This week, in a five-part podcast series, sponsored by K2 Intelligence FIN, I will consider how to navigate risk from the perspective of Committee on Foreign Investment in the United States (CFIUS). For this series, I interviewed David Holley and Him Das, the co-leads of CFIUS Advisory Practice at K2 Intelligence FIN. We will consider navigating the CFIUS process using business intelligence to identify threats and vulnerabilities under the CFIUS process, through proactive management, CFIUS and compliance frameworks, CFIUS and cyber risk and access control, and effective monitoring for CFIUS.

Part I – Identifying Threats and Vulnerabilities

CFIUS is a government committee charged with protecting US national security by reviewing foreign investment in US business. The committee is led by the Secretary of the Treasury and it is composed of national security agencies such as the Department of Defense, Homeland security, the Department of Justice, as well as economic agencies in the Department of Commerce and Department of Treasury. It was created in 1975 at the direction of President Ford. It has undergone a number of changes in a greater formalization of its authorities and processes since it was established. The most recent changes to CFIUS were made in the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) which expanded the jurisdiction of CFIUS to address growing national security concerns over foreign exploitation of certain investment structures which traditionally have fallen outside of CFIUS jurisdiction.

CFIUS has the authority to review a foreign investment that could result in the control of the US business by a foreign investor that falls into a categories of a business that is engaged in the development, production, manufacturing of a critical technology; perform certain functions with respect to critical infrastructure or maintains or collects directly or indirectly sensitive personal data of us citizens. Lastly, there are certain real strengths, real estate transactions that could present national security concerns to the committee such as those located near ports or a military installation, which the purchase of such properties that could be used say for foreign surveillance.

When evaluating the risks opposed to a national security by a foreign investment transaction, CFIUS considers three basic issues. (1) What is the threat posed by the foreign investor in terms of intent and its capabilities? (2) What aspects of the business activity pose vulnerabilities to national security? (3) What are the national security consequences if these vulnerabilities are exploited as a result of the transaction going through? Holley noted, “to get to the bottom of these questions you have to dissect pretty much every aspect of the transaction that could potentially compromise US national security interests.” Moreover, the better practice is to do so in advance of a transaction. It entails methodical, process-driven research to fully understand that nature, the complexities and the risks presented by the consummation of the transaction. What does that mean in that regard? Holley concluded, “at K2 Intelligence FIN we believe that business intelligence factors that make up the threats and vulnerabilities of a proposed deal and our estimation, independence, reliability of the keys to actionable business intelligence and knowing where to go for certain answers to key questions.”

To assess the threats and if there are vulnerabilities in any transaction to be CFIUS reviewed, you need to start with an understanding of the identities and backgrounds of the parties to the transaction. Some of the basic questions would be: Who are the foreign investors behind the proposed acquisition? Do they have ties to a foreign government? Would it present national security risk if the deal were completed? Yet Holley cautioned you need to dig deeper, “There should be an understanding of a party to the transaction’s supply chain and understand how foreign ownership of critical elements of that supply chain might negatively impact US national security interests. For example, we’ve seen cyber security risks from foreign vendors around concerns for hardware, software and cyber services, which would present a risk to the overall transaction.” This requires a holistic review for each transaction, understanding the strategic goals of the foreign investors.

An additional concern is to understand the transaction as it relates to the ability of the foreign investor to gain access, business information, business data, material or other nonpublic technical information. Holley pointed to the example of the foreign investor obtaining access through the Board of Directors, or in some other manner, sensitive information. “With respect to vulnerabilities, the focus on the foreign investor and more on the aspects of the US business that could impact national security if the deal were to be consummated.” The bottom line is that you would want to understand the vulnerabilities posed by a completed transaction, which “would involve independently assessing the complete universe of managements, operational and technical controls relevant to safeguarding the critical infrastructure.”

Mitigation requires an understanding of how an organization will respond to a potential data loss. This would include answering such questions as: Is there a process for notifying CFIUS of a failure? Is there a process for remediation? Holley noted, “it’s important that all of this framework has a governance structure around it that provides management and employees with a level of accountability and reporting over this entire framework. Management must ensure that the proper steps are taken and there is accountability at all levels for any type of breach or loss.”

Navigating CFIUS Through Proactive Management

How can you think through navigating the CFIUS process through proactive management and compliance solutions? Das believes that any discussion with CFIUS is “essentially a two-way conversation between CFIUS and the parties to the transaction.” Moreover, through this process, CFIUS is trying to either seek information or clarify information presented to it. CFIUS is trying to sort through the filings and assess what the threats and vulnerabilities are presented by the transaction. To the surprise of no compliance professional, CFIUS will want to understand the underlying business rationale for the transaction. The Committee will pose a number of questions through the process may be intended to try to get at that business rationale.

CFIUS’s next goal is to understand and discuss with the parties what are the national security considerations. The national security issues are classified as security related issues so the parties may be required to do a little bit of guesswork in terms of trying to understand exactly what the national security considerations are and to think through how to manage appropriately. After CFIUS reaches an understanding on this national security component, it will negotiate mitigation terms with the parties. CFIUS will engage in a dialogue with the parties to see if there are ways to mitigate those national security concerns in a way that are consistent with a business interests. Das cautioned, “This could be a somewhat complicated process of engagement. That is why it is critical for parties to a transaction to have effective advisors, who are able to understand what the CFIUS process is, to understand what the issues CFIUS considers and to also understand what the dynamics are within the CFIUS interagency process.” From these discussion, CFIUS “will try to develop a term sheet for a mitigation agreement if they have concerns with the transaction.”

Das emphasized that it is absolutely critical to begin thinking about the CFIUS process and the information required when you begin to conceive of a transaction in the mergers and acquisitions (M&A) process. He stated, “It’s just never too early to start thinking about what the national security dimensions are because it might have an impact on the contours and the structure of the transaction and the manner in which the parties approach it. From the CFIUS compliance perspective, it starts at the point where you start talking about a transaction or an investment.” The more complex a transaction, the more likely it is to raise a significant national security sensitivities, or it might come from a sensitive foreign country so it is more important to begin thinking through the CFIUS issues and prepare a game plan for navigating the process. From there Das suggests that you begin a dialogue directly with CFIUS about the parameters of the proposed transaction so there are no surprises down the road.

From here you can decide if you want to make a Voluntary Declaration, which does not require as much information as the longer and more detailed process. This Voluntary Declaration process can as little as 30 days. However, in a more substantial transaction where there might be an investment by a foreign government involving critical technologies, sensitive or dual use technologies, critical technologies like semiconductors, avionics, robotics, potentially biotechnology and others; the process is likely a minimum of 90 days.

One of the keys Das related was to make sure you have a compliance framework in place to facilitate CFIUS approval. For businesses engaged with sanctioned countries or jurisdictions, where there is a high concentration of sanctioned actors, a large number of transnational criminal organizations or the potential for terrorist financing issues, it is important to have a robust sanctions compliance framework that meets the standards set forth by OFAC or any other appropriate agency and to have a culture of compliance around sanctions. CFIUS will look to whether or not a company and the foreign investor have a strong compliance framework. Das emphasized it is much more than having a paper compliance program in place. A company must fully operationalize compliance and then be able to document that operationalizing.

Join me tomorrow where I consider, navigating CFIUS through compliance frameworks and the role of cyber risk and access control in the CFIUS process.

Check out the podcast series by clicking here.