National Security and CFIUS Services
Cross-border investments face heightened regulatory risks arising from the changes made to the Committee on Foreign Investment in the United States (CFIUS) by the Foreign Investment Risk Review Modernization Act (FIRRMA) and similar foreign investment review regimes globally. Businesses seeking to execute deals with foreign counterparties need the right resources, expertise, and strategies to navigate regulatory complexities and avoid potentially costly pitfalls. More than ever, investment parties and their counsel will need trusted advisors with national security and technical experience to help navigate the CFIUS process.
Our clients include investors and corporate dealmakers, financial institutions, sovereign wealth funds and governments, and target businesses in diverse sectors such as telecommunications, aerospace, pharmaceuticals, and chip manufacturing.
Our national security experts assist clients, often in partnership with their outside counsel, with cross-border transactions that involve national security concerns, including CFIUS reviews, supply chain vulnerabilities, end-user and end-use investigations, cybersecurity and data protection, and sanctions and export control compliance. We work with parties in the planning stages of an investment, during the investment and CFIUS review, and at the end of the CFIUS review to help parties plan for CFIUS mitigation and to ensure proper implementation of and compliance with CFIUS mitigation agreements.
The K2 Integrity team includes former senior U.S. government policy officials, investigators, and compliance professionals who have deep experience with the nuances and complexities of CFIUS rules and national security considerations. Our professionals have worked at CFIUS and in senior national security roles in the U.S. government and apply valuable insights from CFIUS’s deliberations and concerns to each engagement. Our national security experience is coupled with the firm’s subject-matter expertise across an array of industries, business types, and geographies. K2 Integrity tailors every team to meet the specific national security, industry, or technical expertise needed for each unique CFIUS engagement. Our targeted services help to ensure that parties and their counsel receive quality service while protecting U.S. national security interests.
Pre-Transactional Risk Assessment
In the initial stages of a deal, our national security team conducts a CFIUS risk assessment to highlight potential national security risks and CFIUS concerns. Our team assesses transaction risk, providing a detailed report that identifies potential threats, vulnerabilities, and consequences related to a transaction. Each risk assessment includes the following services:
- Conducting Overall Due Diligence: We examine the backgrounds, motivations, and goals of transaction parties, partners, and investors to understand whether CFIUS may identify concerns with a transaction. This process includes researching ties to foreign governments or sanctioned parties, evaluating compliance with U.S. laws and regulations, and searching for potentially derogatory information.
- Reviewing Supply Chain Risk: We analyze the technologies, materials, or services involved in the transaction and which vendors, manufacturers, and suppliers are a part of the production or distribution process. We also review U.S. government touchpoints to assess whether CFIUS may have supply assurance concerns regarding the transaction.
- Evaluating Existing Compliance Frameworks: Our experts assess the parties’ anti-money laundering, illicit finance, corruption, export controls, and sanctions risks and the effectiveness of the companies’ internal controls to determine whether CFIUS may identify risks.
- Assessing Cybersecurity and Data Controls: Using our in-house technology team, we evaluate parties’ cybersecurity and IT posture, data access controls, and data storage practices to determine whether sensitive information is adequately protected.
Preparing for CFIUS Mitigation
CFIUS mitigation can be costly and potentially disruptive for businesses in ways that may impact underlying deal rationale. As such, it is important for businesses to begin assessing their security controls across their entire business operations to identify weaknesses and to anticipate potential CFIUS mitigation as early as possible. If there are potential CFIUS risks with a transaction, our team works with parties and their counsel to identify and recommend tailored mitigation solutions that both address the potential risks and preserve business objectives. This process allows businesses to begin assessing the costs, timeframe, and effectiveness associated with applying appropriate controls as well as potential obstacles to implementing those controls—and to proactively engage with CFIUS on potential solutions.
If CFIUS identifies national security risks related to the transaction and seeks mitigation, our team can assist parties and their counsel during the negotiation process. Our team advises on mitigation terms that creatively address CFIUS concerns while considering underlying deal rationale and business constraints. For example, we help transaction parties work with CFIUS to structure cybersecurity frameworks or IT separation requirements in a way that provides confidence to CFIUS agencies and is consistent with business requirements.
Post-Transaction Mitigation Services
Once CFIUS has imposed mitigation conditions on a transaction, our team works with parties, security officers, their counsel, and CFIUS to evaluate and execute the terms of the agreement. These agreements often require that parties establish and implement policies and procedures by a set deadline to protect sensitive data or technologies. In addition, mitigation agreements often include third-party monitoring or auditing provisions to assess parties’ compliance with certain provisions of an agreement or an entire agreement. Regardless of the specific requirements, establishing open lines of communication with CFIUS is always important for engendering trust during the mitigation process.
K2 Integrity works with parties and their counsel to understand the scope of the mitigation terms and their potential impact on the business. After reviewing the agreement, our team assists parties with recommending a baseline of controls that are necessary to implement the mitigation agreement. We then establish work plans that track progress towards mitigation implementation, project costs, identify immediate and long-term obstacles to implementation, and communicate implementation progress to parties, their counsel, and CFIUS.
Our team works with parties and their counsel to establish and oversee the controls that may be required by CFIUS mitigation agreements, such as:
- Cybersecurity Plans: CFIUS may require that parties establish cybersecurity plans or frameworks that are based on international standards and that are continually updated to protect the business from unwanted access. Our cybersecurity and IT teams have experience developing and implementing comprehensive cybersecurity frameworks based on international standards such as the National Institute of Standards and Technology’s Cybersecurity Framework. These frameworks improve an organization’s cybersecurity posture and protect sensitive data according to CFIUS needs, thereby providing confidence to CFIUS.
- Access Controls: CFIUS may include physical and logical access prohibitions in mitigation agreements to protect sensitive information. Our team has experience with establishing and overseeing the implementation of physical and logical access controls and logs as well as ensuring the physical or logical separation of certain businesses or sensitive data so that CFIUS access requirements are met.
- Control Plans: K2 Integrity establishes plans and procedures for businesses to implement the access controls mandated by CFIUS. Our team develops data management plans, technology control plans, electronic communications plans, or corporate security plans to ensure that sensitive technology or information is only conveyed according to CFIUS requirements. These plans include processes for detecting, preventing, reporting, and remediating breaches as required by CFIUS.
- Sanctions and Illicit Finance: We have extensive experience assessing and building effective compliance and governance programs that meet the challenges of transacting business across numerous regulatory regimes. We help clients develop and improve their compliance and governance programs in the areas of anti-bribery and anti-corruption, data privacy and data protection, anti-money laundering, trade secret protection, economic sanctions, and export compliance. We perform risk assessments and gap analyses, develop and implement remediation plans, and provide training to ensure that companies implement best practices across U.S. and global standards for effective compliance programs.
Third-Party Monitor or Third-Party Auditor
- As a third-party monitor or auditor, K2 Integrity oversees parties’ compliance with mitigation terms as required by CFIUS. This often includes assessing compliance with provisions that mandate controls over accessing certain information or technology, including physical and logical access controls and logs, cybersecurity and data segregation controls, corporate security plans, electronic communications plans, and independent reporting requirements to notify CFIUS of potential breaches.
Independent Board Member
- CFIUS may require that the U.S. business establish a government security committee or appoint an independent board member that is approved by and answerable to CFIUS. Security committees or independent board members have crucial national security responsibilities and must be able to effectively oversee efforts to protect sensitive U.S. business information. The K2 Integrity team includes former national security officials at the highest levels of the U.S. government who can serve on a security committee or as an independent board member.