[Webcast Transcript] CFIUS Reviews: Strategies for Ensuring Compliance and Strategizing on Foreign Investments

Editor’s Note: During a recent HaystackID webcast, expert panelists explored the role of the Committee on Foreign Investment in the United States (CFIUS) in protecting sensitive technologies, classified contracts, and other vital national defense components from foreign control. The panelists shared real-world examples and lessons learned from handling CFIUS reviews throughout their careers. The panel also discussed staffing for CFIUS matters, emphasizing the difference between a Chief Information Security Officer (CISO) and a Chief Security Officer (CSO). Read the full transcript for the ins and outs of CFIUS: how to staff these matters, the latest rule updates, and how your organization can prepare to handle these reviews while staying compliant.


Expert Panelists

+ Jason Garkey  
Chief Security Officer, Momentus Space

+ Matthew Miller
Senior Vice President of Information Governance and Data Privacy, HaystackID

+ Nate Latessa 
Executive Vice President of Advisory Services, HaystackID


By HaystackID Staff

The Committee on Foreign Investment in the United States (CFIUS) is an interagency committee that plays a critical role in protecting sensitive technologies, classified contracts, and other vital national defense components from foreign control. During our recent webcast, CFIUS experts gave a brief overview of CFIUS and how the committee ensures foreign investments do not compromise U.S. national security, and they shared real-world case studies, including how a National Security Agreement protected Momentus’ water-based propulsion technology and preserved a U.S. technological advantage over adversaries. As the panelists noted, CFIUS matters rarely reach the press: the process is designed to protect the parties involved rather than make their transaction details public record.

Panelist Matthew Miller discussed the Edmodo education platform, a data-focused case in which the National Security Agreement was eventually terminated and the business was wound down and moved overseas. This example is a significant case study highlighting the importance of data security. The panelists also discussed staffing for CFIUS matters. They highlighted the key difference between a Chief Information Security Officer (CISO) and a Chief Security Officer (CSO), with expert panelist Jason Garkey saying the CISO focuses on your organization’s “day-to-day security.” In contrast, a CSO acutely understands the national security implications for your organization and how to interact with government officials throughout CFIUS matters.

Read the full transcript below to understand the different individuals involved in CFIUS engagements, proposed rule changes, and strategies for handling CFIUS reviews.

Transcript

Moderator

Hello everyone, and welcome to today’s webinar. We have a great session lined up for you today. Before we get started, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions that you have, and we’ll share them with our speakers. Second, if you experience any technical difficulties today, please use the same question tool, and a member of our admin team will be on hand to support you. And finally, just to note, this session is being recorded, and we’ll share a copy with you via email in the coming days. So, without further ado, I’d like to hand it over to our speakers to get us started.

Nate Latessa

Great, thank you. Hi, everyone, and welcome to another HaystackID webcast. I’m Nate Latessa, your expert moderator and lead for today’s presentation and discussion, “CFIUS Reviews: Strategies for Ensuring Compliance and Strategizing on Foreign Investments.” This webcast is part of HaystackID’s ongoing educational series designed to help you stay ahead of the curve in achieving your cybersecurity, information governance, and eDiscovery objectives. We’re recording today’s webcast for future on-demand viewing, and we’ll make the recording and complete presentation transcript available on the HaystackID website.

I’m excited to present today alongside true industry experts Jason Garkey, Chief Security Officer at Momentus, and my colleague Matt Miller, Senior Vice President of Global Information Governance and Advisory Services at HaystackID. Thank you, Jason and Matt, for joining me today. We’ve got a lot to cover, so let’s dive into the program. And Matt, if you can move us forward, let’s just cover the agenda here briefly. So we’ll go into some introductions here shortly so you can get to know Matt and Jason. We do want to level set on CFIUS. I know a lot of the folks on this call probably already know what CFIUS is, but we do want to level set and spend a little bit of time defining that and talking about exactly what we’re protecting. We’re going to spend some time discussing the different roles in CFIUS engagements and who to staff in those roles. I think another big topic, and this is something we discussed quite a bit as we were prepping for this, is the difference between a CISO versus a CSO, fiduciary duties, and some proposed rule changes. I know there were some updates actually just yesterday that we’ll want to share with you. And then, if we have time, we’ll get into some questions. So, without further ado, Matt, you are the first on our intro list. Do you want to just introduce yourself briefly?

Matthew Miller

Yeah. Thanks so much, Nate, and I’m glad to be here. I have been working in legal technology for the last 20-plus years. Over the past ten years, I have truly focused on fraud investigations, consulting, and getting into protecting IP, protecting sensitive data for the public, and all citizens, which has led to a lot of work in the CFIUS space. I’m currently a third-party monitor for a project. I’ve worked as a third-party provider and am currently leading an independent security inspection team. I’ve been a neutral third-party expert appointed by the court for eDiscovery. So, I try to come into these projects with a true kind of independent objective so that we work with the government and the corporation to protect your data.

Nate Latessa

Outstanding. Jason, can you introduce yourself?

