Reforms to the act were flagged about 18 months ago — and have now been implemented, first in December 2021 and then a second tranche in April 2022 with a number of key changes, which Ms Tan spoke about on the show.

And as these reforms are more required than ever before, there are a number of things that constitute best practice moving forward, according to Ms Tan.

“Best practice really is to firstly educate yourself as to the broadness of these reforms, to understand it, to actively engage in it. We shouldn’t be too afraid of it from the standpoint that, ‘Oh my goodness, it’s so extensive. I don’t know where to start. I don’t know what to do.’ We should actually proactively try to understand it and call for help, ask for help,” she said.

“For example, the operators and owners of critical infrastructure, they should be reaching out, or their legal council should be reaching out; be it seeking external council advice, or seeking guidance from the government as to what should be done for their particular industry sector to comply with these obligations. I think best practice requires you to really no longer be reactive, but proactive towards understanding what you need to do to effectively comply with these obligations.”

This kind of proactive understanding of the regulations can be of great help to lawyers working in this space, Ms Tan added.

“Even if you might find that there is still not as advanced of a guidance possible, but understanding that this is an evolving area where everyone is moving along and being educated together, and actively coming on this journey together with the government and trying to come up with a roadmap for yourself and for your sector, I think that’s important. The second aspect is also, I think one of the issues is that with the expansion of the scope and the number of asset classes that are now caught within it, one of the best practices that organisations can do, is that they need to start classifying their assets,” she said.

“It might be something that they’ve never really thought about previously, but now with the SOCI Act requirements, it really requires you to understand what assets you have and you possess, and how you classify them and whether or not they’re caught within this act. I think it comes down to, internally as well, really understanding the kind of information you hold, the kind of assets you have, in order to comply.”

VIEW ALL

To continue boosting her knowledge on the subject, Ms Tan personally keeps up to date with new developments in the cyber security space, particularly in the US, EU, the UK, China, and Singapore, in terms of critical infrastructure, how their legislation has been changing and how they’ve been implementing these reforms.

“Get involved in the committees or relevant organisations that enable you to have a conversation within the industry about these reforms. I come from a legal perspective, but there are things that I can definitely learn from other cyber security experts who are practising in this area. It’s the technical aspect, it’s the compliance aspect, it’s the Cysos (sic) out there who have been dealing with these at the front lines. There are many things that you can learn from them, and together you can come together to form a roadmap for that particular organisation,” she said.

“The second proactive way would be, I think it’s important to, like I said, continually educate yourself. I recently attended Canberra CyberCon and there were many workshops that were run with different perspectives on the SOCI Act itself, because as you can imagine, SOCI Act is so topical that it came up in more than just one workshop. So, through that exchange and knowledge, through that active discussion, we were able to actually talk through a lot of the problems we were facing in terms of uncertainty, and the good things about this act and how we were going to work through.”

But despite the uncertainty that can come with working in the cyber space, Ms Tan said there were a number of exciting opportunities on the horizon.

“It’s definitely challenging, but it’s so interesting because cyber is not static. Cyber and technology, it’s always changing, and that’s why the challenges that we face today will definitely be different five years down the road, and that’s what makes this topic and this industry so exciting for me. I think there’s definitely a lot of opportunities, digitisation of processes presents, like you said, many opportunities for businesses, but it’s not without risk. So, it’s really important to be able to balance your investment in opportunity while addressing key risk,” she added.

“It’s important, I think for us, to be able to advise clients as to how they do not give up on their commercial opportunities while at the same time, ensuring that they’ve adequately covered off the management of such risk. I think this is also an area where my main clients, purchasing insurance, my main clients are the cyber insurers; it’s also an exciting time for them. I know there’s a lot of talk about how cyber insurance at the moment is a hard market, and it’s difficult to get cover for cyber insurance. But because of the nature of what cyber is, it gives a great opportunity for both insurers and insureds to enhance that collaboration.”

The transcript of this podcast episode was slightly edited for publishing purposes. To listen to the full conversation with Melissa Tan, click below: