
Board Accountability for Cyber Risk: Quantifying Exposure Under the SOCI Act

Sam Keogh

Critical infrastructure directors face personal accountability for cyber risk management. Qualitative heat maps won't protect them. Financial quantification will.


The Board's New Reality

Something fundamental changed for Australian critical infrastructure operators in 2022. The Security of Critical Infrastructure Act 2018 (SOCI Act), significantly strengthened through the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, shifted cyber risk management from a technical concern into a board-level legal obligation.

This is not a compliance exercise you can delegate to the IT department and forget. Under the SOCI Act, responsible entities across thirteen critical infrastructure sectors — energy, water, communications, transport, healthcare, financial services, data storage, food and grocery, higher education, space, defence industry, and more — must establish and maintain a Critical Infrastructure Risk Management Program (CIRMP). The obligations are broad, the reporting requirements are specific, and the consequences for failure are material.

Your board needs to understand three things: what the Act requires, what happens if you get it wrong, and how to demonstrate you are getting it right.

What the SOCI Act Actually Requires

Let us cut through the legal language. The SOCI Act imposes four categories of obligation on critical infrastructure operators:

1. Critical Infrastructure Risk Management Programs (CIRMPs)

Every responsible entity must establish, maintain, and comply with a written risk management program that addresses hazards across four domains: cyber security, personnel, supply chain, and physical security. The program must identify material risks, mitigate them "so far as is reasonably practicable," and be reviewed and updated annually.

The board must approve the CIRMP. An annual report must be submitted to the relevant Commonwealth regulator confirming the program is current and has been complied with. This is not a set-and-forget obligation — it requires active, ongoing governance.

2. Mandatory Incident Reporting

Critical cyber security incidents must be reported to the Australian Signals Directorate (ASD) within 12 hours. Other significant incidents must be reported within 72 hours. These are tight timeframes, and they demand that organisations have monitoring, classification, and escalation processes that actually work under pressure.

3. Government Assistance and Intervention Powers

This is where the Act has teeth. If the Government determines that a cyber incident poses a serious risk to the social or economic stability of Australia, it can issue directions to the entity — including requiring specific actions to respond to or mitigate the incident. In the most severe cases, the Government can authorise the ASD to directly intervene in your systems.

The message is unmistakable: if you cannot manage your own cyber risk effectively, the Government reserves the right to manage it for you.

4. Enhanced Cyber Security Obligations

Systems of National Significance (SoNS) face additional obligations including vulnerability assessments, incident response planning, access to Government-provided threat intelligence, and participation in prescribed cyber security exercises.

The Board's Problem: Risk Without Numbers

Here is the challenge most boards face. They know the SOCI Act requires a risk management program. They have engaged consultants. They have a CIRMP document. But when the board sits down to review cyber risk, what do they actually see?

Typically, they see a heat map. A matrix of red, amber, and green squares. Perhaps some descriptive text about ransomware being "high likelihood, high impact." It looks professional. It feels thorough. And it is almost entirely useless for decision-making.

Your board needs to know: is your cyber exposure $5M or $50M? That is not a rhetorical question. It determines your insurance coverage, your capital allocation, your risk appetite, and — critically — whether your CIRMP can withstand regulatory scrutiny.

A qualitative rating of "High" does not tell you whether a $3M investment in network segmentation is justified. A financial quantification of $12M in Annual Loss Expectancy across three attack scenarios does.

The SOCI Act requires you to mitigate risks "so far as is reasonably practicable." That phrase has a specific legal meaning — it requires balancing the likelihood and consequences of a risk against the cost, time, and effort of mitigation. You cannot perform that balancing exercise without numbers.

How Quoll Addresses SOCI Compliance

Quoll is a graph-based threat modelling and cyber risk quantification platform that implements the Open FAIR (Factor Analysis of Information Risk) methodology. It translates the abstract language of risk management programs into concrete financial metrics that boards can understand, regulators can examine, and organisations can act upon.

Quantifying Risk in Dollars for Board Reporting

Quoll runs Monte Carlo simulations across attack tree models mapped to the MITRE ATT&CK framework. The output is not a colour — it is a probability distribution of Annual Loss Expectancy (ALE) in Australian dollars. Your board report moves from "we have 14 high-rated cyber risks" to "our modelled cyber exposure is $23.4M annually, concentrated in three attack scenarios targeting our operational technology environment."

That is a number the CFO can work with. It can be compared against revenue, insurance limits, capital reserves, and the cost of proposed mitigations. It transforms the CIRMP annual board approval from a rubber-stamping exercise into an informed governance decision.

Generating Audit Evidence Automatically

Every simulation Quoll runs is timestamped, versioned, and logged. Every change to an attack tree — adding a new threat scenario, adjusting a control effectiveness estimate, revising an asset valuation — is captured in an immutable audit trail. When the regulator asks "how did you assess this risk?" or "what evidence supports your mitigation decisions?", the answer is not a narrative reconstructed from memory. It is a complete, time-stamped record generated as a natural byproduct of using the platform.

This matters for CIRMP annual reporting. The board's attestation that the program has been complied with is substantially stronger when backed by continuous, auditable risk assessment records rather than a point-in-time review conducted the week before the report is due.

Tracking Treatment Plans and Demonstrating Due Diligence

The SOCI Act's "so far as is reasonably practicable" test requires organisations to demonstrate they have considered mitigation options and made rational decisions about which controls to implement. Quoll's risk register and treatment planning capabilities directly support this.

For each quantified risk, Quoll enables you to model the effect of proposed controls on Annual Loss Expectancy. If a $500,000 investment in endpoint detection reduces ALE from $8M to $2.1M, that cost-benefit analysis is documented and auditable. If the board decides a particular residual risk is acceptable given the cost of further mitigation, that decision and its rationale are recorded.

This is precisely the evidence that demonstrates due diligence. It shows the regulator — and, if necessary, a court — that the organisation applied a rational, financially informed methodology to its risk management decisions.

Classification Banners and Air-Gapped Deployment

For operators handling classified or sensitive information, Quoll supports classification banners (UNCLASSIFIED through TOP SECRET) and can be deployed in air-gapped environments. Sensitive risk assessments and threat models never need to leave your secured network.

Mapping SOCI Obligations to Quoll Capabilities

| SOCI Act Obligation | What It Requires | How Quoll Helps |
| --- | --- | --- |
| Critical Infrastructure Risk Management Program (CIRMP) | Written program identifying and mitigating material risks across cyber, personnel, supply chain, and physical domains | Quantifies cyber risks in dollar terms using Open FAIR methodology; documents risk identification, assessment, and treatment decisions with full audit trail |
| Annual Board Approval of CIRMP | Board must approve the risk management program and attest to compliance annually | Executive dashboards present quantified risk exposure in financial terms the board can meaningfully evaluate and approve |
| "So Far as Reasonably Practicable" Mitigation | Must demonstrate that mitigation decisions balance risk likelihood and consequence against cost and effort | Monte Carlo simulations model cost-benefit of each proposed control, providing auditable evidence of rational decision-making |
| Mandatory Incident Reporting (12/72 hours) | Critical incidents reported within 12 hours; other significant incidents within 72 hours | Attack tree models pre-identify likely incident scenarios and their financial impact, enabling faster classification and escalation |
| Government Assistance/Intervention Powers | Government may direct actions or intervene directly if cyber risk is not adequately managed | Continuous, quantified risk posture demonstrates active management, reducing the likelihood of government intervention |
| Systems of National Significance (SoNS) Obligations | Vulnerability assessments, incident response planning, threat intelligence integration | Graph-based attack trees identify vulnerability chains; risk register tracks remediation; MITRE ATT&CK mapping aligns with threat intelligence |
| Annual CIRMP Compliance Reporting | Annual report to regulator confirming program currency and compliance | Immutable audit logs and versioned risk assessments provide continuous compliance evidence, not retrospective documentation |

A Practical Example

Consider a water utility operator classified as critical infrastructure under the SOCI Act. Their CIRMP identifies ransomware as a material cyber risk to operational technology systems controlling water treatment processes.

Using qualitative methods, the risk is rated "Extreme" — red on the heat map. The board is told the risk is serious. They approve a budget for "improved cyber security." No one can articulate exactly how much is enough.

Using Quoll, the same scenario is modelled as an attack tree: initial access via phishing, lateral movement to the OT network, deployment of ransomware on SCADA systems, and consequent disruption to water treatment. Each node in the attack tree has calibrated probability estimates. The Monte Carlo simulation produces an ALE of $14.2M, with a 10th-to-90th percentile range of $3.8M to $31.5M.

Now the board has a decision framework. A $2M investment in network segmentation between IT and OT environments reduces the modelled ALE to $4.1M — a $10.1M reduction in expected annual loss. The cost-benefit is clear, the decision is documented, and the "reasonably practicable" test is satisfied with auditable evidence.
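The mechanics behind a scenario like this, as an added worked example (not Quoll's code and not part of the original post): a FAIR-style Monte Carlo that samples attack attempts per year, walks the phishing-to-disruption chain with a per-step success probability, draws a loss magnitude for each successful event, and reports ALE with 10th/50th/90th percentiles before and after a segmentation control. Every probability, attempt rate and loss figure below is a constructed assumption, chosen to illustrate the method rather than any real utility.

```python
import math
import random
import statistics

# Constructed attack chain for the water-utility scenario. Each step holds a calibrated
# probability that an attacker who reaches it succeeds there (hypothetical values).
ATTACK_CHAIN = {
    "phishing_initial_access": 0.30,
    "lateral_movement_to_ot": 0.40,
    "ransomware_on_scada": 0.70,
    "treatment_disruption": 0.90,
}

def chain_success_probability(chain):
    return math.prod(chain.values())  # one attempt traverses every step

def with_control(chain, step, new_prob):
    # A proposed control is modelled as a lower success probability at one step
    treated = dict(chain)
    treated[step] = new_prob
    return treated

def poisson(rng, lam):
    """Number of attack attempts in a year (Knuth's Poisson sampler)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def loss_magnitude(rng, p10, p90):
    """Per-event loss from a lognormal calibrated to 10th/90th percentile estimates."""
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * 1.2816)  # 1.2816 = z at the 90th percentile
    return rng.lognormvariate(mu, sigma)

def simulate_ale(chain, attempts_per_year, loss_p10, loss_p90, years=10000, seed=7):
    """Monte Carlo over simulated years: annual loss = sum of losses from successful attempts."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, attempts_per_year)):
            if all(rng.random() < p for p in chain.values()):
                total += loss_magnitude(rng, loss_p10, loss_p90)
        annual.append(total)
    annual.sort()
    pct = lambda q: annual[int(q * (years - 1))]
    return {"mean": statistics.fmean(annual), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}
```

Calling `simulate_ale(ATTACK_CHAIN, 40, 2e6, 25e6)` and then the same with `with_control(ATTACK_CHAIN, "lateral_movement_to_ot", 0.10)` gives the before-and-after ALE figures a treatment plan would record; the difference in the two means is the expected annual loss avoided by the control.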

The Cost of Getting It Wrong

The penalties under the SOCI Act are significant. Failure to establish or comply with a CIRMP can attract civil penalties. But the financial penalties are arguably the lesser concern. The reputational damage of a major cyber incident at a critical infrastructure operator — particularly one where the Government exercises its intervention powers — is orders of magnitude more costly.

More practically, directors who approve a CIRMP that lacks a rigorous, defensible risk assessment methodology are exposed. The question a regulator will ask after an incident is not "did you have a risk management program?" It is "was your risk management program adequate?" A program built on qualitative heat maps is substantially harder to defend than one built on quantified financial analysis with a complete audit trail.

Moving From Compliance to Confidence

The SOCI Act is not going away, and the regulatory posture is tightening, not loosening. Critical infrastructure operators who treat CIRMP compliance as a documentation exercise are storing up risk — legal, financial, and operational.

Quoll provides the quantitative foundation that transforms CIRMP compliance from a box-ticking obligation into a genuine risk management capability. It gives boards the financial metrics they need to make informed decisions, the audit evidence regulators expect to see, and the analytical rigour that demonstrates due diligence.

Your board is accountable for cyber risk management. Give them the numbers to manage it properly.


Quoll is an Australian-built, graph-based threat modelling and cyber risk quantification platform. It implements the Open FAIR methodology, supports air-gapped deployment, and is designed for organisations where defensible risk decisions matter. To discuss how Quoll supports your SOCI Act obligations, contact the Quoll team for a confidential briefing.
