[co-authors: Matt Miller, Christopher Wall, James Branch, Michael Amaral]
Editor’s Note: On July 27, 2022, HaystackID shared an educational webcast on the topic of Committee on Foreign Investment in the United States (CFIUS) compliance. CFIUS is a U.S. government interagency committee with the responsibility to review foreign investments in U.S. businesses and real estate transactions for national security implications. CFIUS is ultimately concerned with protecting the national security of the U.S. via a National Security Agreement (NSA) with the business.
The presentation was developed and shared by our team of experts who are approved by the CFIUS Monitoring Agencies (CMAs) and who bring first-hand delivery of CFIUS Third-Party Provider services in areas ranging from data protection and privacy to identity access management and data loss prevention. During the presentation, our experts discussed and explained many of the best approaches, protocols, and practices for successfully guiding an organization’s data in a world of nation-state bad actors and insider threats.
While the entire recorded presentation is available for on-demand viewing, provided for your convenience is a complete transcript of the presentation.
[Webcast] CFIUS Compliance: Your Organization’s Growth and Investment Strategy May Be a Matter of National Security
Presenting Expert
+ Matt Miller
Senior Vice President, Global Advisory Services Leader, HaystackID
+ Christopher Wall
Data Protection Officer and Special Counsel, Global Privacy and Forensics, HaystackID
+James Branch
Information governance and Data Privacy Consultant, HaystackID
+ Michael Amaral
Director of Global Strategic Technology Partnerships, HaystackID
Presentation Transcript
Moderator
Hello, everyone, and welcome to today’s webinar. We’ve got a great presentation lined up for you today, but before we get started, there are just a few general admin points to cover.
First and foremost, please use the online question tool to post any questions that you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please let us know using that same questions tool, and a member of our admin team will be on hand to support you. And finally, just to note, this session is being recorded and we’ll be sharing a copy of that with you via email in the coming days.
So, without further ado, I’d like to hand it over to our speakers to get us started.
Matt Miller
Hello, and welcome from HaystackID. I hope you’re having a great week. My name is Matt Miller, and on behalf of the entire team here at HaystackID, I would like to thank you for attending today’s presentation and discussion titled: “CFIUS Compliance: Your Organization’s Growth and Investment Strategy May Be a Matter of National Security”.
Today’s webcast is part of HaystackID’s regular series of educational presentations, developed to ensure listeners are proactively prepared to achieve their cybersecurity, information governance, and eDiscovery objectives.
Our expert presenters for today’s webcast include individuals and experts with a deep understanding of investigation supporting the Committee on Foreign Investments in the United States, more commonly referred to by the acronym CFIUS.
So my name is Matthew Miller. I am the Senior Vice President, Global Information Governance Advisory Services Leader here at HaystackID, based out in LA. I’m currently involved in leading an actual CFIUS third-party monitor provider portion of a client project. I started off as a construction litigation attorney almost 20 years ago, and have been working in the crossover between legal and technology and cybersecurity for about the past 14 years.
Let’s have the rest of our panelists introduce themselves. I believe next up is Chris.
Christopher Wall
Hey, thanks, Matt. So my name is Chris Wall and I’m HaystackID’s DPO (Data Protection Officer), and I also serve as HaystackID’s Special Counsel in our Global Privacy and Forensics practice. I’m a recovering antitrust lawyer, and I’ve pretty much lived and breathed electronic evidence since leaving traditional law practice in 2002. I’ve worked in the discovery, cyber, data analytics, and privacy space for nearly 25 years now. I’ve one of the greatest jobs in the world, as I help our clients navigate privacy regulations, and help protect individuals’ personal information, and help make sure that we’re compliant regarding use, transfer, and all other things data. James?
James Branch
Hey, everybody, this is James Branch. I’ve been in technology for over 30 years, and I’ve had several titles inside the technology industry, including CTO, CISO, and I’ve always handled the compliance and the risk within those organizations, and I’ve been fortunate to work in multiple industries (banking, private equity, real estate), as well as litigation support and services, which is the work I’m obviously doing here now. Great to work with you guys and have this meeting, and over to you Michael.
Michael Amaral
Morning, everybody. Mike Amaral, I run the Strategic Technology Partnership with the Advisory Services group. Basically, I am a data technologist with over 30 years of experience, trying to solve complex data problems using technology. So I work hand-in-hand with Chris and James and Matt, trying to figure out how we can solve problems and operationalize the solutions.
