SOCI Act Compliance and Insider Risk
SOCI Act compliance is not only a cyber-security issue. For critical infrastructure organisations with CIRMP obligations, insider risk, personnel hazards, contractors, privileged access and weak reporting pathways can all affect resilience. This guide explains how leaders can connect SOCI risk management with practical insider-risk controls.
Insider risk under the SOCI Act is a practical governance issue for organisations that own, operate, support or supply critical infrastructure. It is easy to frame critical infrastructure resilience as a cyber issue, but people with trusted access can also create disruption, data loss, fraud, sabotage, unauthorised disclosure or operational weakness.
The Security of Critical Infrastructure Act 2018 and related risk-management expectations should be considered with current legal and regulatory advice. Not every SOCI obligation applies to every entity or asset class. This guide does not restate every obligation. Instead, it explains how boards, executives, risk teams, security leaders and integrity teams can think about personnel risk as part of critical infrastructure resilience where critical infrastructure risk management program obligations or similar resilience expectations apply.
Core Integrity supports organisations with insider risk services, investigations and integrity controls, including Core Sentinel.
Source note: This article is based on Core Integrity's insider-risk, investigations and critical infrastructure content, together with the internal article brief, stored SERP validation, CISC guidance on SOCI obligations, and the current Federal Register compilation of the Critical Infrastructure Risk Management Program Rules reviewed during drafting. Current legal advice should still be obtained before decisions are made on a live compliance matter.
Reviewed by Core Integrity's insider risk and investigations team.
Key takeaways
- Insider risk is part of critical infrastructure resilience, not only a cyber-security problem.
- SOCI-related risk management should consider cyber and information security, personnel, supply chain, physical security and natural hazards together where the CIRMP Rules apply.
- Trusted insiders, contractors and privileged users can create material operational risk.
- Controls should include governance, reporting pathways, behavioural indicators and response planning.
- Insider-risk assessments can help organisations identify where controls are thin or poorly owned.
Why insider risk matters for critical infrastructure
Critical infrastructure depends on people as much as it depends on systems, assets and suppliers. Staff, contractors, administrators, vendors, executives and privileged users may all have access that could affect essential operations.
Insider risk does not always involve malicious intent. It can arise from:
- poor access control
- excessive permissions
- weak offboarding
- contractor access that is not reviewed
- pressure, grievance or conflict
- careless data handling
- poor supervision
- unclear escalation pathways
- failure to act on warning signs
For critical infrastructure organisations, these weaknesses can have consequences beyond ordinary business disruption. They may affect service continuity, public trust, regulatory confidence and the organisation's ability to respond to an incident.
For a plain-English overview of critical infrastructure, see What Is Critical Infrastructure?
Where SOCI compliance and personnel risk overlap
SOCI compliance and personnel risk overlap where people have the access, knowledge or authority to affect a critical infrastructure asset, system, data set or operational process.
CISC guidance explains that the SOCI Act can include obligations to notify data service providers, provide operational and ownership information to the Register of Critical Infrastructure Assets, report cyber incidents and adopt, maintain and comply with a written critical infrastructure risk management program, depending on the asset and obligation. The current CIRMP Rules identify hazard domains that include cyber and information security hazards, personnel hazards, supply chain hazards, physical security hazards and natural hazards.
That overlap may include:
- employees with privileged system access
- contractors who support operational technology or critical processes
- administrators who can change permissions or delete logs
- suppliers who hold sensitive operational data
- managers who approve workarounds or exceptions
- staff who know physical security gaps
- people who can move information outside approved systems
The SOCI Act overview explains the broader framework for critical infrastructure obligations. The practical point for insider risk is that personnel controls should not sit outside the risk program where a CIRMP is required. They should be treated as part of the organisation's ability to protect, detect, respond and recover.
CIRMP personnel hazards beyond cyber access
Cyber access is important, but it is not the whole personnel-risk picture. A critical infrastructure organisation should also consider non-technical personnel hazards where they may create a material risk to an asset or essential operation.
Examples include:
- unauthorised physical access to sites, rooms, equipment or records
- workers bypassing procedure to keep operations moving
- unresolved conduct concerns involving people in sensitive roles
- poor segregation of duties in finance, procurement or operations
- contractors remaining active in systems after work ends
- sensitive knowledge leaving with departing employees
- pressure points that increase the risk of fraud or misuse
- informal workarounds that become accepted practice
These issues may not trigger a cyber alert, but they can still weaken resilience. A mature approach connects people risk, cyber and information security controls, physical security, natural hazard planning, supply chain exposure and incident response.
Core Integrity's article on Cyber Security Act 2024 updates provides adjacent context for organisations tracking cyber and critical infrastructure reform.
Warning indicators and control weaknesses
Insider-risk controls should help leaders notice early indicators without overreacting to ordinary workplace behaviour. The aim is proportionate escalation, not surveillance for its own sake.
Possible warning indicators include:
- unusual access requests
- attempts to bypass approval steps
- repeated policy exceptions
- unexplained data movement
- conflict, grievance or unmanaged performance issues in sensitive roles
- unusual work patterns around critical systems
- refusal to follow security or record-keeping requirements
- poor handover or evasive behaviour during offboarding
Control weaknesses may include:
- no single owner for insider risk
- unclear triage rules between HR, legal, cyber, security and operations
- privileged access that is not reviewed
- weak contractor onboarding or offboarding
- no safe reporting pathway for staff concerns
- monitoring that produces alerts without decision rules
- policies that do not match day-to-day practice
The strongest controls are practical and owned. Leaders should know who receives concerns, who assesses them, when an issue becomes an investigation, and how lessons feed back into the risk program.