Jason Garkey

Absolutely. Thanks, Nate, and I am glad to be invited to join today. I am going to start off by saying that my comments represent my own and not necessarily my organization’s because they extend beyond my current position. I first started in the Department of Defense. I was in uniform for almost 30 years, and then I decided to retire. Upon that time, I was in the Office of the Secretary of Defense for policy, and it was a very unique place. I got exposed to CFIUS and ended up working as I was going through that transition phase. I was offered a role at Radisson Hotel Group Americas as their Chief Security Officer. I could leverage my government experience with my executive experience that I’d learned in the Office of Secretary of Defense and moved into Radisson as the Chief Security Officer to what was a very complex National Security Agreement regarding data privacy, specifically around guest records. And I was able to take that to conclusion so that that agreement was terminated. Then, I was hired by Radisson. I’m sorry. I was hired by Momentus Space to become their Chief Security Officer. They had moved into a National Security Agreement, and that one was centered around intellectual property. So, I’ve had two very interesting aspects with data and technology, and I am happy to say that in January of this year, I also took that National Security Agreement to termination as well. So, it’s been a very interesting experience in CFIUS from two different sides, working with Treasury, Justice, and the Department of Defense, and I look forward to bringing some of those experiences to you today.

Nate Latessa

Thank you, Jason. And just briefly, my name is Nate Latessa. I’m the Executive Vice President of Advisory Services here at HaystackID. I, along with Matt Miller, lead our advisory practice. I started my career in eDiscovery and decided to pivot into information governance shortly after. I saw a lot of the same issues popping up over and over again in eDiscovery and realized that to change things and really help our customers, we needed to address information from the point of creation. I pivoted to information governance, which ultimately led to data protection and cybersecurity, which are the things that we covered today in our advisory services here at Haystack. So Matt, let’s jump right in, talk about CFIUS, and just give a quick summary. Actually, I think, Jason, you’re going to summarize exactly what CFIUS is.

Jason Garkey

Yeah, exactly. And just to let everyone know, we’re going to handle an overview at the high level of what CFIUS is, and then we’ll get into some of the examples from practitioners. However, it is important to understand that CFIUS is an interagency committee, and the players are essentially nine cabinet members, two ex officio members, and then other members appointed by the President. Treasury is the chair of the committee. Then, the other eight cabinet members are State, Defense, Homeland Security, Commerce, Energy, and then the Attorney General. Labor and the Director of National Intelligence come in as the ex officio members to round out the technical expertise. Then, as needed, they can bring in other members, including the Office of the Trade Representative, the Director of Science and Technology, the National Security Council, etc. Specifically, that committee will look at different transactions involving foreign investment in the United States, which can include real estate transactions by foreign persons. It can also cover, as I brought up before, data and technology, and they will determine whether that transaction has some form of a national security risk to our country. CFIUS is a very important thing because, as we found, the global economy is becoming much more prevalent. It was easier for people to actually buy data and technology than it was to go in and try to do things through some form of a nefarious method. So, CFIUS is here to prevent people whom the United States views as threats to our national security from actually procuring those technologies, information, or properties through legal means. Essentially, the committee then has the power to suspend transactions. They can impose agreements, hence the National Security Agreements.

And believe it or not, this actually goes back to the Defense Production Act of 1950. So it’s been around for a long time. It really came into a lot more authority with the Foreign Investment and National Security Act of 2007, more commonly referred to as FINSA, and then also the Foreign Investment Risk Review Modernization Act of 2018, or FIRRMA. And as we know, we started to see a lot more teeth coming into the CFIUS realm, and we also saw a significant rise in the number of agreements and transactions that were brought underneath CFIUS. Matt, do you want to give me the next slide, please? There we go. As I stated, CFIUS does have a national security mandate. It’s primarily focused on how this impacts the national security of the nation, and it’s not necessarily focused on economic interests or economic security. It needs to determine the threat. So, for example, what’s the function of the threat? What’s their intent? What capabilities do they have? And then, if they captured information or capabilities, could that create vulnerability to the nation? For example, critical technologies are needed for our critical or important national defense programs, whether it be for production, etc.

When we look at the vulnerabilities, how does that impact our economy? What is the nature of that particular US business in relation to national security? So, for example, when you look at small technology companies that operate with classified contracts, with someone coming in from a foreign perspective, we wouldn’t want that to usurp our classification and protection of our state secrets. Therefore, that would be an example of vulnerability. And then, of course, what are the consequences? For example, the potential effects that could come from that. In terms of real estate, if an adversary purchases real estate near a military installation, there’s a great story that goes back into the 80s and 90s about the Chinese purchasing a large office building outside the National Security Agency and what they were capable of doing by being across the street from the NSA just off of Fort Meade. Obviously, we need to protect those critical sites. The committee is also designed to be an apolitical entity; hence, you see a broad representation across the whole government. It’s not designed to enforce current political policies. It’s more designed to look at what the enduring impacts are. So, as a result, you look at the CFIUS committee, and they’re not looking in terms of an administration and an agreement. They’re looking in terms of the transaction. Some transactions could go on for decades. In other transactions, for example, like the ones that I’ve been involved in, we were able to bring those to termination in a two-year timeframe.

