Last Updated on June 27, 2022
If there has been any non-US investment or merger/acquisition activity around your business, you’re likely aware of CFIUS: The Committee on Foreign Investment in the United States. It includes representatives from nine US federal agencies (Treasury, State, Commerce, Homeland Security, Justice, Energy, the Office of the US Trade Representative and the Office of Science & Technology) plus the Office of the President.
CFIUS’ role is to scrutinize the impacts of potential foreign investment transactions on US national security. This encompasses issues ranging from terrorism to environmental security—including cybersecurity. The Committee has broad authority to recommend that the president block, suspend or even roll back transactions. It can also modify transaction agreements.
With foreign investment in US businesses at an all-time high and still growing, CFIUS plays a critical role in strategically important areas like finance and technology. Business leaders need to assess and identify CFIUS considerations early on in any dealmaking process involving non-US investors to avoid hurdles at closing time. Likewise, foreign-backed companies that deal in sensitive technologies or significant amounts of personal data need to prepare for increased federal oversight.
Top-level CFIUS cybersecurity considerations
CFIUS has a broad cybersecurity focus targeting issues like these:
- Could a deal create or increase any cybersecurity vulnerabilities impacting the US (e.g., investment in energy, communications, healthcare, technology or other critical infrastructure leading to misuse of data)?
- Could a deal expose sensitive personal data about US citizens to a foreign government or foreign individuals that could threaten US national security?
- Could a deal potentially arm a foreign entity with new capabilities to mount cyber-attacks against the US?
- Does a deal involve significant cybersecurity technology that protects US companies or government agencies today?
What CFIUS is most likely to evaluate regarding cybersecurity is whether all parties in the investment transaction have done their cyber due diligence, implemented a robust cybersecurity framework and have plans of action in place to mitigate known risks. An example would be assessing what a combined entity’s network security will look like after the deal, including identifying any new vulnerabilities.
Before making a CFIUS filing and potentially undergoing review, affected organizations need to carefully consider their critical data assets and current security controls that monitor, protect and allow access to those assets. If you identify any gaps, you’ll need to develop and implement mitigation plans. Identifying critical data assets and demonstrating that they are effectively safeguarded is key to a successful CFIUS review.
Some of the steps you’ll need to take to evaluate your CFIUS compliance posture include:
- Review policies and procedures and interview security leaders to understand and validate how your security controls operate
- Compare—and align—your technical and administrative control sets with global cybersecurity standards like ISO 27001, CIS Critical Security Controls, and/or NIST 800-171/171a
- Carefully review your data assets and identify any controlled/regulated data types, such as controlled unclassified information (CUI) or International Traffic in Arms Regulations (ITAR) data
- Consider whether you need to migrate regulated data to a highly secure “enclave” environment such as a “government cloud”
- Ensure that your critical/export-controlled technology, intellectual property and trade secrets are appropriately protected
- Put additional monitoring and auditing capabilities in place for CFIUS-related reporting
Cybersecurity is likely to be “top of mind” during any CFIUS review. Besides reducing CFIUS concerns and reducing the risk of significant added costs or delays, taking the above steps can enhance your company’s overall cybersecurity and data governance maturity leading to reduced cyber and business risk.
As is often the case with cybersecurity compliance, companies that hold certifications of compliance with trusted third-party frameworks like ISO 27001, NIST 800-171 or SOC 2 should be well-positioned to address and demonstrate CFIUS compliance.
To connect with an expert about your CFIUS related issues and questions, contact Pivot Point Security.