SOCI Act 2022: One Step Ahead of Cyber and IT Risks
Organisations falling under the purview of the SOCI Act 2022 and CIRMP Rules have to work quickly to implement and comply with their selected cyber security framework before the August 2024 deadline.
And it’s not a set-it-and-forget-it situation — you have to actively manage your program, and the work starts now. The legislation and asset classes continue to change, which means you’ll need an agile approach that allows you to manage internal controls and processes in a fluid way.
Not to mention, the threats we face this year are not going to be the same for 2024, nor will those be the same for 2025 and so on. We have to continue to evolve.
This regulation isn’t exclusive to Australia, either; cyber security is a key focus area, and we are seeing similar regulations appear across the globe. From the SEC cyber disclosure requirements in the US to Europe’s DORA and the UK’s SS2/21, many regulations centre on cyber resilience.
The other hot topic this is closely linked to is third-party risk. As organisations become increasingly reliant on third parties and outsourcing (and leverage new technology to manage these relationships as they do so), they are exposing themselves to new risks. So, when an organisation can have 600+ third-party vendors, effectively managing them through a spreadsheet is simply not possible.
There are also a lot of industry-specific regulations that intersect, which means that you’ll need to take a step back and build a program that will meet the needs of the range of regulations for your particular organisation and industry. When you tackle these as one-off projects they become disconnected, which in itself can create risk.
Here are a few of the top questions and considerations to keep in mind when evaluating — or developing — your cyber risk management program.
These processes and frameworks cannot be run passively; they have to be active rather than reactive. For example, there are requirements where critical incidents have to be reported within 12 hours, the final report within 48 hours, and other non-critical incidents within up to 72 hours of initial notification. With that in mind, you need to be fully prepared and have processes in place to quickly and efficiently investigate and report on risk at a moment’s notice.
What happens if you don’t meet those deadlines? There are penalties, and these can apply to both the individual and the organisation as a whole. Organisations either headquartered in Australia or operating there have to comply as well.
The SOCI Act regulation is based on principles and outcomes, meaning there is no checklist of what you should or shouldn’t be doing to comply. There is flexibility, but with that also comes greater risk exposure, so organisations have to be actively addressing it rather than taking a lackadaisical approach. We are addressing a hostile threat environment and agility is key. These regulations will continue to evolve, and staying aware of present threats and requirements is a good way to proactively prepare for future changes.
Organisations would benefit from approaching cyber risk frameworks not only as necessities, but as business enablers. A well-run cyber and third-party risk program is an intelligent, long-term investment, bringing higher levels of efficiency, effectiveness, and resilience.
If you would like to learn more about building your risk management program and staying one step ahead with Automated Cybersecurity Risk Management Technology, please get in touch with our Mitratech team today.
Mitratech’s GRC solutions are next-generation technology tools that deliver full coverage of key GRC use cases, from enterprise risk management, cyber risk management and third-party risk management to regulatory compliance and beyond.
Whether you’re just starting to implement GRC processes or looking to deploy mature GRC capabilities across your full organisation, Mitratech’s GRC solutions deliver versatile applications and convenient, out-of-the-box templates to empower data-driven decision-making and fast time-to-value.