So it really depends upon the compliance measures and what the company has in terms of the vulnerabilities and complexes to our economy. One of those entities, when you take a step back and look at it in the big picture, is absolutely critical to preserving a lot of the important things that are generated within the United States.

Nate Latessa

That’s probably a great segue, Jason, with what you’re talking about there with covered transactions. Matt, can you talk a little bit about those covered transactions?

Matthew Miller

Yeah, so CFIUS, the committee, has jurisdiction over any of these covered transactions. For example, with real estate, like what Jason was just talking about, if there’s a purchase or a lease to a foreign person, a foreign entity that invests in land that is around a place of national security interest, or agriculture or farming, things that are the infrastructure of the United States, things that keep the economy moving, that type of real estate transaction can come under CFIUS review as a covered transaction. A control transaction would be when foreign persons take control, whether they form a joint venture, or there’s an M&A, there’s an acquisition, there’s a long-term lease or concession by one party over another. So if that can affect the control over a US business, and really it’s based on foreign ownership. And what we’re really going to focus on for the next couple of minutes is the covered investment transactions over what are called TID investments: technologies, infrastructure, and data. So under FIRRMA, even if it’s a non-controlling investment, where they don’t own the entire thing but rather have just invested in these TID businesses, there can be reviews by CFIUS over these non-controlling investments in these businesses. CFIUS has a really broad range and scope to assess whether or not they need to perform a review and whether this can affect US national security interests. Suppose the foreign transaction lends itself to material non-public technical information. In that case, the government can step in and start a monitorship or have observers to ensure that there’s no data that shouldn’t be going to these foreign entities that could jeopardize national security interests in the US. So critical technologies, large swaths of personally identifiable information controlled by, let’s say, an education company, which I had previously worked on as the third-party provider.
You may not think about the fact that kids are signing up for their schools, especially during COVID when everyone was online, that that type of transaction if it got… when an organization like that gets purchased by a Chinese software and gaming company, they would now have access to 25 million children’s personally identifiable information and their parents’ personally identifiable information and where they live and where they go to school. These are things that can drastically affect the security of the United States. Let’s go a little deeper into these covered investment transactions, kind of like what we are protecting. Technology, that’s what we’ll start with first. And I think, Jason, it’s probably a good time to flip it back to you to talk about some of your personal experiences. And Jason, in the CFIUS world, many transactions don’t make the newspaper. We don’t really hear about them because it is in the US national security interest not to broadcast that stuff. However, once you’ve reached finalization and they’ve terminated the National Security Agreement, you can talk a little bit about some of the stuff you’ve worked on. So, I’d love to hear what you say about the technology side.

Jason Garkey

Yeah, thanks, Matt. I always appreciate it when people comment about how this doesn’t hit the press. I mean, CFIUS is not a very transparent thing because it’s designed to protect the entities that are involved, not make their transaction data public record. So there’s that degree of protection to the entities involved. But it’s difficult for guys like you and I, watching this very closely, to appreciate the landscape. But what I would say is specifically to Momentus, for example. It’s very clear that our agreement was based on the technology within our propulsion system. We have a water-based propulsion system for satellite buses that essentially has the ability to serve as orbital service vehicles and deliver smaller satellites into orbit. It was deemed that because of the potential for that particular technology and the use of water as a propellant versus your traditional electrical or chemical propulsion systems, that was something that the United States wanted to protect. Therefore, that’s what led our particular organization to an agreement. Honestly, as a Security Officer, I can completely see it. Also, more importantly, as a practitioner with so much time in the Department of Defense, you can understand how you want to maintain your technological overmatch. And a lot of these critical technologies do that. They allow us to maintain a technological advantage over adversaries, back to our national security emphasis behind CFIUS. You can see some of the critical technologies on the slide. The United States Munitions List, essentially our ITAR-controlled items, Commerce Control List items within the EAR, and clearly nuclear technology, are all things that we view within the United States as technological advantages for our nation over adversarial countries.
When you start talking about getting into the bio realm, I’m not going to get into the causes and how it evolved, but you look at something such as a global pandemic and the impact that that can have on a society. Therefore, if technologies were identified, we would want to ensure they were very closely controlled. And so our nation must exercise these jurisdictions over the technology realm because the United States, quite frankly, has had a tremendous amount of success in producing things, developing things, and leveraging our experimental mindset through research and design to create cutting-edge technologies. I just always think it’s very important that people remember what gets produced in the lab from an academic perspective. People look at it as something that they want to share. But you should always have in the back of your mind before it really gets released to market what the national security implications will be if this does, in fact, move overseas.

Matthew Miller

Yeah. And I’ll make one more comment here. Software development of technology could be covered and protected IP as well. So if the software lends itself to something where a foreign government, a nation-state, could take advantage of that to use that technology against the United States, that would also fall into this category. That’s one of the projects that I’ve been working on really closely for the past year. It is a type of technology that could be used for nefarious purposes if it got into the wrong hands. And with the different geopolitical events going on on the other side of the world, there’s more focus on that, and for good reason, right? Not only are we trying to protect US citizens here, but also our service members overseas.

