Welcome to a podcast series where I am exploring how to navigate risk from the Committee on Foreign Investment in the United States (CFIUS), sponsored by K2 Intelligence, LLC, Financial Integrity Network (K2 Intelligence FIN). Over this five-part series I will visit with David Holley and Him Das, the co-leads of CFIUS Advisory Practice at K2 Intelligence FIN. We will consider navigating the CFIUS process through proactive management, CFIUS and compliance frameworks, CFIUS and cyber risk and access control, and effective monitoring for CFIUS. Today, in Episode 1, I visit with Holley on using business intelligence to identify threats and vulnerabilities under the CFIUS process.
What is CFIUS?
CFIUS is a government committee charged with protecting US national security by reviewing foreign investment in US business. The committee is led by the Secretary of the Treasury and it is composed of national security agencies such as the Department of Defense, Homeland security, the Department of Justice, as well as economic agencies in the Department of Commerce and Department of Treasury. It was created in 1975 at the direction of President Ford. It has undergone a number of changes in a greater formalization of its authorities and processes since it was established. The most recent changes to CFIUS were made in the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) which expanded the jurisdiction of CFIUS to address growing national security concerns over foreign exploitation of certain investment structures which traditionally have fallen outside of CFIUS jurisdiction.
CFIUS has the authority to review a foreign investment that could result in the control of the US business by a foreign investor that falls into a categories of a business that is engaged in the development, production, manufacturing of a critical technology; perform certain functions with respect to critical infrastructure or maintains or collects directly or indirectly sensitive personal data of us citizens. Lastly, there are certain real strengths, real estate transactions that could present national security concerns to the committee such as those located near ports or a military installation, which the purchase of such properties that could be used say for foreign surveillance.
The Role of Business Intelligence
When evaluating the risks opposed to a national security by a foreign investment transaction, CFIUS considers three basic issues. (1) What is the threat posed by the foreign investor in terms of intent and its capabilities? (2) What aspects of the business activity pose vulnerabilities to national security? (3) What are the national security consequences if these vulnerabilities are exploited as a result of the transaction going through? Holley noted, “to get to the bottom of these questions you have to dissect pretty much every aspect of the transaction that could potentially compromise US national security interests.” Moreover, the better practice is to do so in advance of a transaction. It entails methodical, process-driven research to fully understand that nature, the complexities and the risks presented by the consummation of the transaction. What does that mean in that regard? Holley concluded, “at K2 Intelligence FIN we believe that business intelligence factors that make up the threats and vulnerabilities of a proposed deal and our estimation, independence, reliability of the keys to actionable business intelligence and knowing where to go for certain answers to key questions.”
Identification and Mitigation of Threats and Vulnerabilities
To assess the threats and if there are vulnerabilities in any transaction to be CFIUS reviewed, you need to start with an understanding of the identities and backgrounds of the parties to the transaction. Some of the basic questions would be: Who are the foreign investors behind the proposed acquisition? Do they have ties to a foreign government? Would it present national security risk if the deal were completed? Yet Holley cautioned you need to dig deeper, “There should be an understanding of a party to the transaction’s supply chain and understand how foreign ownership of critical elements of that supply chain might negatively impact US national security interests. For example, we’ve seen cyber security risks from foreign vendors around concerns for hardware, software and cyber services, which would present a risk to the overall transaction.” This requires a holistic review for each transaction, understanding the strategic goals of the foreign investors.
An additional concern is to understand the transaction as it relates to the ability of the foreign investor to gain access, business information, business data, material or other nonpublic technical information. Holley pointed to the example of the foreign investor obtaining access through the Board of Directors, or in some other manner, sensitive information. “With respect to vulnerabilities, the focus on the foreign investor and more on the aspects of the US business that could impact national security if the deal were to be consummated.” The bottom line is that you would want to understand the vulnerabilities posed by a completed transaction, which “would involve independently assessing the complete universe of managements, operational and technical controls relevant to safeguarding the critical infrastructure.”
Mitigation requires an understanding of how an organization will respond to a potential data loss. This would include answering such questions as: Is there a process for notifying CFIUS of a failure? Is there a process for remediation? Holley noted, “it’s important that all of this framework has a governance structure around it that provides management and employees with a level of accountability and reporting over this entire framework. Management must ensure that the proper steps are taken and there is accountability at all levels for any type of breach or loss.”
Join us in our next episode where we consider navigating the CFIUS process by proactive management and compliance solutions.
For more information on K2 Intelligence Financial Integrity Network and their CFIUS Advisory Services practice, click here.