Australia Cyber Security Act and SOCI Act overlap

The clearest statutory overlap is ransomware payment reporting. The Cyber Security Act treats an entity as a reporting business entity if it is a responsible entity for a critical infrastructure asset to which Part 2B of the SOCI Act applies. That means a SOCI status assessment is not just background context; it can be the fact that brings an impacted entity into Cyber Security Act ransomware reporting.

Keep the SOCI scope analysis separate from the Cyber Security Act event analysis. The SOCI record should show the asset, sector, responsible entity, and whether Part 2B applies. The Cyber Security Act record should show whether there is a cyber security incident, a demand, a ransomware payment or benefit, and the 72-hour reporting clock if a payment is made or discovered.

The overlap analysis should start with an asset register entry, not a generic cyber incident ticket. For SOCI purposes, the useful record identifies the asset, why it is treated as a critical infrastructure asset, the responsible entity, and whether the relevant SOCI Part applies to the asset.

For risk management program overlap, keep the Cyber Security Act incident evidence beside the SOCI all-hazards record but do not make them substitutes. Home Affairs guidance for the critical infrastructure risk management program describes material-risk work across cyber and information security, personnel, supply chain, and physical or natural hazards. A ransomware event may inform that program, but the Cyber Security Act ransomware report still needs its own payment, demand, and communication fields.

For a SOCI responsible entity, the ransomware question is not limited to annual turnover. Cyber Security Act section 26 includes responsible entities for critical infrastructure assets to which SOCI Part 2B applies. The ransomware rules separately prescribe a turnover threshold for other businesses, but SOCI responsible-entity status should be checked first when a critical infrastructure asset is affected.

The report clock is triggered by the ransomware payment facts, not by completion of the broader incident investigation. The Cyber Security Act requires the ransomware payment report within 72 hours of making the payment or becoming aware the payment has been made, whichever applies. The rules state that report information is required only to the extent the entity knows it or can find it by reasonable search or enquiry within that 72-hour period.

The Cyber Security Act smart-device regime is a product compliance track. The smart-device rules apply to consumer grade relevant connectable products that are intended, or likely, to be used for personal, domestic, or household use or consumption, with listed exclusions such as desktop or laptop computers, tablets, smartphones, therapeutic goods, road vehicles, and road vehicle components.

That product track can sit beside, but should not be blended with, SOCI obligations. A consumer energy product or connected device may need product-scope, security-standard, statement-of-compliance, support-period, and security-issue-reporting evidence. A critical-infrastructure operator may separately need SOCI asset, responsible-entity, incident-reporting, and risk-management evidence. The same incident can touch both tracks, but each track needs its own source, owner, trigger, and record.

The most useful overlap record is a two-column evidence file: one side for Cyber Security Act obligations and one side for SOCI Act obligations. Each row should show the source provision, factual trigger, accountable owner, evidence, report or action taken, and unresolved assumptions.

For a ransomware incident affecting a critical infrastructure asset, the record should be specific enough to prove why the entity was or was not a Cyber Security Act reporting business entity, whether SOCI Part 2B applied, whether a ransomware payment was made by the entity or on its behalf, and what information was known or reasonably searchable within the reporting period.