Matt Miller
Great. And so we can move on to the next slide, and one thing that I’ll quickly point out is the diversity in the group that we have here talking to you today. Data privacy, governance, IT security, IT, it’s a… You need these different, various types of backgrounds to be able to handle these CFIUS projects, and it’s not a one-person-can-do-it show, and that’s why our agenda really covers everything that you’re going to see come up on any one of these types of projects. If we can quickly move to the next slide, because we have a ton of content to cover today.
But we’re going to start at the beginning, in order to understand where CFIUS comes from, and what is the current landscape. We can move to the first slide there.
So what exactly is CFIUS? It is a US government interagency committee that is tasked with identifying and mitigating US national security risks arising from foreign investments in US businesses. It’s a little bit of a mouthful, so we’re going to break that down over the course of the next three slides or so. We can move to the next.
So interagency committee. So the CFIUS committee and some people call it CFIUS, some people call it “the committee”, some people even call it the CMAs, which are the committee members that are managing these different projects, but it’s a group of all these different US government agencies that have a vested interest in protecting the national security of the United States, and protecting it from what? Foreign direct investments in US businesses. So Justice, Defense, State, Commerce, Energy, Homeland Security, the US Trade Representative, and Science and Technology Policy Office, those are the main groups right there that all sit under the chair of the US Treasury. And the ones that we’ve been involved in, typically they’re being headed up by the Department of Justice and Treasury, seem to be the two most vocal teams at least in the different CFIUS ones that we’ve been involved with. Let’s move to the next one.
And so, what do they review is these different kinds of transactions, the transactions that involve these foreign direct investments in the United States, in the event of a merger, an acquisition, a takeover, and taking over the ownership interest in an entity in the US, depending on is it a person, and where are they from, and that’s what a lot of this is about, and when trying to figure out is this a covered transaction that the CFIUS committee is going to review. And when it says mandating a review for specific types of transactions, that means that it’s guaranteed, if you meet certain criteria, that the CFIUS committee is going to be involved in reviewing that transaction. So, let’s move to the next and dig into that a little further.
So national security, what is that itself? What are we trying to protect here? And we’re trying to protect the data in the United States from threats, vulnerabilities, and the consequences, ultimately, to national security, the effects on the US that could reasonably result from the exploitation of vulnerabilities by those foreign threat actors. We put up here that it doesn’t mean economic security, it doesn’t mean economic interest, because there is presidential power to help appoint the CFIUS committees. And so, the structure and the construct of who’s involved will change and vary over time based on administration, who’s the president in charge, will have some effects on the actual CFIUS committee. But if we go forward I think two slides—
Christopher Wall
Matt, I’m going to chime in here. I think we have to point out one thing, if I can, if I can just chime in here.
Matt Miller
Go nuts. Let’s do it.
Christopher Wall
CFIUS has a lot of power here to effect deals happening through foreign investment, right, but I think it’s important to… I don’t think we can say it enough, that the committee tries to take into account the value of a free and open market when considering how to address these national security concerns. I mean, it’s a really tough balancing act in a lot of cases, but that’s what CFIUS is designed to do, is to strike that balance between that free, open market, and addressing national security concerns.
Matt Miller
That’s right. And, Chris, I appreciate you jumping in, and in fact, let me put it out there, guys, that anyone can jump in. You all know so much different stuff about this than I know. I’ve been reading the laws and doing a lot of the project management when you guys are pushing a lot of the buttons, so it’ll be really helpful for our audience.
So with the authority that Chris is talking about that CFIUS has with this broad jurisdiction and deference, over the course of time, this has become more defined. It started all the way back in 1950 with the Defense Production Act. ‘75 under President Ford, that’s when really CFIUS came to be where it is. It came in relation to the crisis related to OPEC and oil, and various global developments in the 1980s with Japanese investments all across the US. That was when the “Exon-Florio” law came in granting the president power to block the president itself, power to block proposed or pending-for mergers or acquisitions and takeovers that threaten to impair our national securities.
And look, we all watch the news, and we’ve suffered some tragedies over the years. I was in New York City… Well, I was in law school, September 11th, 2001, when the terrorist attacks occurred. And then there was, in 2006, a proposal for six US ports to be taken over, shipping ports, in 2006 by Dubai Ports World, and the CFIUS review procedures were brought up and, all of a sudden, gained national attention even though it’d really been out there for a long time. The rules were revamped in ‘08, and we’re going to get into a discussion around FIRRMA, which comes out in 2018, and the Final Rule, which is what we’re operating under today, that the Treasury Department has put out there related to mandatory CFIUS filings. Let’s move on to the next slide, but it’s a good history here.