Jason Garkey

Yeah, that’s a great point. I mean, when you look, and it’s very fresh right now, at the CrowdStrike issue that occurred over the weekend. I mean, we’ve narrowed that down kind of to a single source, but yet look at the impact on the transportation infrastructure and the impact on many businesses and their ability to operate. When you start talking about things done on software or using digital technologies, it can quickly move through multiple systems, industries, and players because, essentially, the internet can inject it from anywhere. So yeah, that’s a great point on the software as well when we start talking about things that can be manipulated in real time and, quite frankly, introduced very quickly.

Matthew Miller

All right. And so the infrastructure is of interest to being protected, right? The covered investment and critical infrastructure are where US businesses own, operate, manufacture, and supply these services around what powers the US economy and your day-to-day life. So transportation systems, energy, satellites, and telecommunications are all part of the infrastructure that allows us to have our day-to-day functions and keep the economy going. The financial markets, if they were able to be manipulated by foreign governments, think about the effect that could have, and to the point, you could almost draw a parallel with the internet. Some platforms are out there from a manipulation perspective; that’s why the government doesn’t want foreign entities to know things before they’re supposed to know them, where they could manipulate markets or elections, for example. I mean, this is an important year where we’re headed into a presidential election, and having control and maintaining the control for the US government is really important with these different large-scale critical pieces of infrastructure and these covered transactions. As US citizens, we want the government to protect these major parts of critical infrastructure. That’s going to enable our society to keep going. If there was the destruction or the manipulation of such systems or assets, it could absolutely have a debilitating effect on national security. And what’s the third piece? This is obviously a very busy slide because data has truly become very important, right? A lot of people refer to data as the new oil. That is how important it is. Sensitive personal information that businesses maintain or collect directly or indirectly for US citizens, especially when you have large collections of aggregated data related to US citizens.
If there’s a business that targets or tailors its products to government personnel, or if a business holds the sensitive personal information of more than 1 million US citizens, or is planning to collect more than a million individuals’ personal information, all of these types of businesses can fall under CFIUS review. Jason, when you were working in the hospitality business, can you talk a little bit about whether that was the impetus that brought this under CFIUS review?

Jason Garkey

It absolutely was. When you start talking about the hospitality industry, a lot of people wonder, “Well, what’s the national security concern about somebody renting a hotel room?” Well, think of the amount of information that you provide to a hotel chain when you rent that room, everything from financial data to potential members of your party. As I would try to explain to people, it was interesting that the hospitality industry does not have a regular engagement with the government. And so it was one of those issues from a cultural perspective that I had to explain to them that when you start talking about data and what people can do with it, you need to not look at what’s happening today. You need to look at what could happen in five to 10 years as the data continues to be collected. With the introduction of AI, I always use the example of when IBM Watson first came out. Everybody thought that that was just revolutionary. And it was, don’t get me wrong, but what we’re able to do with data now compared to what that invention did or what that new product did seven years ago is tremendously different. And we just keep seeing these exponential leaps in computing capacity, the ability to manipulate and to process data to the point where if you had enough data on a single person, you could actually identify patterns of life based on where they had hotel stays. And if you look at people who are critical leaders or people who have significant roles in companies, what do they do? They do a lot of travel. So, if you could lock down a few hotel chains and identify where these people are going to be, it would provide a lot of information on individuals. And then, of course, you start talking about identity theft, et cetera, from a bigger macro scale of all of the guest data. It was a tremendous national security issue. In our particular case, it was a Chinese firm that purchased Radisson.
That was something that the government said, “Hey, we are not going to oppose the transaction. We just oppose the access to the data.”

And so we had to take the precautions under a National Security Agreement to protect that. But it was a very interestingstudy because what a lot of people don’t realize is when you start talking about data, think of your software applications or your software as a service application that you’re using. Do you really know beyond the initial echelon who has access to that? For example, if I’m using a US-based company to provide a program management suite of tools, even though it might be based in the United States, they could have development overseas. And in one scenario that I dealt with, the development of the software application was actually located in Russia. You typically can have your support for those applications that come from abroad. And if you don’t go through your due diligence with those companies, even your protection of that data using what you think is a safe alternative could still expose it to a breach. So yeah, it’s very important. And I think that’s why the government views this as a national security interest to ensure that companies are properly safeguarding that data because, quite frankly, those companies have a lot of trust in their customers because of the information that’s provided. We can get into the other things on a list that are also equally important.

Matthew Miller

Well, I mean, that’s a great case study, right? And I think one of the ones that I worked on that also ended up being terminated and closed was this education platform. It was called Edmodo. It doesn’t exist in the US anymore. They actually wound down that business and moved it back overseas. But I recall being on the phone with the CMAs, and it really hit home. So sometimes, in these calls with the CMAs, you’ll get a person that joins the call with a 202 phone number, and they don’t say who they are, and they don’t say what organization they’re from. So we can assume it’s either someone from the DOD or NSA. And the guy told a story, and he said, “Look, if I’m China and I want to target and do something really bad, right? Maybe if you ever saw a movie back in the 80s where they take hostages at a high school, very rich kids, right? Imagine if you knew where the Joint Chiefs of Staff’s children went to school because they’re signed up on this application and they’re just trying to get to their homework. But meanwhile, you’ve got a foreign military power targeting where these people go to school.” And it really hit home because I’ve got three kids in school, and I’m not necessarily of national security interest, but there are people whose kids do have that impact.

