This is part 1 of a five-part series with Tom Fox and the FCPA Compliance Report on mitigating risks within CFIUS compliance with business intelligence.
What Is CFIUS? The Committee on Foreign Investment in the United States (CFIUS) is a government committee charged with protecting U.S. national security by reviewing foreign investment in U.S. business. The committee is led by the Secretary of the Treasury and it is composed of national security agencies such as the Department of Defense, Homeland Security, and the Department of Justice, as well as economic agencies in the Department of Commerce and Department of Treasury. It was created in 1975 at the direction of President Ford and has undergone a number of changes in a greater formalization of its authorities and processes since it was established. The most recent changes to CFIUS were made in the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which expanded the jurisdiction of CFIUS to address growing national security concerns over foreign exploitation of certain investment structures that traditionally have fallen outside of CFIUS’s jurisdiction.
CFIUS has the authority to review a foreign investment that could result in the control of a U.S. business by a foreign investor if the foreign investor operates a/is a business that is engaged in the development, production, or manufacturing of a critical technology; performs certain functions with respect to critical infrastructure; or maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens. Lastly, there are certain real estate transactions that could present national security concerns to the committee such as those located near ports or military installations, that could potentially be used for foreign surveillance.
The Role of Business Intelligence When evaluating the risks posed to national security by a foreign investment transaction, CFIUS considers three basic issues:
- What is the threat posed by the foreign investor in terms of its intent and its capabilities?
- What aspects of the business activity pose vulnerabilities to national security?
- What are the national security consequences if these vulnerabilities are exploited as a result of the transaction going through?
To predict how CFIUS might answer these questions with regard to a particular investment, the interested parties must dissect pretty much every aspect of the transaction that could potentially compromise U.S. national security interests. The best practice is to do so in advance of a transaction. This due diligence entails methodical, process-driven research to fully understand the nature of the transaction, the complexities involved, and the risks presented by the consummation of the transaction.
Identification and Mitigation of Threats and Vulnerabilities To assess the threats and to discover if there are vulnerabilities in any transaction to be reviewed by CFIUS, due diligence needs to begin with an understanding of the identities and backgrounds of the parties to the transaction. Some of the basic questions to ask would be: Who are the foreign investors behind the proposed acquisition? Do they have ties to a foreign government? Would it present a national security risk if the deal were completed?
Often, companies may need to dig deeper. The supply chain of each party to the transaction should be examined, with a determination made of how foreign ownership of critical elements of that supply chain might negatively impact U.S. national security interests. For example, in certain cases cybersecurity risks have emerged from foreign vendors around concerns for hardware, software and cyber services, which would present a risk to the overall transaction. This requires a holistic review of each transaction, with a striving to understand the strategic goals of the foreign investors.
An additional concern is to understand the transaction as it relates to the ability of the foreign investor to gain access to business information, business data, material, or other nonpublic technical information. For example, could the foreign investor somehow obtain access to sensitive information through a position on a company’s board of directors, or in some other manner? With respect to vulnerabilities, the focus should be less on the foreign investor and more on discovering the aspects of the U.S. business that could impact national security if the deal were to be consummated. The bottom line is that you would want to understand the vulnerabilities posed by a completed transaction, which would involve independently assessing the complete universe of management, operational, and technical controls relevant to safeguarding the critical infrastructure.
Mitigation requires an understanding of how an organization will respond to a potential data loss. This would include answering such questions as: Is there a process for notifying CFIUS of a failure? Is there a process for remediation? It is important that all of this framework has a governance structure around it that provides management and employees with a level of accountability and reporting. Management must ensure that the proper steps are taken and there is accountability at all levels for any type of breach or loss.
To listen to the next podcast in the series, please click here.