By Matthew L. Miller, Esq.
On Thanksgiving of 2014, I received an urgent call asking me to be in London in 24 hours. My assignment was to run the advanced forensics recovery team serving several foreign offices of Sony Pictures in the wake of a devastating cyberattack by North Korea. This hack was conducted in retaliation for “The Interview,” a movie that Sony Pictures produced depicting a plot to assassinate North Korean leader Kim Jong-Un. While these unusual circumstances inspired a lot of jokes, for those of us who witnessed the consequences up close, the situation was far from funny. Not only was it a traumatic period for Sony Pictures employees, but there also was a threat of wider violence in the United States. The hackers warned of plans to attack theaters that screened the movie, causing major theater chains to cancel their screenings out of concern for audience safety. The experience brought home just how real a risk the United States faces from nation-state bad actors targeting U.S. companies.
Since then, an increasing proportion of my work has entailed assisting U.S. companies in their interactions with the Committee on Foreign Investment in the United States (CFIUS), an interagency government committee charged with reviewing foreign investments into U.S. businesses to guard against national security risks. The Committee has broad authority to suspend, modify, or prohibit a transaction from closing in order to address national security concerns. CFIUS also has the power to unwind a completed transaction through forced divestiture. Signaling even more emphasis on CFIUS’s role, on September 15, 2022, President Biden issued the CFIUS Executive Order (EO) that provides warnings to dealmakers regarding areas of heightened interest to the Committee. While the EO does not expand the Committee’s processes or jurisdiction, it clearly reinforces the Committee’s focus, especially regarding the protection of sensitive personal data.
Defining the expanding scope of CFIUS in the service of protecting national security
CFIUS reviews historically have been focused on acquisitions that would give foreigners control of U.S. businesses in sensitive industries such as defense, manufacturing, energy, and technology. But in 2018, the Foreign Investment Risk Review Modernization Act (FIRRMA) widened the scope of CFIUS review to include certain minority investments, specifically in the field of emerging and critical technologies. As a result, CFIUS is now empowered to examine all types of transactions where U.S. businesses may provide intellectual property and technological support to anyone in a foreign country.
Mandatory filing obligations are one key FIRRMA reform. Whereas CFIUS review had previously been triggered purely through a voluntary filing process, FIRRMA mandated filing in the case of: (1) investment in a U.S. “critical” technology, infrastructure, or data (TID) business where a U.S. export controls license would be required to ship the U.S. business’s critical technology to the foreign investor; or (2) foreign government investment in a U.S. TID business. Failure to comply exposes a company to fines up to the value of the transaction.
In 2020, the Treasury Department issued the Final Rule (31 CFR Part 800, Regulations Pertaining To Certain Investments In The United States By Foreign Persons), implementing many of the key portions of FIRRMA around the examination of investments in critical TID businesses and certain real estate and noncontrolling investments. For determining whether a transaction could trigger a mandatory declaration, the Final Rule created the “regulatory authorization” test. This test focuses on the export control classification of a U.S. business’s products and technologies and on the classification of each foreign party involved, including entities in the foreign investors’ or acquirers’ upstream ownership chains, each entity’s principal place of business, and the nationality of any person with direct or indirect ownership interests.
Effect of the Committee operating pursuant to all of the new requirements and processes
Unsurprisingly, CFIUS filings have risen in the wake of FIRRMA. In 2021, the first full year in which FIRRMA was in effect, according to the CFIUS 2021 Annual Report to Congress, there were 436 CFIUS filings (including covered transaction declarations (164) and covered transaction notices (272)), an increase from 313 in 2020 (126 declarations and 187 notices), and 325 in 2019 (94 declarations and 231 notices). Of the 436 filings, 50 pertained to companies from Canada, 45 were from China, and 37 were from Japan. Companies from Singapore, South Korea, and the Cayman Islands were also well-represented, with 24 filings from each of those countries. Acquisitions of U.S. critical technology businesses were a clear focus in 2021, with 184 such transactions reviewed, as compared to 122 in 2020 and just 92 in 2019.
Although CFIUS has broad authority, the Committee wields its powers in service of a singular priority. The aim is not to promote run-of-the-mill data privacy or to boost U.S. commercial interests over those of foreign competitors. Rather, the Committee’s mission is to protect the national security interests of the U.S. by preventing foreign nation-state bad actors from entering transactions for the purposes of espionage and counterintelligence aiming to compromise networks and exfiltrate data. Ultimately, the Committee’s mandate is to provide the President of the United States the power to protect the country and its citizens by intervening in transactions. This is a shared responsibility between the U.S. government and the private sector, and the CFIUS review process is not designed to be adversarial. However, companies that neglect to factor CFIUS into their decision-making can quickly find themselves in a predicament.
Examples of business impact
The Sony hack exemplifies the harmful impacts a cyber exfiltration incident can cause to national security. The attackers exfiltrated over 12 terabytes of documents. The content was released to multiple sites without regard for the health and welfare of innocent U.S. citizens impacted by exposure of their sensitive information.
Stories like the Sony hack have continued to pile up year after year as major cyber incidents continue to rain down on businesses in the U.S. Examples include the Colonial Pipeline and JBS Foods incidents. Clearly the CFIUS Committee has taken notice of the broad-reaching potential impacts of data compromise. In this climate of political uncertainty and nearly unlimited technology access, CFIUS must prevent foreign investments or acquisitions that would threaten U.S. national security if they slipped through without review. That is why there are specific mandated reviews, notices, and voluntary declarations.