It was a data case, and 25 million children signed up for it, and all their parents’ names and personally identifiable information were all on that platform. So, when we first got involved as the third-party provider, we took over all the security for that platform. And then, when they decided to wind down that business, it was just as important to make sure that none of the PII, PHI, or credit card information stored in this platform left the country when the employees started to migrate overseas to reopen a business. It was our job to protect the PII and delete it securely, and we’re talking petabytes of data inside Amazon S3 buckets. And I think they had 52 different SaaS platforms that helped power this overall app. All of them had PII related to individuals from the US. It’s not that you think every day about this when you hand over your information, “Oh my gosh, is this a national security situation?” But I feel really good about the fact that we have people looking over our shoulders and in this direction to protect our people’s data.

Jason Garkey

Yeah. And Matt, I also want to point out that it’s not just CFIUS concerned about this. On February 28th of this year, President Biden put out an executive order preventing access to Americans’ bulk sensitive personal data. So, I mean, it’s more than just within CFIUS. It’s the government’s concern. I think your point that you just brought up was great. The example that I brought up in the hospitality industry is amazing how many things we use are day-to-day operating tools that create those vulnerabilities to the point where the President of the United States is issuing executive orders to say, “Hey, industries, make sure you understand this.”

Nate Latessa

Exactly. And just to jump in here as we kind of transition over. I mean, Matt, I think about just listening to you and Jason talk, I mean, how important data is, and every day you and I talk to clients about understanding where critical sensitive data is, and it’s something that I think almost everybody struggles with, right? It’s like you said, you’ve got a lot of new systems out there. I think the pandemic kind of accelerated the adoption of some of these. Thinking about things like Teams and some of these other collaboration tools that companies get, these two to three-year plans to move to all of a sudden, this pandemic happens, and those two to three-year plans become two to three-week plans where they prioritize remote work over security and information governance and management. And we’re dealing with all the downstream effects of that, right? I think it’s a huge challenge for organizations. I mean, you’ve got more threats than ever. You’ve got more systems. I feel like we’re adding tools all the time. I think I saw something. The average cybersecurity team manages 76 tools. I mean, it’s insane the number of tools we have to keep up with and all the data it creates. And the integrations with third parties, like you said, Jason, are a lot for these companies to manage. So, thinking about all that, managing the utility versus the security and privacy requirements, and making sure that we’ve got the right controls.

And a lot of times, Matt, that’s what we’re dealing with, right? We’re helping organizations develop those controls and implement them. We make sure that they understand where their critical sensitive data is. So again, in instances like CFIUS here, they’re able to respond to that and understand where that information is. And it just, I think, highlights the fact that the work that we do is important and that control-centric information governance and cybersecurity program is important.

Matthew Miller

Well, Nate, do you want to talk a little bit about those different groups that need to be involved in getting the job done in achieving compliance?

Nate Latessa

When you think about technology and information governance, these are all the people we’re touching and dealing with here. So I’m just thinking of Jason; I do want to kick this to you. When I think of implementing CFIUS and all the different departments you have to work with here, how do you handle that CFIUS implementation?

Jason Garkey

Nate, I’ll tell you that’s the secret sauce, so to say, because I think the important part is that culture plays such an important role in implementing a CFIUS agreement, if properly done. I’ll never forget the first time I said this to our board. They looked at me quizzically, but I said, “CFIUS can serve as a competitive advantage if you implement it properly.” What I meant by that is that when you look at the slide, it really represents the business functions within the company. So, the ultimate question is how do you integrate CFIUS into your organization? Is it integrated in as an independent entity? Is it integrated underneath one of these business units? Is it viewed as compliance? Is it viewed as legal? And I think that the most important thing is that it requires teamwork, and your CFIUS structure needs some touch with all of the different business units. The approach I’ve taken in the cases I’ve worked on is that we’ve essentially used cross-functional teams. It’s a very small core group of people titled CFIUS practitioners, for example, the Chief Security Officer or Security Director, and then people that directly support those roles. But you pull a lot of support from the other parts of the company because, quite frankly, everything that we’ve been talking about today, somebody else in the company has already been doing pre-National Security Agreement. For example, your data security: I mean, your information technology department’s been working on data security the entire time, so why bring in a separate entity and not integrate them into your current IT structure? Or you look at the protection of your intellectual property or your technology; your legal department’s been doing that. Your compliance for your export controls, those things have already been done.
How do you adapt those current functions to the terms and the stipulations agreed upon within the National Security Agreement, which is essentially the negotiated document between the business and the government? That’s why I’m a true believer that this is a team sport. CFIUS is not something that you just bolt on. You meet the agreement’s terms, pull it off, and then say, “Man, I’m glad we’re through that hurdle.”

