Background of the Cyber Security Act 2024
In November 2024, Australia amended the Security of Critical Infrastructure Act and passed the new Cyber Security Act 2024. The changes follow a series of publicly reported cyber incidents affecting Australian organizations during the year, and arrive as the spread of AI puts the protection of data and systems on the agenda of every organization and government.
The Cyber Security Act sets mandatory security standards for smart (Internet-of-Things) devices, requires organizations to report ransomware payments, establishes a Cyber Incident Review Board, and is intended to improve coordination between industry and government during significant cyber incidents. The Act is a key component of the 2023-2030 Australian Cyber Security Strategy and reflects extensive consultation with stakeholders on the evolving threat landscape.
Key Amendments to the SOCI Act
The Security of Critical Infrastructure Act (SOCI) 2018 has been amended to further protect Australia's critical infrastructure. The amendments include:
- Inclusion of Data Storage Systems: Businesses must now ensure that data storage systems holding business-critical data are included in their risk management and reporting obligations. This means more comprehensive security measures for data storage systems.
- Enhanced Government Assistance: The government can now provide assistance for a broader range of incidents, including natural disasters and terrorist attacks, not just cyber incidents. Businesses must be prepared to collaborate with government agencies during such events.
- Stricter Risk Management Requirements: Regulators can direct businesses to address serious deficiencies in their risk management programs. This requires businesses to maintain robust and compliant risk management practices.
- Simplified Reporting Obligations: Some notification and reporting requirements have been reduced, which can lessen the administrative burden on businesses while still maintaining security standards.
- Telecommunications Sector Integration: Security and notification obligations from the Telecommunications Act have been integrated into the SOCI Act. Businesses in the telecommunications sector must now comply with these consolidated requirements.
Does It Impact Your Organization?
If your organization operates in one of Australia's critical infrastructure sectors, you are likely affected by the SOCI Act. Initially focused on the physical security of traditional critical infrastructure assets (electricity, gas, water and ports), the SOCI Act was amended in 2021 and 2022 to cover assets critical to Australia's defence, national security, and economic and social stability. Those amendments expanded the number of Critical Infrastructure Sectors (CIS) with cybersecurity obligations from four to 11: communications, data storage and processing, financial services and markets, water and sewerage, energy, health care and medical, higher education and research, food and grocery, transport, space technology, and the defence industry.
The SOCI Act now requires organizations in these sectors to implement cybersecurity measures and report security incidents to the government. The Positive Security Obligations (PSO) introduced by those amendments include maintaining a register of critical assets, mandatory cyber incident reporting, and adopting, maintaining and complying with a Critical Infrastructure Risk Management Program. The obligations are essential, but working out exactly which of them apply to a given organization is not straightforward, and some organizations end up assuming they are compliant rather than verifying how the requirements apply to them.
Compliance Strategies for Companies
To comply with the new regulations, companies should:
- Update Critical Infrastructure Risk Management Program (CIRMP): Ensure it reflects the new requirements, including the inclusion of data storage systems that hold business-critical data.
- Assess Data Storage Systems: Identify and assess every data storage system used in connection with a critical infrastructure asset, and determine whether it stores or processes business-critical data. Any system that does must be brought into your risk management program and your reporting obligations.
- Familiarize with Government Support: Understand the types of support available from the government during significant incidents, including natural disasters and terrorist attacks. Ensure your internal policies and procedures can accommodate these requests.
- Streamline Reporting Processes: Review your notification and reporting processes against the new requirements. The SOCI Act makes cyber incident reporting for critical infrastructure assets mandatory: incidents with a significant impact on an asset must be reported to the Australian Signals Directorate within 12 hours of becoming aware of them, and incidents with a relevant impact within 72 hours. Your incident response procedure should make that determination and trigger the report without waiting for the investigation to finish.
- Train Staff and Engage with Service Providers: Ensure they understand the changes to the regulation and are implementing the right systems in their organization.
- Comply with Positive Security Obligations (PSO): Establish and maintain a process or system that meets the cyber security requirements of the CIRMP Rules. The Rules require the program to adopt one of a set of named frameworks, such as the ASD Essential Eight Maturity Model, ISO/IEC 27001, the NIST Cybersecurity Framework, the CIS Controls or the AESCSF, or an equivalent framework. SOC-CMM is a maturity model for security operations and is useful for measuring that capability, but it is not a framework named by the Rules.
How LRQA Can Help
If you already have an Information Security Management System, start by assessing its maturity and identifying gaps. As a starting point we recommend ISO/IEC 27001 for the management system itself and SOC-CMM for measuring the maturity of your security operations capability. For more advanced cyber security assistance, LRQA offers further areas of support, including:
- Vulnerability assessment and penetration testing
- Risk Assessment
- Red Teaming – CORIE or CORIE-aligned threat-intelligence-led red teaming
- Threat hunting
- Incident Response Retainer
- Managed Security Services
- Security Awareness Training solution
By leveraging LRQA's expertise, companies can not only achieve compliance but also enhance their overall cybersecurity posture, ensuring resilience against future threats.