Businesses, however, want to avoid having their transactions blocked or unwound because they could not meet the standards that CFIUS demands in the name of protecting U.S. national security interests. In 2018, a very public example occurred when CFIUS blocked Broadcom’s potential acquisition of Qualcomm. Think of the economic impact that this government intervention caused, with global supply chain ripple effects for critical technology used in many high-end technology products. Other organizations can learn from that example and anticipate what will happen with CFIUS, mitigating risks today rather than waiting until it is too late to put in place controls sufficient to satisfy the Committee’s expectations.
Accounting for CFIUS concerns as a critical part of deal analysis and negotiation
In an era of globalized capital pools, U.S. companies understandably are inclined to entertain investments from non-U.S. entities in addition to those from American investors. When all goes well, foreign investment can enable a U.S. business to grow significantly, benefitting the company’s U.S.-based employees and the wider U.S. economy. But technology, infrastructure, or data companies considering whether to accept foreign capital must be aware of CFIUS and its implications: a financial analysis that neglects to account for enterprise risk in relation to CFIUS is dangerously incomplete. The point is not to avoid foreign investment altogether, but rather to appreciate the likely complexities — companies must take a proactive approach to anticipating and addressing potential CFIUS concerns throughout the deal process.
Where CFIUS may be in play, it is important to understand the nature and duration of regulatory hurdles. Lack of preparation can delay deal closings significantly, or even lead to a deal’s rejection. An appropriately proactive approach starts with critically and objectively analyzing CFIUS concerns that may arise from the transaction. What mitigation terms may be required to address the concerns? Are those terms feasible?
Mitigation of CFIUS concerns should be embedded in the draft agreements defining the deal. Critical steps include ensuring that an adequate policy framework is in place, particularly for IT and cyber security. The U.S. company must identify protected data of American nationals and implement security protocols for handling that data. More broadly, it should ensure it knows the location of all protected and sensitive data and should implement role-based access controls that limit access to the appropriate employees. The stronger the company’s information governance structures are in general, the better positioned it will be to design and execute CFIUS-specific mitigation measures.
Complying with a CFIUS mitigation agreement
Although CFIUS will block transactions that raise the gravest concerns, a more common outcome is a negotiated mitigation agreement whereby the U.S. company commits to instituting safeguards to address the risks identified. Over 150 of these agreements are currently in place, and although each is tailored to the particular threat to be mitigated, there are some common patterns. A mitigation agreement would typically prohibit the integration of IT systems and/or operations with those of a foreign company and would ensure that the foreign investor does not influence decisions of significance to national security. Among the matters to be addressed would be storage and access to sensitive personal data and to software source code. The agreement may limit the handling of certain products and services only to U.S. citizens physically present in the United States. It also may restrict intellectual property transfers or impose limits on contracting with the U.S. government.
Creating adequate governance structures is an important component of a mitigation agreement. Foreign participation on the board of directors is typically limited, if not prohibited. Additionally, the information that a foreign investor may be permitted to receive will be restricted. The company will generally appoint a security director to the board, tasked specifically with protecting the national security interest of the United States. It is also typical to appoint a security officer responsible for overseeing compliance with the full mitigation agreement.
CFIUS mitigation agreement compliance is a multifaceted process. The agreement will specify which government agencies are to play a lead oversight role, and the company must commit to periodic reporting to these agencies both on an annual basis and upon the occurrence of specified events. From time to time, the agencies will conduct on-site compliance reviews, but the bulk of auditing and monitoring is outsourced to third-party private sector service providers, as specified in the terms of the mitigation agreement. If anomalies or breaches are discovered or suspected, the lead agencies will conduct investigations and remedial actions, ranging from the imposition of financial penalties to the unilateral initiation of another review of the transaction.
The necessity of taking CFIUS review into account
At the time of the Sony Pictures hack, CFIUS reviews typically were not a topic of national conversation. Increasingly, however, the United States government, the business sector, and the broader public are paying closer attention to the threats posed by foreign nation-state bad actors like North Korea and, increasingly, China. The enactment of FIRRMA and the rising volume of CFIUS filings, along with substantially greater press coverage of these issues, are indicators that we are in a new era with respect to CFIUS review. Companies that fail to adjust accordingly will jeopardize their ability to navigate growth, whether in the acquisition or the strategic investment context.
Had Sony Pictures had the foresight to implement some of the measures that are required under CFIUS, even though they were not subject to an investigation, the results would not have been so devastating. This unfortunate incident exemplifies the vulnerabilities that lead to cyber breach-related harm caused by a foreign state, and thus the need for CFIUS reviews and investigations when investments or acquisitions are contemplated with foreign entities and persons. Because each CFIUS filing is distinct, involving a unique set of objectives tailored to the transaction, there is no standard template for how to handle CFIUS compliance. However, by getting proactive with your technology, controls, and response team, your organization will be in a better position to realize its growth and investment strategy, while avoiding harm to U.S. national security interests.
About the Author
Matthew L. Miller, Esq., is Senior Vice President and Global Information Governance Advisory Services Leader at HaystackID, a specialized eDiscovery services firm handling complex, data-intensive investigations and litigation. With nearly 20 years of field experience and a background in legal, forensics, and eDiscovery, followed by privacy, governance, and incident response, Matt is a multi-disciplined industry expert on organizational data challenges. He has led highly complex data breach incident response-related forensic investigations and multi-national, petabyte-scale data governance and privacy engagements, in addition to acting as a neutral eDiscovery expert and leading a third-party protected data monitor CFIUS program engagement.