It needs to be something that becomes woven into your current operations. And then, more importantly, it is not viewed as a hindrance or an impediment but is viewed as something that, quite frankly, due to the increased security that comes from the implementation of the National Security Agreement, could be marketed. I don’t know, Matt. What are your experiences?

Matthew Miller

So, when I think of the different lines of business, first of all, I liked what you said about it being a team sport to get this done. When we are working with the clients, I mean, you’ve got legal on a day-to-day basis that at the beginning is heavily involved, but they never get out of the picture. They were heavily involved at the beginning because they were working with the government’s attorneys to come up with the requirements and compliance obligations that would be included in the National Security Agreement. I will flip us to the next slide because I think we can talk about some of the different roles here that come up on the government and the business sides. But since we’re talking about the business side here and the legal team, I’ve been dealing with outside counsel daily because there’s ongoing litigation with the company where my team is doing the third-party monitor role. And that ongoing litigation involves some of the data that is protected under the NSA. So, as a third-party monitor, we have an obligation to make sure that the protected data stays protected and doesn’t get into the hands of the investors from China who have taken control over this organization that has this protected IP. At the same time, if there is data in question, outside counsel is worried that we’re going to break privilege if we look at this data. So, on the one hand, my team needs to see whether it is a protected IP. But we can’t look at it. So what they did in this particular matter is that we set up two different teams from HaystackID, one of which acts as the third-party monitor. And it’s completely firewalled off from a second team, which is called the trusted repository manager. And the trusted repository management team actually has control over the data.

It’s similar to the third-party provider role that my team has done in the past. We take over the administrative rights of the different apps. We control their Gmail environment to maintain control over all the IP and all their different SaaS platforms. That particular act alone involves the IT security and compliance teams weighing in and ensuring that we have all the rights, access, and permissions that the trusted repository manager needs to control those different systems where the IP resides. Meanwhile, I’ve got the third-party monitor team ensuring that the TRM, who is working on a day-to-day basis with their IT security team and the security director… and I mean, Jason, the security director, the security officer, let’s talk a little bit about that part of the business. Are they nominated? How are they brought in? Because on the day-to-day, that security officer from the company is dealing with both the third-party monitor and this trusted repository manager and has full control on the company side for where this IP can go and where it can’t go. And that’s kind of some of what you’ve been dealing with, right?

Jason Garkey

Yeah, exactly. I want to pick up something you mentioned about the security director and the security officer. The interesting thing is that they’re business employees, yet they have direct roles in supporting the National Security Agreement. So I mean that really is the company’s interface between the government and the business. You’re not going to have the executive leadership team talking to the CMAs or the monitors on a regular basis. When selecting those two people, you need to think, and of course, not all agreements have a security director. Still, if they do, it’s typically a board-level position, and then the security officer will be a direct report to the security director. And so those two individuals, you really are putting a lot of trust and confidence in them to represent your organization properly to the government in those day-to-day interactions or in some of the bigger strategic discussions you’re having between the security director and the government. Those two individuals are also the ones who are kind of keeping their finger on the pulse so that they understand how the government feels and kind of where they need to put a little more effort in or where maybe they’re providing the appropriate level of information. Still, they’re the ones who will also determine or maybe recommend what level of transparency is required. And I’ve found that transparency is very important, and so, therefore, that’s why it’s really important that those two people not just understand the agreement but also understand the business. It’s a very interesting position when you start talking about how you staff it, and we’ll get into it in the following slide regarding how you staff the roles. But I just wanted to point out that when you look at the business, where those two fit in the bigger picture, as opposed to the business thinking that these are just a couple of people that got tacked on: “We will continue to do business as usual and let those guys do their CFIUS work.”
You really want to have them a little bit more integrated because the executive leadership team needs to understand this issue just as much as they need to understand an acquisition or just as much as they need to understand bringing on new franchises, for example, if it’s a franchised organization. Then, those people need to work closely with the legal team and develop relationships there. In some cases, they might even make recommendations on outside counsel to handle topics that are CFIUS related because if they’re people that have been in the business or done CFIUS for a little while, they’ll have a little bit of a Rolodex, so to speak, that they can provide some of that insight from as well to ensure that the appropriate level of knowledge on this issue is getting into the corporate legal team. It is definitely not inherent in every general counsel, chief legal officer, or legal department, so it’s critical to think through that process when you’re talking about your business and how those people are integrated into the day-to-day ops and what the reporting streams are in terms of where they’re organized and, more importantly, how much responsibility and authority they’re given.

