organizations having to register their critical assets with the federal government, alongside details of how these will be managed and their scope. They must also provide any subsequent updates of new assets as and when these are added.

Given the ever-growing frequency of security risks across the globe, it won’t come as a surprise to learn that there is also a Mandatory Cyber Incident Breach Notification PSO whereby organizations must notify the Australian Cyber Security Centre (ACSC) of any incident immediately by phone, on the reporting portal and in writing. And for the Risk Management Plan PSO, organizations have to outline how they intend to identify risks and mitigate hazards under four key pillars: supply chain hazards, cyber and information hazards, physical hazards and personnel hazards.

Spotting the People Risk Factor Early

It is worth noting that personnel hazards — the risks posed by employees — are a significant part of the legislation and should not be underestimated, for it is individuals who have access to the information and systems that underpin security and safeguarding. This is why it is so important that every critical role and job holder is carefully scrutinized, with a robust risk-based approach applied. Employees must be screened and re-screened with thorough background checks on their previous history to unearth any red flags. This applies both to expats and to those moving back to Australia.

Another important point to take into account is that every organization is different and so are the roles in question. For example, for jobs in financial services and banking, checking a person’s financial past for evidence of fraud and carrying out credit references is vital. Clearly, checks must be tailored to your industry and link back to the risk management plan. Verification of identity is also absolutely essential to ensure that the individual is who they say they are. Digital ID checks are now very advanced thanks to sophisticated facial recognition and “liveness” detection technology.

Australian staffing companies and those with subsidiaries in the country must ensure that they have their plans and checks in place so that they can safely mitigate the above-mentioned risks and remain compliant with the SOCI requirements. People come and go, so an ongoing screening and rescreening policy for those working on critical infrastructure is key. Organizations should also focus on the offboarding process, making sure that critical workers who leave can never access those assets again.

With all the grace periods either already ended or expiring in August 2024 (for certain cybersecurity requirements) and the first annual report due in September 2024, time is running out to comply with the amended Australian legislation. Not prioritizing and addressing the gaps could prove costly.