This is part 4 of a five-part series with Tom Fox and the FCPA Compliance Report on mitigating risks within CFIUS compliance with business intelligence.
How Does CFIUS Weigh Cyber Risks?
Cybersecurity is an area that is getting more attention from the Committee on Foreign Investment in the United States (CFIUS). There are a number of ways in which cybersecurity and cyber risks can be implicated within a transaction under CFIUS review for potential national security concerns. The first is the effect of the transaction on U.S. capability and capacity. Organizations should consider the following questions: If the transaction goes through, will it lead to a reduction in U.S. employment, especially in critical cyber skills? Will the transaction impact U.S. production of goods necessary to safeguard national security? Second, consider how the transaction would affect sensitive data on U.S. citizens. Would the transaction lead to or allow potential exploitation of sensitive data by foreign entities and governments? Would the transaction exacerbate cybersecurity vulnerabilities or allow a foreign government to gain new capabilities to engage in malicious cyber activities or cyber mischief against the United States? And finally, would the transaction involve critical technologies or components of critical technologies and the ability of the foreign investors to gain access to that or other material, nonpublic information?
If a corporation answers yes to any of these questions, it is important to seek to understand the identities of the potential investors, their track records of compliance with U.S. laws, the identities of their other clients or joint venture or other business partners, and the processes and procedures they have in place for maintaining confidentiality, aggregating client information, and other cybersecurity safeguards.
Conducting a Cyber Risk Assessment
It all begins with due diligence. Companies should undertake cyber risk assessments to understand the risks and controls in place to prevent a cybersecurity breach—perhaps some kind of a hack, a malicious insider, or some other loss. Organizations should be prepared to demonstrate measures they have in place to confidentially maintain proprietary information, trade secrets, confidential information, and personally identifiable information (PII). The cyber risk assessment should also consider whether the organization’s cybersecurity plans are current and robust.
Beyond this initial cyber risk assessment, any plan proffered to CFIUS should address known vulnerabilities in a target company’s network, including those that may have been exploited previously and remediated over the past five years. The key is to understand (1) the extent to which there was a breach or compromise in the target’s network and (2) what the organization has done in response. Is there a plan in place to prevent a recurrence? Have lessons been learned as far as resources and focus on cyber risk?
Another area of inquiry will be what the combined network infrastructure will look like. Some of the questions in this area could include: Does the cybersecurity plan anticipate ways in which the acquirer will connect to the target’s networks? What does that system look like? What is the data storage going to look like? How will the networks interact? What types of vulnerabilities come out of that combination? For certain organizations, a cybersecurity plan would look to see whether the identities of any clients, such as federal agencies with whom the target has contracts, are present. An organization should have those relationships mapped so CFIUS can fully understand them.
A Cyber Risk Compliance Framework
When reviewing a transaction’s cybersecurity compliance framework, CFIUS is looking to understand the systems by which the organization controls security governance, dictates the accountability framework, and provides oversight to ensure that risks are adequately mitigated. There are five areas CFIUS will, most generally, closely consider:
- What are the organization’s cybersecurity strategy and goals? How do cybersecurity risks relate to critical business operations?
- Has the organization identified all its cybersecurity needs, developed objectives, and applied key performance indicators (KPIs) to determine resources, risk appetite, and other requirements? Is the compliance framework standardized so there is predictability and response, through a repeatable process?
- Is there enforcement of cybersecurity requirements and accountability in terms of addressing negative behaviors and reinforcing positive behaviors?
- Is there senior management leadership and oversight?
- Is there continuous improvement or updating of the compliance framework? This ties into the remediation plan that CFIUS may require going forward.
An entity under review must demonstrate that it is ready to manage the day-to-day cyber risks and other security requirements of the target organization.