So you’ve got the FIRRMA legislation, which has now been refined by the Treasury’s Final Rule. And so, under FIRRMA, under CFIUS, what we’re going to get into is that we’ve got these covered transactions, and that there are critical technologies, critical infrastructure and data in the United States, where, potentially, if this was compromised, would jeopardize the national security interest of the United States. And there’s a test that we’re going to talk about here. This regulatory authorization test is where a US export control license would be required to ship this type of product or service or data. If that would fall within that export control classification, then there’s going to be mandatory review. There’s a handful of… Let’s go to– quickly, let’s look at this because there was a handful– 27 different industries.
If we go to the next slide, there were 27 different industries that were known as the critical industries under FIRRMA. So, those 27 aren’t being adhered to today for this industry test. That’s kind of what the Final Rule replaced, but what is really important coming out of FIRRMA is, number one, it laid all of the grounds for the regulation and the definitions that are primary concern for CFIUS, and it spells out this TID word, which we’re going to really get into right now, related to these critical technologies, critical infrastructures, and sensitive data of the United States citizens, which is what we are really trying to protect here. Let’s move to the next slide.
Christopher Wall
What we’re looking at here, Matt, though, is with FIRRMA, we had this list, and I don’t think it was ever intended to be an exhaustive list, and then with the Final Rule, of course, based on NAICS Code, but… Then with the Final Rule, we’re not restricted to just those. We… It’s clear that we’re not restricted to just those industries. But I think it’s safe to say that if you’re engaging in a deal, or if you’re planning a deal, and you anticipate CFIUS concerns, and you’re in one of those industries, I think it’s a safe bet that you’re going to get some CFIUS scrutiny. Right?
Matt Miller
Yes, that’s… Absolutely. It’s not like they changed the law, and you are making guided missiles and space vehicles, and you no longer have to worry. You certainly do. In fact, it’s probably a heads up, Chris, that if you’re in this industry, there’s a really good chance that you will get a mandatory CFIUS review if you receive foreign investments. So let’s move to the next one, Lucy, thanks.
Alright, so we kind of covered it, but there’s actually a pretty good picture here of what you might see when you’re doing some research about the ownership and the original location of where the people or the organization comes from, the foreign organization that is actually investing in the US company. But what you can see here is on the left-hand side you’ve got literally the reasons for controls that have been set up. Obviously, I highlighted a particular country, because there are a handful of countries that the United States is more worried about, and those are on the right-hand side there, and we we’ll dig into some of the US, basically, security strategies over the past couple of decades that mentioned more than a handful of those countries that are on that list on the bottom right-hand side. But we’re talking about fully authorized by the president United States. There are nine different departments of the US government that all sit on this panel. It is extremely high level at the government, looked at by tons of eyes, every one of these transactions. Can’t stress enough how important it is. So let’s go to the next slide, which is why though? Why is it getting more attention now?
And so we’re going to quickly flip through this—
Christopher Wall
Let’s dive into that a little bit, because I think if we look at today’s markets, regardless of the industry sector, regardless of what they do, every industry today relies heavily on technology, and it’s pretty much digitally based. Because so much of today’s business is done electronically, there’s that ever-present cyber risk to business worldwide, and that cyber risk is equal here, perhaps more dangerous to businesses involved with maintaining the US’s national security. So technology, bad actors, nation states, and plenty of formal and informal organizations, who don’t have the best interest of the US or its citizens in mind, really have recognized the potential profits to be gained from access to, or simply from gathering American organizations’ data. And I think we just have to look at the news. Cyber-attacks are dinner table topics right now. The need for cybersecurity is so mainstream that I see my kids in classes in middle school and high school on cybersecurity. I mean, that’s how mainstream it is today. And while we’ve put into place a lot of controls to mitigate some of that risk, it’s impossible to completely eliminate it. It’s not going away, especially as these bad actors around the world become more sophisticated, and the nature of the attacks evolves.
So over the years, the US has enacted laws to protect the country’s for-profit businesses and to protect its citizens, who are the beneficiaries of those protections. So the bottom line is, I guess, literally the bottom line. We love foreign investment in the US. This is America, we’re a capitalist country. Investment helps drive the US economy, but CFIUS provides a check and balance to make sure that the capitalist principles aren’t outweighed by bad actors, foreign nations or hostile nation states, who want to harvest US citizens’ personal or private information, or do harm to the US in general.
