PSPF Direction on Foreign Ownership, Control or Influence
On 8th July 2024, Home Affairs Secretary, Stephanie Foster PSM, issued three Protective Security Directions under the Protective Security Policy Framework (PSPF) which every Commonwealth Non-Corporate Entity is required to implement.
The fact that PSPF Directions are very infrequently issued is an indication of how critical the actions they contain are to maintaining the Commonwealth’s defence against cybersecurity threats.
The first of these new Directions requires entities to identify and manage Foreign Ownership, Control or Influence (FOCI) risks in their technology asset procurement.
According to the Direction, foreign interference occurs when activity carried out by, or on behalf of, a foreign power, is coercive, corrupting, deceptive or clandestine, and contrary to Australia’s sovereignty, values and national interests.
There are four specific actions entities must complete by July 2025:
- Implement a FOCI risk management process for technology asset procurement;
- Conduct a security risk assessment of any risks identified in the above process in alignment with PSPF Policy 3;
- Regularly review existing contracts for emerging FOCI risks in alignment with PSPF Policy 6;
- Report any identified real or potential risks identified in the above.
The ASD’s Guidelines for Identifying Cyber Supply Chain Risks is a helpful resource. The guide includes a series of questions entities can ask themselves when reviewing their suppliers.
- Who has controlling shares in the business?
- What are the nationalities of Board members and key employees (e.g.: the CEO and Leadership Team?
- Where is the business headquartered?
- Where does the business operate?
- What ties do board members and key employees have to the governments of countries they operate in?
- What might a foreign government gain access to by controlling or influencing the business?
- Could the business’ products or services be used to facilitate foreign interference?
If it was Macquarie Technology Group being reviewed, the answers below would demonstrate little to no FOCI risk.
Who has controlling shares in the business?
Macquarie Technology Group is an ASX listed company with approximately 99.7% of shares held by Australians at the time of publishing.
What are the nationalities of Board members and key employees (e.g.: the CEO and Leadership Team?
Our Board Members are all Australian citizens, resident in Australia.
Where is the business headquartered?
Our headquarters are in Sydney.
Where does the business operate?
We operate wholly within Australia’s sovereign and physical borders.
What ties do board members and key employees have to the governments of countries they operate in?
As above, we only operate in Australia, so our ties are to the Commonwealth of Australia. We also have zero foreign debt.
What might a foreign government gain access to by controlling or influencing the business?
Quite a lot! Which is why we have made commitments around our ownership and control to the Commonwealth, as part of our “Strategic” assignment under DTA Hosting Certification Framework.
In fact, Home Affairs considers Certified Strategic providers like Macquarie Technology Group as an effective mechanism in applying this direction for FOCI risk in procurement under this Direction.
This and the other two Directions have been issued in response to the changing cybersecurity threat landscape facing Australian government entities. We support the strengthening of Australian Sovereignty over the technology assets used to protect Australia and our livelihood.