Reporting pathways and early intervention
People often see weak signals before systems do. A staff member may notice unusual conduct, a contractor may observe an unsafe workaround, or a manager may become aware of pressure affecting someone in a sensitive role.
Reporting pathways matter because they turn observations into early intervention. For critical infrastructure organisations, reporting options should be:
- visible and easy to use
- safe for staff and contractors
- able to receive confidential concerns
- linked to clear triage rules
- connected to cyber, HR, legal, security and operations where needed
- capable of triggering investigation, containment or remediation
The pathway should also distinguish between misconduct, security risk, wellbeing concerns, policy breaches and operational control gaps. Not every concern requires the same response, but every concern should have a clear owner.
How to assess insider risk in a critical infrastructure setting
An insider-risk assessment should test how personnel hazards are identified, managed and escalated. It should not be limited to a document review.
Useful assessment questions include:
- Which roles have access to critical systems, sensitive information or essential operational processes?
- Are privileged users mapped, reviewed and monitored proportionately?
- Are contractors and suppliers subject to the same access discipline as employees?
- What happens when a worker moves role, leaves the organisation or finishes a project?
- Who owns personnel risk across HR, security, cyber, legal and operations?
- How are conduct concerns in sensitive roles escalated?
- Are reporting pathways trusted and understood?
- Are response plans tested through realistic scenarios?
- Do board reports explain people-related risk, or only cyber and technical controls?
Core Integrity's guide on how to assess insider risk in your organisation provides a broader assessment framework. Core Sentinel can then help organisations move from concern to a clearer view of exposure, controls and response. See What is Core Sentinel?
Board questions for SOCI and insider-risk oversight
Boards and executives do not need to manage every operational control, but they should ask sharper questions about how personnel risk fits into critical infrastructure resilience.
Useful questions include:
- Who owns insider risk at executive level?
- How are personnel hazards considered in our critical infrastructure risk management program or equivalent resilience work?
- Which roles, contractors or suppliers have the highest trusted-access exposure?
- How often is privileged access reviewed?
- What happens when staff or contractors leave sensitive roles?
- Do we have a safe pathway for reporting concerns about trusted insiders?
- How are cyber, HR, legal, security and operations teams connected during triage?
- What would trigger an investigation, containment step or board escalation?
- Have we tested an insider-risk scenario involving a critical asset?
- What control improvements have been made after recent incidents, concerns or near misses?
These questions help move oversight from broad assurance to usable evidence.
Common mistakes to avoid
Common mistakes in SOCI-related insider-risk work include:
- treating insider risk as only a cyber issue
- assuming background checks remove personnel risk
- relying on policies that are not reflected in workflow
- excluding contractors, vendors or privileged users from review
- failing to connect reporting pathways with security response
- giving the board technical metrics without personnel-risk context
- waiting for an incident before mapping trusted access
- closing investigations without improving controls
Avoiding these mistakes requires clear ownership and regular testing. The organisation should know where people-related exposure exists before an incident forces the issue.
FAQ
Does the SOCI Act include insider risk?
SOCI-related risk management can include personnel hazards where people, contractors, suppliers or privileged users may affect critical infrastructure assets or operations. Whether a specific CIRMP obligation applies depends on the asset, sector and role of the entity, so current legal wording and regulatory guidance should be checked before making compliance decisions.
What are personnel hazards in critical infrastructure?
Personnel hazards are people-related risks that could affect critical infrastructure resilience. They may include excessive access, poor offboarding, contractor exposure, misuse of privileged access, unmanaged conduct concerns, weak reporting pathways or pressure that increases the risk of fraud, sabotage, data loss or operational disruption.
How does insider risk differ from cyber risk?
Cyber risk focuses on threats to systems, networks, data and technology. Insider risk focuses on trusted people and access pathways. The two often overlap, but insider risk also includes behaviour, governance, culture, contractors, physical access, reporting and response.
What should boards ask about insider-risk controls?
Boards should ask who owns insider risk, which roles have the highest trusted-access exposure, how privileged access is reviewed, how concerns are reported, how HR, cyber and security teams coordinate, and whether insider-risk scenarios have been tested.
Is an insider-risk assessment useful for SOCI compliance?
An insider-risk assessment can help identify where personnel controls are weak, unclear or poorly owned. For entities with CIRMP obligations, it can support broader critical infrastructure resilience by testing trusted access, reporting pathways, governance, offboarding, contractor controls and response planning.
Independent support for SOCI and insider risk
SOCI Act compliance and insider risk should be considered together where trusted people, contractors or suppliers can affect critical infrastructure assets or operations. The right response is not just more monitoring. It is clear governance, practical controls, trusted reporting and tested response pathways.
Core Integrity helps organisations assess insider risk, strengthen reporting pathways and build more disciplined response models. If your organisation needs a clearer view of personnel risk in a critical infrastructure setting, book a confidential discussion about insider-risk assessment or Core Sentinel.