Let’s go to the next one.
Matt Miller
Thank you, Chris. I’m going to come back to you in one sec, Chris, but let’s just… and also, let me tell the audience, you guys are going to have access to the recording here. We’ll be able to get you access to the transcript and the deck, so we don’t have to read every single word on every slide.
But let’s go, just real quick, to the next slide. But I wanted to show you here – and the panelists, we all thought “What is the national security strategy for the different administrations over the past two decades? Do they have any themes?” And there is a theme. They specifically name countries. Each different president over the past 20 years about us being vigilant and protecting ourselves from, namely the actions that get taken by the governments and government state-sponsored bad actors from China, Russia, and a tie for third between Iran and North Korea. Let’s go to the next one, Chris.
These countries, there’s a lot of trends going on. What are we seeing?
Christopher Wall
So, we mentioned really briefly earlier that CFIUS doesn’t provide precedent, mainly because their decisions aren’t published, for the most part, and because every deal is reviewed on its own merits. But we can definitely look at trends to see where the activity is and what’s likely to get scrutiny. So, to that end, I guess it’s instructive to look at the evolution of CFIUS over the years, and particularly from 2011 through 2020, which I guess were the latest years we were able to get data in time for us to do this presentation anyway.
And during that period, there were over 1,600 notices filed for transactions that were subject to CFIUS jurisdiction under Section 721. Approximately three-quarters of those notices were either in the manufacturing sector, that’s about 40%, or in finance, information, and the services sector, which is about 37%. And the remainder of the notices were in mining, utilities, and construction. And in, I guess, wholesale trade and transportation for the most part. So, that’s where the emphasis has been in those nine years. And anecdotally, over the last two years anyway, where we’ve seen a little bit of an uptick in CFIUS activity, that trend has continued. I don’t have the formal stats to share here, but that’s anecdotally where it stands. Let’s go to the next one.
So, we do need to look at market dynamics for why CFIUS and why now. And over the last decade, we’re all familiar with changing to new ways of working, and not just with the pandemic. But over the last decade, companies across all sectors have had to invest a lot of time and a lot of money in their digital transformation to support hybrid, remote and, well, agile working, I guess. So, technology transactions accounted for almost half of the worldwide technology sector deals in 2021, half. And there’s been a corresponding increase in the demand for underlying infrastructure. understandably, that includes fiber and other telecoms, and data centers, and not to mention the investment in P/E and infrastructure funds, generally. So, cybersecurity is obviously a very active space, and it’s big business, although probably not as big for the security companies as it is for the bad actors themselves. But companies that provide the underlying security services continue to grow quickly and fuel a lot of M&A activity.
So, in short, I guess, the nature of the deals that we’re seeing today is why CFIUS has more application. These are all areas where the money is and P/E and investments, generally, should kind of gravitate towards where the money is. And we live in a global economy, and much of the P/E and investment funds used for this kind of M&A activity isn’t US-sourced. Let’s go to the next one, Lucy.
So, finally, I guess we should mention that we’re seeing more activity on the CFIUS front because the money is there to make it happen. FIRRMA, as Matt mentioned, introduced numerous changes. Along with mandatory filings came mandatory filing fees. If you can charge for it, you should because it’s the American way.
FIRRMA also introduced fines, which we’ll talk about a little later in our discussion here this afternoon. But with those fines and fees, CFIUS now has funding to the tune of about 20 million a year, and staffing to go along with it. That $20 million comes, at least in part, from CFIUS filing fees and penalties.
So, when we ask the question about why now, at least some part of that answer lies in the fact that with increased funding comes an increased need to spend that funding. I think we can move to the next one, Lucy.
Matt Miller
So, Chris, can you get this started about what different types of transactions are actually covered? Because we talked about a couple of different types of covered transactions at the beginning.
Christopher Wall
Yes, let’s get into the meat of this a little bit. We talk about CFIUS Review, but let’s talk about what kinds of deals can they review. Let’s go to the next one, I think I’ve got an illustration there.
They have jurisdiction over any “covered transactions”. And those covered transactions essentially fall into three categories. First, real estate transactions. Second, control transactions, which are the historical or traditional basis for CFIUS jurisdiction. That’s where a foreign entity gets control of a US business. And then the third area are investment transactions. That’s what was brought about with FIRRMA. So, we’re going to talk about each one of those three types of transactions in turn.