Matthew Miller

What you said struck a chord with me; this executive leadership team has been so involved. I mean, we, as third-party monitors, met with the CEO and the General Counsel. They are day-to-day aware of what’s going on. And what really struck a chord was the transparency. As a third-party monitor, we’ve got a fiduciary duty, which also comes up later in this deck, but I don’t know if we’re going to get to that slide. We have a fiduciary duty to the government even though we are technically employed by the business. That’s why it’s really important to connect with the General Counsel and the CEO; they want the TPM to go back to the CMAs to represent their point of view. Their point of view should be that “We have nothing to hide.” Because if you have something to hide, that’s what the government’s looking for. These mitigation agreements, these National Security Agreements, should take into account that you’ve brought on these outside investors so you can do more with your business, and it shouldn’t be grinding to a halt because now you have all these more layers of compliance involved. Still, you can turn that around and be more compliant on a go-forward basis, and your business should function better. You’ve got more controls in place. It is more secure. In one of the other projects we’ve been working on lately, Nate and I have been working with this independent security inspector team to assess and enhance cybersecurity measures for an app that contains tons of data and could be very influential in the social media space. And we’re helping that company focus on ensuring that the integrity of their software and their network security is impenetrable to these foreign outside investments. The government has a hand in protecting all of the data inside this app, but there are only so many hands and so many keyboards out there for the IT security team that exists.
To be able to provide at the level, at the congressional level, the assurance that these repeated cyber attacks aren’t going to be able to infiltrate and exfiltrate… infiltrate the network and then exfiltrate the data is eerily important in today’s culture. I mean, because of the way that social media and everything influences different people’s decisions, you can see how compliance and IT security and legal are all tied together in making this kind of an ecosystem that allows these businesses to continue to function, but at the same time provides those different levels of protection that may not have been there in the past. So, let’s move forward in the interest of time.

Jason Garkey

We’ve got about nine minutes, Matt. I know we had a couple of slides here at the end that were particularly of interest.

Matthew Miller

Yeah, so let’s talk about the staffing, and then we’ll jump ahead a little bit because, Jason, I mean, you started talking about the chain of command and the personalities, and this should dovetail right into CISO versus CSO. Can you give us a brief description of what these companies should be looking for in these internal roles?

Jason Garkey

Yeah, I cheated a little bit on the last slide and threw in a lot of those points as it lent itself. I do want to point out the full-time equivalent versus part-time. Where do you do the role, and how do you handle the staffing of some functions that may not be a full-time event but you still need the capability to bring in? And I would say think of how you hire in relation to whether that person can evolve into a role within the organization, where if it’s a part-time role, either you’re doing a part-time consulting contractor for technical expertise, for example, in your policy development, or it’s somebody that could split time with another department. The other thing too that I want to point out is that personalities matter. The reason is that the person you’re bringing in to support your agreement has to have a personality that is enough of a generalist to operate across the entire business. So what does that mean? It means that they need to be inquisitive. They need to be able to engage other people within the company and ask to learn what they’re doing, as opposed to trying to fit them into a box because they’re looking for the CFIUS solution to mitigate the impacts on the business. Then, they get into the question of who they report to. Automatically, if there’s a Security Director, the National Security Agreement will indicate that the Security Officer reports directly to the Security Director, which also means he reports directly to the Board. The second one would be how he reports within the company. Is it a direct report to the CEO? Is he reporting to the Chief Legal [Officer] or the Compliance function? That’s a question that people need to think through, and they need to think through in terms of the level of influence or how much information the particular executive leadership would like to have.
I found in my personal experience, where I’ve been a direct report to the CEO and then to the Board through the security director, that it works out very well. Moving into the next slide, it really gets to the point that the Chief Security Officer is not the Chief Information Security Officer, and that’s a common, well, I should say, a common misperception. I’ve dealt with a scenario where I actually followed a CISO as the second security officer for a company, and the person was extremely competent. Still, you really want them, as I stated before, to operate across the entire range of the business. You can see some of the things we were talking about in terms of understanding the difference between your IT security that the CISO deals with day-to-day versus the national security impacts and understanding how to interact with the government and how they implement change management. They’re the ones who have to bring this complex issue to your company and make sure that the company can understand. And then, of course, your CISO is a full-time employee, whereas your Chief Security Officer is essentially working until the agreement’s over. Then, the company will determine whether that role evolves into something else within the organization or if their position is terminated with the agreement and with the CFIUS. Matt, I think it’d probably be a good time to talk about the fiduciary responsibilities that are held.

Matthew Miller

Yeah. So, from a fiduciary duty perspective, the third-party monitor, for example, is written into the NSA. We have a direct fiduciary duty to the US government. At the end of the day, we are the CMAs. The committee members of the agency are their eyes and ears inside the organization, right? So it’s as if the third-party monitor is the CMAs on a day-to-day basis. They don’t have that kind of coverage, and that is why they’ve set it up in this way you’ve got experts from different consulting organizations, different law firms that do this. This is their day job. Maintaining that independence and asking objective questions really gives the CMAs the ability to have a real view of what’s going on there. Are there any suspected violations of the NSA on a day-to-day basis that the CMA should be aware of? We’ve got reporting obligations as the monitor, as a third-party provider, as a third-party auditor, where we are going down a checklist of everything inside the NSA and on a day-to-day basis, ensuring for the CMAs that the security officer and the IT security team is doing what they said they were going to do under the obligations that were laid out inside the National Security Agreement.

