Welcome to a sponsored podcast series where I am exploring how to navigate risk from the Committee on Foreign Investment in the United States (CFIUS), sponsored by K2 Intelligence Financial Integrity Network (K2 Intelligence FIN). Over this five-part series I will visit with David Holley and Him Das, the co-leads of the CFIUS Advisory Practice at K2 Intelligence FIN. We will consider navigating the CFIUS process by using business intelligence to identify CFIUS threats and vulnerabilities, taking a proactive approach to the CFIUS process, building compliance frameworks for risks under CFIUS, and effective monitoring for CFIUS. Today, in Episode 4, I visit with David Holley on CFIUS, cyber risk and access control.
How does CFIUS weigh a cyber risk?
Holley said that this is an area which is getting more attention from CFIUS. There are a number of ways in which cyber security and cyber risks can be implicated in a transaction that has potential national security concerns. The first is how the transaction may affect US capability and capacity. This would include considering such questions as: if the transaction goes through, will it lead to a reduction in US employment in critical cyber skills? Will the transaction impact US production of goods necessary to safeguard national security? The next consideration is sensitive data on US citizens: would the transaction lead to, or allow, exploitation of sensitive data by foreign entities and governments? Additionally, would the transaction exacerbate cyber security vulnerabilities, or allow a foreign government to gain new capabilities to engage in malicious cyber activity or cyber mischief against the US?
Holley believes that in such cases, “it would be paramount to understand the identities of the potential investors, their track records of compliance with US laws, the identities of their other clients or JV or other business partners and the processes and procedures they have in place for maintaining confidentiality, aggregating client information and other cybersecurity safeguards.” Another example would be transactions that involve critical technologies or components of critical technologies and the ability of the foreign investors to gain access to that or other material, nonpublic information. Here Holley pointed to the example of Qualcomm Inc.
Steps companies can take
Here it all begins with due diligence. A company should undertake cyber risk assessments to understand the risks it faces and the controls in place to prevent a cybersecurity breach, whether that is a hack, a malicious insider, or some other loss. An organization should be prepared to demonstrate the measures in place to maintain the confidentiality of proprietary information, trade secrets, confidential information, and personally identifiable information. The cyber risk assessment should also consider whether its cybersecurity plans are current and robust.
Beyond this initial cyber risk assessment, any plan proffered to CFIUS should address known vulnerabilities in a target company’s network, including those that may have been exploited and remediated over the past five years. The key is to understand (1) whether there was a breach or compromise of the target’s network and (2) what the organization has done about it. Is there a plan in place to prevent a recurrence, and have lessons been learned as far as resources and focus on cyber risk?
Holley said another area of inquiry will be what the combined network infrastructure will look like. Some of the questions in this area could include: Does the cybersecurity plan anticipate the ways in which the acquirer will connect to the target’s networks, and what does that system look like? What will data storage look like? How will the networks interact? What types of vulnerabilities come out of that combination? For certain organizations, a cybersecurity plan should also identify clients such as federal agencies with whom the target has contracts. An organization should have those relationships mapped so CFIUS can fully understand them.
A compliance framework for cyber risks and access control
Holley said, “when we talk about a cyber security compliance framework, we’re looking to understand the systems by which the organization’s direction controls security governance, dictates the accountability framework and provides oversight to ensure that risks are adequately mitigated.” Holley believes there are five areas CFIUS will, most generally, closely consider. First is the cybersecurity strategy and its goals: how cyber security risks relate to critical business operations. Second, has the organization identified all of its cybersecurity needs, developed objectives and applied key performance indicators (KPIs) to determine resources, risk appetite, and other requirements? Is the compliance framework standardized so there is predictability in response, through a repeatable process? Third, is there enforcement of cybersecurity requirements and accountability, in terms of addressing negative behaviors and reinforcing positive ones? Fourth, is there senior management leadership and oversight?
The fifth and final area is continuous improvement, or updating, of the compliance framework. This ties into the remediation plan which CFIUS may require going forward. Holley concluded that an entity must demonstrate that it is ready to manage the day-to-day cyber risks and other security requirements of the target organization. It could involve a monitor, which will be the subject of our fifth and final podcast in this series.
Join us tomorrow where we conclude by looking at effective monitoring for CFIUS.
For more information on K2 Intelligence Financial Integrity Network and their CFIUS Advisory Services practice, click here.