But I’m also going to mention really quickly here that the committee can also look at transactions when they involve a change in rights, which occurs when a change in rights could result in a covered control transaction or a covered investment transaction, so adding in rights, maybe that’s voting rights or something.
And then second, for evasion or circumvention transactions, which occur when the structure of the transaction is designed or maybe is intended specifically to evade or circumvent CFIUS’s oversight. So, they also have the jurisdiction to look at those. Let’s go to the next one and talk about real estate.
We’re not going to spend much time here at all on this particular aspect of CFIUS’s jurisdiction. But there are situations where acquisitions of real estate may be subjected to CFIUS review. For example, where a foreign person or a government wants to purchase land close to a US military installation or a sensitive US government facility. In those cases, those real estate transactions are subject to the same kind of analysis that CFIUS would give to other deals. And of course, CFIUS can look at change of rights or evasion, circumvention considerations with real estate transactions as they would with any other.
Again, with that said, during today’s session – and we’re going to be talking strictly about control and investment jurisdiction and not about real estate, just because it doesn’t come up too frequently with what we’re talking about primarily today. Let’s go to the next one, Lucy.
So, I think we ought to move on and talk a little bit about the traditional purview of CFIUS. James, do you want to chime in here?
James Branch
Sure, thanks, Chris. So, covered control transactions, take a look at that first paragraph on the top right. “Any transaction… by or with any foreign person that could result in foreign control of any US business, including such a transaction carried out through a joint venture.”
If we break that down a little, we see that all of these definitions are loose by design. The word “transactions” includes mergers and acquisitions, the acquisitions of any equity or voting interests, joint ventures, or even a long-term lease. The term “could result in control” language is interpreted broadly by CFIUS. So, if there’s a remote possibility that the deal will result in a change in control, CFIUS will want to look at it.
And then there’s the term “US business” is also broadly defined by CFIUS, and it includes pretty much any business that is engaged in interstate commerce in the US, that includes a US branch or a subsidiary of a non-US company. That said, a foreign company that has no real presence, no employees, but maybe provides sales or support in the US is probably not a US business.
And then there’s the word “foreign”. That word, “foreign”, means that the ultimate owner is US businesses that are owned or controlled by foreigners are still foreign persons. We’ll send this over to Mike on the next slide.
Michael Amaral
Thanks, James. We’ve talked about control transactions, but really where we’re seeing the most action over the last few years, especially, is in the investment transactions. If you recall, FIRRMA granted CFIUS jurisdiction to review non-controlling investment in certain US businesses. And you’ll hear that commonly referred to as TID, and that stands for critical technology, critical infrastructure, and data.
And as Chris mentioned earlier, we’re becoming a global economy, global society where data is all in the cloud, and data now has a value to it. But what’s really interesting here is it’s not controlling interest. So, it’s saying covered investment transactions are those that Foreign Investment Risk Review Act of 2018 gain non-controlling interest of US businesses. So, it doesn’t have to be ownership anymore. And if we move to the next slide, we’ll start breaking down the actual covered pieces of it.
Critical technologies are defined as items on the United States Munitions List, Commerce Control List which we talked about earlier, nuclear equipment, select agents and toxins, emerging and fundamental technologies controlled under the Export Control Reform Act. It’s a lot of legalese. But the US, basically, looks at these transactions if you’re in one of these critical technology industries, and can apply the same rules to it. Next slide.
Critical infrastructure. We’ve all watched the news and we saw a US pipeline get shut down because of ransomware and those things. We don’t want foreign – if you are involved in critical telecommunications, satellites, financial market, power systems, you could almost guarantee CFIUS is going to get involved in any transaction that involves foreign investment. Next slide.
Really, where we’ve seen the most growth is in the data piece. Any business that engages with sensitive data, maintain, collect, directly, or indirectly the sensitive personal data of US citizens.
Christopher Wall
So, Mike, I’m the privacy guy, so you know I’ve got to weigh in on this.
Michael Amaral
Yes, to me, Chris, this is the biggest piece of where we’re seeing the activity.
Christopher Wall
Clearly, as we live in a digital world and information sharing is critical to doing business, whatever your business is. But arguably, control of that information is probably even more critical. So, we’re all familiar with the idea of losing access control of our personal information, it’s called identity theft. So, obviously, unfettered access to personal information can put individuals at risk for fraud and identity theft.
