The United States remains the largest single recipient of Foreign Direct Investment (FDI) in the world. However, as the global economy has developed, the United States must actively compete to retain and attract new investment. Foreign companies have become increasingly active in investing and acquiring businesses and assets in the United States to satisfy rising global demand.
Protection of the United States’ critical infrastructure has been at the forefront of the U.S. government’s concerns for more than three decades. In one of the few bipartisan efforts during the current Presidential administration, congress agreed that the powers of the agencies that comprise the Committee on Foreign Investment in the United States (CFIUS) had a need to be reformed. Along with critical infrastructure, they now have been tasked with protecting our critical technologies given the ever-increasing threat to our technologies posed by foreign ownership.
I am pleased to be presenting at Executive Alliance’s National Security Leadership Symposium in Naples, Florida, on October 28, 2019, before senior cybersecurity professionals, regarding best practices on how IT Security professionals will need to prepare and effectively manage the CFIUS process in all stages – from preparation, to submission, to review.
So, how does this information affect cyber security professionals? Within the 16 industries classified as critical infrastructure and now the 27 areas of critical technologies that will be discussed at the Symposium, these transactions fall under the jurisdictional regulation of CFIUS. As an interagency task force whose purview is concerned with foreign controlling ownership in U.S. companies, CFIUS oversees the national security aspects of foreign direct investment in the U.S. economy.
Additionally, the Committee is especially concerned with protecting U.S.-owned companies’ Intellectual Property, if it’s related to industries responsible for critical infrastructure such as healthcare, energy and cybersecurity. It is important to note that a number of the transactions that are reviewed by CFIUS fall under a mitigation agreement, which requires that the U.S. company maintain a number of physical and cyber related protections. The agencies will mandate that either an independent third-party auditor and/or monitor be retained to review the protections in place to mitigate any national security concerns regarding critical technologies or sensitive information that needs to be protected from the influence of foreign investors. These independents will spend a significant amount of time with cybersecurity leadership and other professionals to ensure the proper controls and compensating controls are in place to protect the information with which the agencies have concern. Those controls will be tested, and the results will be relayed back to the agencies for review. Failure by the companies to follow the mitigation measures that are set forth may result in fines levied against the organization and/or the issuance of a divestiture order that requires the unwinding of a transaction. The legal and financial ramifications of a divestiture can be significant and, if provisions of the transaction were stated as such, a break fee may be imposed.
CFIUS will likely play a larger role in cross-border M&A activity in the years ahead, with potentially more stringent reviews and/or an increased use of mitigation measures. The practical guidance for identifying factors that constitute a national security risk may also be broadened to include economic security. This will directly affect the cybersecurity leadership and professionals of those enterprises which have seen foreign direct investment.
For foreign investors considering investing in the U.S—especially those based in countries the current administration has focused on—CFIUS can no longer be an afterthought and cybersecurity professionals should consider CFIUS review a priority variable. Recent regulatory updates give the Committee power to intervene much earlier in the negotiation process and consequently, for deals involving certain industries, it’s no longer a question of if CFIUS should be considered but how the Committee should be considered and how early. I look forward to a deeper discussion this fall with my peers, during my presentation at the National Symposium.