Compliance Spotlight: Australia – Security of Critical Infrastructure Act 2018 (SOCI)
The recent amendments to Australia’s Security of Critical Infrastructure Act 2018 expanded its scope to cover 11 critical infrastructure sectors and 22 categories of critical infrastructure assets, extending obligations to various participants in the supply chain. Organizations within these sectors must determine which of their assets qualify as critical and, if applicable, comply with obligations like implementing a risk management program.
Earlier this year, the Security of Critical Infrastructure Act 2018 (“SOCI”) was amended. These reforms expanded the scope of SOCI, which now covers 11 “critical infrastructure sectors” and 22 categories of “critical infrastructure assets”.
In addition to applying to these critical infrastructure sectors and assets, the obligations under SOCI also apply to several participants in the supply chain including “responsible entities”, “reporting entities”, “direct interest holders”, “managed service providers” and “operators”.
It is important to note that assessing applicability within an organisation is complex: whilst an organisation may operate within a critical infrastructure sector, not all of its assets will be critical infrastructure assets. However, where an organisation is caught by both, there are several obligations to comply with, including the requirement to have a risk management programme in place.
Risk Management
Part 2A of SOCI and the associated Security of Critical Infrastructure (Critical Infrastructure risk management programme) Rules 2023 (the “Rules”) require entities to manage personnel security risks under their critical infrastructure management programme. Those covered by SOCI must do the following when addressing personnel risks:
Establish and maintain a process or system that:
(a) Identifies and lists the entity’s critical workers;
(b) Permits a critical worker access to critical components of the critical infrastructure asset only where the critical worker has been assessed as suitable to have such access; and
(c) As far as is reasonably practicable to do so, minimises or eliminates material risks arising from:
i. Malicious or negligent employees or contractors; and
ii. The off-boarding process for outgoing employees and contractors.
A “critical worker” is an employee, intern, contractor or subcontractor of an entity to whom SOCI applies, where (i) the employer has assessed that the individual’s absence or compromise would prevent the proper functioning of the critical infrastructure asset or could cause significant damage to the asset, and (ii) the individual has access to, or control and management of, a critical component of the asset.
Mitigating Risk with Background Screening
Background screening is important in this context because, whilst not mandatory, the Department of Home Affairs and the Cyber and Infrastructure Security Centre have suggested that background screening may be a “useful tool” in carrying out the required assessments, and standards such as the AS4811 employment screening standard and the HB 323 Employment Screening Handbook can provide a benchmark framework for any such programme.
Whilst background screening when hiring new staff members is not new in Australia, especially in regulated industries such as financial services, SOCI and the Rules extend the requirement to “contractors”, “interns” and “subcontractors”. Further, the Rules make it clear that the duration of an engagement does not remove the obligation to subject personnel to the risk management programme. Risk management is an ongoing obligation, and additional rescreening programmes may be considered together with monitoring programmes, which can provide a practical way of identifying risks ahead of time.
Business Obligations
The first step is to identify whether the Rules apply to your organisation and then to identify those critical workers who will access critical infrastructure assets. This includes internal employees and interns as well as any contractors or employees of a subcontractor. In respect of the latter, it should not be assumed that staff will have been screened, either to the level required or at all, because the subcontractor itself may not be subject to the obligations under SOCI and the Rules. An assessment of access to critical infrastructure assets should be added to any subcontractor/contractor onboarding so that the level of screening can be checked, or mandated where absent.
Once critical workers have been identified, an appropriate screening package for new hires, interns and contractors/subcontractors should be created. It should include, but not be limited to, checks such as criminal, identity, employment, professional reference (otherwise known as character reference), education, conflicts of interest (such as directorship checks), media, sanctions and credit. Monitoring programmes, such as ongoing media, sanctions and credit checks, may be put in place as an early warning system, and a full rescreening schedule for non-static data should be agreed. These requirements should be included in employment contracts and/or contractor/subcontractor contracts.
If background screening is already part of an organisation’s DNA, consideration should be given to creating a distinct programme for critical workers, which will assist in any audits that may be carried out in respect of the risk management programme.
Key Takeaways
In many respects, Australia is leading the way globally in this area of reform, amongst an increasingly complex cybersecurity regulatory ecosystem. This high-level summary provides a simple overview to help demystify the new regime’s complexities.
The Security of Critical Infrastructure Act 2018 (SOCI) reforms are now in force, after their two tranches were passed in December 2021 and March 2022. These reforms are arguably the most ambitious and significant security reforms in Australian legislative history.
While Government assistance, intervention, and direction obligations have been in force since December 2021, positive security obligations are being progressively switched on and enhanced security obligations are now in force.
Despite the apparent simplicity of the regime, assessing applicability remains complex. The legislation covers a broad range of assets and a broad range of roles relating to those assets.
Many Australian corporates are now grappling with multiple regulatory regimes and regulators, in addition to the critical infrastructure reforms.
This summary provides a high-level overview of the recent reforms. We look to simplify the regime, acknowledging that complexity exists below the surface and will invariably require a case-by-case assessment.
How Can HireRight Help?
HireRight offers services that, as a minimum, align with the standards set out in AS4811, and currently supports numerous clients with their rescreening programmes. In addition, HireRight offers its “Extended Workforce Screening” programme, designed to assist organisations in mitigating employment and regulatory risks when contractors and subcontractors are engaged. For further information, please contact us.
Release Date: August 22, 2024
Caroline Smith
Caroline is a UK qualified lawyer with over 18 years’ experience and currently serves as HireRight’s Deputy General Counsel for the EMEA and APAC regions. When not “lawyering” or writing blogs, Caroline can be found striking yoga poses in remote locations such as Mongolia and Bhutan.