The regulatory ‘trickle-down’: Why the SOCI Act is no longer just for energy giants
For the accounting profession, the SOCI Act is an opportunity to lead, writes Justin Trollip.
For the past two years, the Australian accounting profession has largely viewed the Security of Critical Infrastructure (SOCI) Act 2018 as a big-end-of-town problem. The prevailing assumption has been that unless your client operates a power station, a port, or a hospital, the stringent risk management programs mandated by the Act do not apply.
In 2026, that assumption is becoming a dangerous liability for mid-market directors and their advisers.
We are witnessing a regulatory trickle-down effect. While an SME manufacturing firm, a logistics provider, or a specialised labour hire company might not be a critical asset themselves, they are almost certainly part of the supply chain for one.
Tier 1 entities (government, energy, banking) are now auditing their supply chains with a level of forensic rigour we haven't seen before. They are asking questions that many SMEs cannot answer, resulting in disqualification from lucrative tenders.
Understanding the ‘positive security obligation’
The friction point lies in Part 2A of the SOCI Act, which sets out the critical infrastructure risk management program, the most demanding component of what the Act calls the positive security obligation (PSO). It requires the responsible entity for a critical infrastructure asset to adopt, maintain and comply with a written risk management program (RMP).
For accountants advising SMEs, it is crucial to understand that an RMP is not just about installing a firewall. The Act, through its risk management program rules, requires entities to identify and, so far as is reasonably practicable, minimise or eliminate material risks across four distinct hazard vectors:
- Cyber and information security hazards: Protecting data from unauthorised access or modification.
- Personnel hazards: Vetting insiders who have access to critical systems.
- Supply chain hazards: Ensuring vendors (like the SME client) do not introduce vulnerability.
- Physical security and natural hazards: Protecting the physical assets and sites, including from natural events such as flood or fire.
Why SMEs are failing the audit
When a tier 1 entity audits an SME for a tender, they are looking for evidence that the SME does not introduce risk in these areas. SMEs are frequently failing these audits, not because they lack a good product, but because they cannot prove process integrity.
Common failure points include:
- Data sovereignty: Using software providers that store or route data outside Australian jurisdiction, which raises foreign ownership, control or influence concerns.
- Personnel risk: No audit trail of who accessed or changed sensitive data, and when.
- Process vulnerability: Relying on manual workflows that are susceptible to tampering.
The ‘desktop gap’ in financial integrity
A prime example of this process failure – one that accountants are uniquely positioned to spot – is the last mile of the financial function.
While many SMEs have moved to secure cloud ERPs, their payment execution often remains stuck in a ‘manual sneakernet’. Finance teams generate a payment file (an ABA batch file or an ISO 20022 pain.001 payment initiation message), download it to a local, often unencrypted laptop, and manually upload it to a bank portal.
In the context of a SOCI audit, this workflow is a red flag.
From a cyber perspective, the file sits unencrypted at rest on an endpoint, outside the ERP’s controls. From a personnel perspective, a single user has an unfettered, often unlogged ability to edit the file between download and upload (e.g., swapping a payee’s BSB and account number). Because such a swap leaves the amounts, totals and record count untouched, the file-level checks a bank portal performs will not catch it. Under the Act’s integrity requirements, this represents a material risk that has not been effectively mitigated.
ASIC and the shift in liability
The stakes for this kind of process failure have been raised significantly by ASIC v RI Advice Group Pty Ltd [2022] FCA 496. The Federal Court found that an AFS licensee’s failure to have adequate cyber security risk management in place breached its licence obligations under the Corporations Act. Although the case turned on licensee obligations rather than on directors’ duties as such, it is widely read as establishing that cyber resilience is a governance matter for the board, not merely an operational IT matter.
If a payment redirection fraud occurs because an SME was relying on manual file handling – a known, fixable vulnerability – the board can no longer claim ignorance.
This puts the external accountant in a critical advisory position. If you are advising a client on their systems or risk governance, and you allow them to persist with high-risk manual workarounds when secure, automated alternatives exist, are you leaving them exposed?
The adviser’s role: The sovereign audit
To protect clients from liability and ensure they remain tender-ready for government and enterprise contracts, accountants should encourage a review of the financial supply chain.
This involves asking:
- Sovereignty: Does your financial data remain within Australian jurisdiction at all times?
- Integrity: Is the chain of custody unbroken? Does data move from the ledger to the bank without landing on a user’s desktop?
- Identity: Can you cryptographically prove who authorised the movement of funds?
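The BSB-swap scenario in the desktop-gap section and the Integrity and Identity questions above are, in practice, one control: a cryptographic record of the approved payment instructions, issued by the ledger at approval time and checked against the file actually uploaded. The following is an added example written for this piece, not code from the article or from Demiton, and all sample data (the remitter, payees, BSBs, amounts and the approver key) is constructed. It builds a small ABA batch using the commonly documented field layout, shows that the file’s own trailer totals still balance after a payee BSB and account are swapped, and shows that a keyed digest bound to a named approver fails verification on the tampered file. HMAC is used to stay within the Python standard library; a production system wanting non-repudiation across parties would substitute an asymmetric signature with the key held in an HSM or KMS.

```python
"""Added example (not from the article): end-to-end integrity for an ABA payment batch
on constructed sample data. Trailer totals miss a BSB swap; an approval digest does not."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

@dataclass(frozen=True)
class Payment:
    bsb: str           # "BBB-BBB"
    account: str       # up to 9 digits
    amount_cents: int
    name: str          # payee account title
    reference: str     # lodgement reference

# Remitter details for the trace fields (constructed).
REMITTER_BSB, REMITTER_ACCT, REMITTER_NAME = "032-000", "123456789", "ACME PTY LTD"

def _header() -> str:
    """Type-0 descriptive record; widths follow the commonly documented ABA (Cemtex) layout."""
    return ("0" + " " * 17 + "01" + "WBC" + " " * 7 + REMITTER_NAME.ljust(26)
            + "123456" + "PAYROLL".ljust(12) + "010126" + " " * 40)

def _detail(p: Payment) -> str:
    """Type-1 detail record: one credit (transaction code 53), amount in cents."""
    return ("1" + p.bsb + p.account.rjust(9) + " " + "53" + f"{p.amount_cents:010d}"
            + p.name.ljust(32)[:32] + p.reference.ljust(18)[:18]
            + REMITTER_BSB + REMITTER_ACCT.rjust(9) + REMITTER_NAME.ljust(16)[:16]
            + "00000000")

def _trailer(payments) -> str:
    """Type-7 file total record: net, credit and debit totals plus detail count."""
    credit = sum(p.amount_cents for p in payments)
    return ("7" + "999-999" + " " * 12 + f"{credit:010d}" + f"{credit:010d}"
            + f"{0:010d}" + " " * 6 + f"{len(payments):06d}" + " " * 58)

def build_batch(payments) -> str:
    lines = [_header(), *(_detail(p) for p in payments), _trailer(payments)]
    assert all(len(line) == 120 for line in lines)
    return "\n".join(lines) + "\n"

def parse_details(text: str) -> list:
    """Recover the payment instructions from the type-1 records of a file."""
    return [Payment(line[1:8], line[8:17].strip(), int(line[20:30]),
                    line[30:62].rstrip(), line[62:80].rstrip())
            for line in text.splitlines() if line[:1] == "1"]

def trailer_consistent(text: str) -> bool:
    """The only check possible from the file alone: totals and count match the trailer."""
    details = parse_details(text)
    trailer = next(line for line in text.splitlines() if line[:1] == "7")
    return (int(trailer[30:40]) == sum(p.amount_cents for p in details)
            and int(trailer[56:62]) == len(details))

def _canonical(payments) -> bytes:
    return json.dumps([asdict(p) for p in payments], sort_keys=True,
                      separators=(",", ":")).encode()

def approve(payments, approver_id: str, approver_key: bytes) -> dict:
    """Issued by the ledger at approval time, before any file is downloaded.
    HMAC keeps this in the standard library; for non-repudiation across parties
    use an asymmetric signature (e.g. Ed25519) with the key held in an HSM/KMS."""
    digest = hashlib.sha256(_canonical(payments)).hexdigest()
    tag = hmac.new(approver_key, f"{approver_id}:{digest}".encode(), "sha256").hexdigest()
    return {"approver": approver_id, "digest": digest, "tag": tag}

def verify(text: str, manifest: dict, approver_key: bytes) -> bool:
    """Run at upload time against the file actually being sent, not the one approved."""
    digest = hashlib.sha256(_canonical(parse_details(text))).hexdigest()
    msg = f"{manifest['approver']}:{digest}".encode()
    return hmac.compare_digest(hmac.new(approver_key, msg, "sha256").hexdigest(),
                               manifest["tag"])

def sample_payments():
    return [Payment("062-000", "12345678", 150000, "J SMITH", "PAY JAN"),
            Payment("083-004", "98765432", 275050, "ACME SUPPLIES", "INV 1042")]

def demo() -> dict:
    key = b"approver-key-held-in-kms"  # constructed; never hard-code a real key
    payments = sample_payments()
    original = build_batch(payments)
    manifest = approve(payments, "cfo@example.com", key)
    # The desktop-gap attack: payee BSB and account swapped in the downloaded
    # file; amounts, totals and record count are untouched.
    tampered = original.replace("1083-004 98765432", "1083-999 11111111")
    return {
        "trailer_ok_original": trailer_consistent(original),
        "trailer_ok_tampered": trailer_consistent(tampered),  # True: totals unchanged
        "verify_original": verify(original, manifest, key),   # True
        "verify_tampered": verify(tampered, manifest, key),   # False
    }

if __name__ == "__main__":
    print(demo())
```

The point for an adviser is in the last two results: the bank-side trailer check passes on both files, so only a control that re-derives the instructions from the uploaded file and ties them to a named approver’s key closes the gap. Logging the manifest (approver, digest, time) alongside the bank’s receipt also gives the audit trail that the personnel-hazard questions ask for.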
The era of implied trust in business processes is ending. The zero-trust principle, under which no step is trusted because of where it sits and every hand-off is verified, is now being applied to financial operations.
For the accounting profession, this is an opportunity to lead. By helping clients identify these gaps – whether in data sovereignty or process integrity – advisers aren't just improving efficiency; they are helping boards build the evidenced, defensible record of risk management that the current regulatory climate demands.
Justin Trollip is the founder of Demiton.