Investors and deal makers are taking note: The Committee on Foreign Investment in the United States (CFIUS, or the Committee) will focus on foreign investment in U.S. businesses that could lead to cybersecurity vulnerabilities or exposure of sensitive personal data and national security sensitive information. New legislation and regulations direct CFIUS to consider whether foreign investment exacerbates cybersecurity vulnerabilities or allows a foreign government to gain new capabilities to engage in malicious cyber activities in the United States, particularly with respect to critical infrastructure, critical technologies, and sensitive personal data.
Potential Cyber Threats and Vulnerabilities Considered by CFIUS
Cybersecurity vulnerabilities may arise in a number of different ways and no operation is insulated from cyber risks. Some notable examples:
- Foreign investments in U.S. cybersecurity firms that play an important role in protecting companies or the public sector from malicious cyber threats may demand greater CFIUS scrutiny. In such cases, it will be critical to understand investment partners, the types of threats and vulnerabilities posed to U.S. national security, and potential mitigation conditions that CFIUS will demand to address national security risks.
- Foreign investors that may be able to leverage their investment to gain access to critical technologies and nonpublic and sensitive information may prompt additional examination. CFIUS may require companies—including financial institutions, insurers, FinTech and other technology companies, and startups across a range of sectors—to protect data or technology from cyber attack through mitigation requirements involving cybersecurity policies and procedures, governance and oversight, or reporting requirements.
- Critical infrastructure, such as power plants, communications providers, or hospitals and healthcare networks, will be a focus of CFIUS attention. Concerns about the ability of foreign investors to misuse their investment to introduce cyber threats can result in access controls or proxy arrangements, along with requirements for enhanced cyber policies.
- Access to sensitive personal data will, in many cases, draw further scrutiny. Concerns about diversion of data for malicious purposes or in ways that threaten U.S. national security will be a concern, particularly with respect to local, state, and federal databases, and may elicit requests for cybersecurity protocols.
In addition, under the changes implemented to the CFIUS rules and regulations, minority investments—such as portfolio investments or equity-for-services arrangements—can fall under the purview of CFIUS review, particularly if a transaction provides access to material, nonpublic technical information or sensitive personal data, or provides certain decision-making abilities or rights. If, for example, a foreign cyber defense firm provides cybersecurity services to a U.S. startup and is entitled to equity interests as compensation for its services, such an investment could be subject to CFIUS review in some circumstances.
At the same time, CFIUS will consider the threat posed by strategic actors—both public and private—that are seeking to invest in U.S. companies. Investors that have ties to foreign governments or public funding sources (for example, sovereign wealth funds) can result in scrutiny by CFIUS in order to glean whether those ties provide incentives and opportunities for exploitation.
Compliance Frameworks to Guard Against Cyber Risks
As outlined above, in many cases, CFIUS will evaluate whether there is an effective and validated cybersecurity program at the target U.S. business, as well as evaluating the cybersecurity practices of the investor, in assessing threats and vulnerabilities to U.S. national security. Importantly, CFIUS is likely to evaluate whether parties to an investment transaction have undertaken three core cybersecurity protocols: (1) implementing a strong cybersecurity compliance framework, (2) conducting meaningful cyber due diligence, and (3) developing a cybersecurity plan to address known risks and vulnerabilities going forward for the combined entity. The cybersecurity compliance framework—the systems in place to manage and oversee security governance—is a critical aspect of an effective cybersecurity program. The framework should articulate the cybersecurity program’s strategy and goals; standardized processes for responding to and mitigating security issues; program accountability, which includes enforcement and disciplinary policies for noncompliance; a “tone at the top” demonstrating executive leadership and oversight; and the resources necessary to implement an effective program.
The cyber due diligence review should include, but not be limited to:
- Cybersecurity plans for addressing the known vulnerabilities in the acquirer’s and target’s networks, including the policies, procedures, and technology in place to prevent malicious cyber attacks from exploiting weaknesses that may expose the target entity’s technology systems, resulting in damage to critical infrastructure and, therefore, to U.S. national security.
- An understanding of what the combined networks’ security and interconnectivity will look like post-closing, including a thorough examination of the connection points and new exposures, if any.
- An analysis of the target’s and the investor’s cyber attack assessments to understand vulnerabilities to a number of different attack scenarios and vulnerabilities, including susceptibility to spear phishing, hacking, business email compromise, ransomware, distributed denial of service attacks, Trojan-horse malware attacks, and other cyber weaknesses, including methodologies implemented to reduce the likelihood and extent of such attacks.
- A complete inventory of critical infrastructure connectivity, including the risks and vulnerabilities of products and services that are inherent to or emanate from such connections, and the policies, procedures, technologies, and other safeguards in place to prevent the vulnerabilities from being exploited.
- An inventory of all U.S. government connections, regardless of agency or department, with connections between the target and the government entities mapped to highlight U.S. government exposure and vulnerabilities accessible via the target’s networks.
It is critical that both the cyber due diligence and cybersecurity plans be robust, taking into account contingencies presented by the transaction, in order to increase the chances that the transaction will be approved without lengthy delay or undue cost and without the need for mitigation provisions that are overseen by a security officer or monitor. It is without doubt that cybersecurity threats and vulnerability will be a cornerstone of any CFIUS review, and transaction parties should proactively consider and address such risks as part of the investment process.