Australian Data Risk Management

Is your organisation foreign owned?

If so, how does your enterprise data governance stack up?

August 2021

You’ll need an enterprise data governance framework if you have FIRB data security conditions.

An effective enterprise data governance and management framework is an essential requirement for compliant audit findings.

Your organisation will need an enterprise data governance framework if it has Foreign Investment Review Board (FIRB) Conditions that address data security.  

FIRB may conduct audits from time to time, or a company may need to perform an annual audit under its FIRB Conditions.

What are FIRB Conditions?

Under Australia’s foreign investment laws, the Federal Treasurer may approve investments by foreign investors in Australian operating businesses, subject to conditions. These conditions are commonly known as FIRB Conditions.

The Treasurer receives advice from the Foreign Investment Review Board (FIRB) on the content of FIRB Conditions for an investment.

The Treasury, Foreign Investment Division (Treasury), supports FIRB in developing the content of the FIRB Conditions through engagement with other government agencies such as the ATO, ACCC, Critical Infrastructure Centre (CIC), Australian Cyber Security Centre (ACSC), the Australian Federal Police and AUSTRAC.

If you want to know more about how the Treasurer determines the content of FIRB conditions, FIRB’s detailed guidance note is a good reference.

The content of FIRB Conditions for an investor is specific to that investor and the business. Matters such as national security, competition impacts, government policy and impact on the economy and the community, and investor character are relevant. The idea behind FIRB Conditions is that they facilitate foreign investment in a way that serves and protects the national interest.

Over the last few years, FIRB has made steps to improve the consistency of conditions. Still, it retains the flexibility to set conditions that respond to the risks that exist in respect of a particular investment.

Data and FIRB

So, what has data got to do with FIRB?  

These days, everyone is aware of the importance of cybersecurity protections to safeguard business activities and critical infrastructure security. National security risks include the misuse of, or unauthorised access to, data or systems. Threats might include cyber espionage that gathers intelligence in support of state-sponsored activities; cyber-attacks that aim to destroy critical infrastructure; or criminals using the Internet as a means to defraud or steal individual identities.

Defending against cybersecurity threats is a clear policy of the Government. The Federal Government’s Cybersecurity strategy will see $1.67 billion invested over ten years to create a ‘more secure online world for Australians, their businesses and the essential services upon which we all depend’.

So, in protecting the national interest, data and system security are critical, particularly for sectors that provide essential services such as energy, water, communications, and healthcare. FIRB Conditions are a tool to mitigate the risks of unauthorised access to, corruption of, denial of or exfiltration of data, and of unauthorised system access.

As outlined in FIRB’s Guidance Note 11, FIRB data security conditions may include:

  • requirements for development and implementation of data security policies and procedures that extend beyond the requirements of general Australian law;
  • restrictions on access to specified data by directors, representatives and staff of the investor;
  • restrictions on the location of data storage and access;
  • cybersecurity arrangements; or
  • reporting requirements in the event of a data breach.

FIRB data security conditions will often restrict the export, storage and access of specific sensitive data from outside Australia.

Compliance with FIRB Conditions in many cases is assessed annually by an independent annual audit. You can find further details in FIRB’s Guidance Note on Independent Audit Conditions.  

If your company is subject to FIRB data security conditions, then at a minimum, your company will need an information management and data governance framework.

In the case of audit or regulator review, the first question asked by regulators in assessing compliance is “Tell us about your enterprise governance for data”. It is closely followed by “Show us that your systems effectively support compliance with the conditions”.  

Sharon Eacott, Executive Director of ADRM, has managed several FIRB audits. Compliance is achievable if you have the right governance frameworks and are operating consistently with those frameworks.

How does your company’s enterprise framework stack up?

We’ll share our insights on what ‘good’ enterprise data governance looks like in a future blog post.

Want to know more?

If you want to know more about implementing enterprise governance to ensure compliance with FIRB data security conditions or have questions about FIRB audit processes, then get in touch with Sharon.

Further reading

Foreign Investment Review Board, Guidance Notes

Joseph Brookes, InnovationAus (21 June 2021), “Former ASIO boss warns on energy sector cyber”

Ben Butler, The Guardian (21 February 2021), “The Firb way: finding Australia’s sweet spot between blocking China and driving foreign investment”

John Kehoe, Australian Financial Review (15 January 2021), “Conditional approval of Probuild buyout rejected due to security risks”

John Kehoe, Michael Bleby, Hannah Wootton, Nick Lenaghan and Andrew Tillet, Australian Financial Review (20 January 2021), “Treasurer blacklists China investments”

Cara Waters, Sydney Morning Herald (20 October 2020), “Foreign investment shake-up could be fatal to startups”

Sharon Eacott is the Executive Director of Australian Data Risk Management, a consulting firm helping companies to keep information and data safe, secured and protected through good governance.

© Australian Data Risk Management 2021. Could you please respect our copyright and the effort taken to produce the original material in this document? Unauthorised use of this material without express permission from this site’s author and owner is prohibited. If you use excerpts or links, then please reference Australian Data Risk Management with specific direction to the original content. Thanks for your support.