Jason Garkey

The next slide would be repurposing proposed rule changes and segueing into this slide. The first important thing, as we mentioned before, with the authorities with FINSA and FIRRMA and the evolution of CFIUS and how it’s become much more widely used, you can see that this slide talks about some of the recent rulemaking changes, and what it’s doing is it’s giving a lot more teeth to CFIUS. It’s increasing their authority to operate. For example, on April 11th, there was an increased focus on monitoring, compliance, and enforcement. The one that people look at is the massive change in penalties, for example. Before, when penalties were assessed, current legislation had it at $250,000, or the transaction cost. And what we just found is that this proposed rule change has come in. It says that the government wants to raise that number to $5 million or the value of the transaction, or I’m sorry; the max penalty amounts to $5 million per violation, or the greater of the $5 million and the value of the transaction. It means that the government is now looking for ways to say, “Okay, if somebody does not abide by their agreement, what is considered a current deterrent?” And $250 million… or I’m sorry, $250,000, was not deemed to be a sufficient deterrent. You can obviously pull it up on the CFIUS site for the rest of them. You can see the bullets on the slide. But Matt, I’ll hand it over to you to talk about real estate.

Matthew Miller

Well, yeah. And so, the most recent NPRM that came out is around real estate transactions. For our team, it is extremely timely due to the fact that we are in the RFP process related to a real estate transaction where a Chinese organization has taken over the ownership [of a government building]. And by the way, it’s not always China. If we look at, Jason, when we were talking yesterday, we were talking about the 2022 statistics, and for everyone out there, the 2023 CFIUS Annual Report was just released yesterday afternoon. What you’ll see is, I mean, Canada and Germany and France and the UK, all these… I mean, that’s just to name a few. Singapore has had transactions that have come under review. And so I just want to say to everyone, we’re not picking on China. Still, in this particular instance, they’ve taken over a government building, and it is now coming under review because the people, the staff, the stuff that they’re dealing with on a day-to-day basis contains controlled, classified information inside that building. Now, the ownership of that building could, for example, take over the key cards, walk right in the front door, and bypass security. When looking at real estate transactions around military bases, military installations, airfields, and government buildings, the US government has really looked to expand the list of areas that should be protected because they weren’t specifically named in the past. And real estate is top of mind right now, whereas before it was just really more focused on technology and data. And I think it’s great to see that they are thinking much more broadly about the national security interest overall in all these different areas.

Nate Latessa

Well, Jason and Matt, this was great. I think we probably have enough content here. We could go for another hour, but unfortunately, we’re out of time and a little bit over. But I want to thank you both for joining me on today’s webcast. On behalf of HaystackID, I also want to thank everyone who took time out of their busy schedule to attend today. We truly value your time and appreciate your interest in our educational series. HaystackID has a special program in August with the EDRM on “Practical Insights into Generative AI Workflows for Legal Teams.” Check out our website to learn more about the program. Thank you again for attending today’s webcast, and we hope you all have a great day.


Expert Panelists’ Bios

+ Jason Garkey  
Chief Security Officer, Momentus Space

Jason Garkey is the Chief Security Officer (CSO) at Momentus Space, where he played a pivotal role in ensuring the company’s compliance with their National Security Agreement. His responsibilities span across information technology, physical security, export control, and cybersecurity. His efforts led to the termination of Momentus’ CFIUS agreement in January 2024. Before joining Momentus, Mr. Garkey held the position of Chief Security Officer at Radisson Hotel Group Americas, where he successfully orchestrated the termination of their CFIUS agreement. His extensive background includes over 27 years of service in the United States Army, both domestically and overseas. His final assignment was in the Office of the Secretary of Defense as the Senior Military Assistant to the Undersecretary of Defense for Policy.


+ Matthew Miller
Senior Vice President of Information Governance and Data Privacy, HaystackID

Matthew Miller is a non-practicing attorney with over 18 years of experience. Miller specifically focuses on providing eDiscovery, information governance, data privacy, data protection, and forensic solutions to his clients. Prior to joining HaystackID, he was with Consilio, and prior to that, Miller spent six years at Ernst & Young LLP (EY) in the Forensic Technology & Discovery Services division of the Fraud Investigations & Dispute Services practice.


+ Nate Latessa
Executive Vice President of Advisory Services, HaystackID

Nate Latessa is the Executive Vice President of Advisory Services at HaystackID. With over two decades of experience, he is a prominent figure in information governance and eDiscovery. Latessa has been instrumental in devising strategies for effective eDiscovery and information management, aiding corporations and law firms in handling electronic evidence. His expertise in using advanced eDiscovery tools has streamlined litigation processes, while his understanding of data and legal compliance has distinguished him in the field.


About HaystackID®

HaystackID solves complex data challenges related to legal, compliance, regulatory, and cyber events. Core offerings include Global Advisory, Data Discovery Intelligence, HaystackID Core® Platform, and AI-enhanced Global Managed Review powered by its proprietary platform, ReviewRight®. Repeatedly recognized as one of the world’s most trusted legal industry providers by prestigious publishers such as Chambers, Gartner, IDC, and Legaltech News, HaystackID implements innovative cyber discovery, enterprise solutions, and legal and compliance offerings to leading companies and legal practices around the world. HaystackID offers highly curated and customized offerings while prioritizing security, privacy, and integrity. For more information about how HaystackID can help solve unique legal enterprise needs, please visit HaystackID.com.


Assisted by GAI and LLM technologies.

Source: HaystackID