You’ll need an enterprise data governance framework if you have FIRB data security conditions.
An effective enterprise data governance and management framework is an essential requirement for compliant audit findings.
Your organisation will need an enterprise data governance framework if it has Foreign Investment Review Board (FIRB) Conditions that address data security.
FIRB may conduct audits from time to time, or a company may need to perform an annual audit under its FIRB Conditions.
What are FIRB Conditions?
Under Australia’s foreign investment laws, the Federal Treasurer may approve investments by foreign investors in Australian operating businesses, subject to conditions. These conditions are commonly known as FIRB Conditions.
The Treasurer receives advice from the Foreign Investment Review Board (FIRB) on the content of FIRB Conditions for an investment.
The Treasury, Foreign Investment Division (Treasury), supports FIRB on developing the content of the FIRB Conditions through engagement with other government agencies such as the ATO, ACCC, Critical Infrastructure Centre (CIC), Australian Cyber Security Centre (ACSC), the Australian Federal Police and AUSTRAC.
If you want to know more about how the Treasurer determines the content of FIRB conditions, FIRB’s detailed guidance note is a good reference.
The content of FIRB Conditions for an investor is specific to that investor and the business. Matters such as national security, competition impacts, government policy and impact on the economy and the community, and investor character are relevant. The idea behind FIRB Conditions is that they facilitate foreign investment in a way that serves and protects the national interest.
Over the last few years, FIRB has taken steps to improve the consistency of conditions. Still, it retains the flexibility to set conditions that respond to the risks that exist in respect of a particular investment.
Data and FIRB
So, what has data got to do with FIRB?
These days, everyone is aware of the importance of cybersecurity protections to safeguard business activities and critical infrastructure security. National security risks include the misuse of, or unauthorised access to, data or systems. Threats might include cyber espionage that gathers intelligence in support of state-sponsored activities; cyber-attacks that aim to destroy critical infrastructure; or criminals using the Internet as a means to defraud or steal individual identities.
Defending against cybersecurity threats is a clear policy of the Government. The Federal Government’s Cybersecurity strategy will see $1.67 billion invested over ten years to create a ‘more secure online world for Australians, their businesses and the essential services upon which we all depend’.
So, in protecting the national interest, data and system security are critical, particularly for sectors that are essential services such as energy, water, communications, and healthcare. FIRB Conditions are a tool to mitigate the risks of unauthorised access to data, its corruption, denial or exfiltration, and unauthorised system access.
As outlined in FIRB’s Guidance Note 11, FIRB data security conditions may include:
Compliance with FIRB Conditions in many cases is assessed annually by an independent annual audit. You can find further details in FIRB’s Guidance Note on Independent Audit Conditions.
If your company is subject to FIRB data security conditions, then at a minimum, your company will need an information management and data governance framework.
In the case of audit or regulator review, the first question asked by regulators in assessing compliance is “Tell us about your enterprise governance for data”. It is closely followed by “Show us that your systems effectively support compliance with the conditions”.
Sharon Eacott, Executive Director of ADRM, has managed several FIRB audits. Compliance is achievable if you have the right governance frameworks and are operating consistently with those frameworks.
How does your company’s enterprise framework stack up?
We’ll share our insights on what ‘good’ enterprise data governance looks like in a future blog post.
Want to know more?
If you want to know more about implementing enterprise governance to ensure compliance with FIRB data security conditions or have questions about FIRB audit processes, then get in touch with Sharon.
Foreign Investment Review Board, Guidance Notes
Joseph Brookes, InnovationAus (21 June 2021) “Former ASIO boss warns on energy sector cyber”
Ben Butler, The Guardian (21 February 2021) “The Firb way: finding Australia’s sweet spot between blocking China and driving foreign investment”
John Kehoe, Australian Financial Review (15 January 2021) “Conditional approval of Probuild buyout rejected due to security risks”
John Kehoe, Michael Bleby, Hannah Wootton, Nick Lenaghan and Andrew Tillet, Australian Financial Review (20 January 2021) “Treasurer blacklists China investments”
Cara Waters, Sydney Morning Herald (20 October 2020) “Foreign investment shake-up could be fatal to startups”
Sharon Eacott is the Executive Director of Australian Data Risk Management, a consulting firm helping companies to keep information and data safe, secured and protected through good governance.
© Australian Data Risk Management 2021. Could you please respect our copyright and the effort taken to produce the original material in this document? Unauthorised use of this material without express permission from this site’s author and owner is prohibited. If you use excerpts or links, then please reference Australian Data Risk Management with specific direction to the original content. Thanks for your support.