But similarly, for a business having control of a million or more individuals’ personal data can create a significant national security risk. And so, we’ve outlined here three threshold criteria for when data, when this D part of TID comes into play and CFIUS can exert jurisdiction.
The data has to identify a real person, that’s not a company, an actual person. And just as with most privacy laws here, if that data is aggregated, or de-identified, or anonymized, it’s likely exempt. It’s not going to meet that criterion.
The other criterion is financial data, which includes consumer reports, insurance applications, or health info, or some genetic data. Or if the business collects data for over a million individuals, that’s what I mentioned before. Or if it intends to collect over a million individuals.
So, if they’re a business entity collecting data, kind of that’s their business model, that’s going to subject them to this jurisdiction.
So, there’s a lot of overlap here with privacy laws, specifically in Illinois, Texas, Washington with their biometrics laws, and existing and imminent privacy laws in California, Colorado, Connecticut, Utah, and Virginia. If you’re in compliance with those privacy laws already, there’s a good chance that you already have a headstart for this kind of CFIUS scrutiny.
Michael Amaral
And Chris, I just wanted to point out that that million individuals, they don’t have to be US citizens.
Christopher Wall
Yes, that’s a really—
Michael Amaral
That makes this even a broader net.
Christopher Wall
The focus, of course, is on US citizens. That’s the important thing. And if we look at personal data protections around the world, we can see a lot of different approaches to privacy in different places. The GDPR, for instance in Europe, emphasizes protection of the individual. China’s PIPL and other privacy or security laws focus on protecting the state. And in the US, we focus on the rights of the consumer, and CFIUS translates that consumer protection writ large into protection of US national interests. Sorry, I can talk a lot about this. So, let’s move onto the next one.
Matt Miller
Guys, that’s a great setup with the TID’s for bringing it to the second half of this discussion. And what does this mean for the actual companies, the people who are on this phone call listening in, and the different types of professionals? So, let’s go to the next one, Lucy. Let’s talk a little bit about how enterprise risk management is really now a function of the entire organization when CFIUS is involved.
And that’s because the potential implications of these rules that have evolved since the Defense Act of 1950. We’ve got 70 years’ worth of background here, and it affects every single line of business withinside the organization. Let’s look at the next one. Let’s talk about this with the team. Let’s break down with the folks here on the phone.
Chris, you want to talk a little bit about – we’re going to go line of business by line of business. What does it mean for this department, the legal department, what do they have to do in a CFIUS transaction?
Christopher Wall
I’d look at, primarily, three different ways. And legal plays a coordinating role since it needs to have a fundamental understanding of the other team members’ roles and bring them together in negotiating terms with CFIUS and CMAs and leveraging their various roles and responsibilities.
So, I would say the second thing is legal is also responsible for negotiating mitigation terms, which we’re going to talk about here, I think, briefly. Those mitigations have to protect US interests without too much hardship on the business itself, or chilling the positive effects of international investment.
And I guess the third area and maybe the most important is legal plays that critical role in negotiating the roles – lots of roles here – played by monitors and service providers, who will implement the negotiated mitigations that CFIUS puts in place.
Matt Miller
And Mike, what about compliance? What is that team going to be dealing with during one of these responses or ongoing mitigation activities?
Michael Amaral
Matt, they’re a key component in this. They’re one of the major stakeholders. They’re the evaluator of enterprise risk. And they end up working with the audit team to supply the monitor with the reports. They work with security and privacy to ensure that we have all the controls in place, that we’re hearing with not only the NSA but any other rules that we need to apply to here.
Matt Miller
So, Chris, compliance, the privacy crossover Mike just talked about.
Christopher Wall
Sure, yes, I mentioned this before, but a lot of the analysis that we do here is very similar to what you might do with a privacy assessment. And it involves classification of the data, identification of data flows, including identification of third-party access. Identification of potential breach or data loss risks, and putting in place appropriate controls to mitigate those risks.
And so, CFIUS mitigations may look different from regular privacy mitigations, and may be layered on top of existing and newly implemented privacy controls. But the foundations are going to be essentially the same. That’s going to be the big part.
And I will just mention one little academic note here about privacy in the CFIUS context. And in the privacy world, we tend to look at everything in terms of who is the data controller and who is the processor. But hypothetically, let’s say, a US social media company is engaged in the business of collecting short video clips. Anyway, when that business… and they receive investment from a foreign investor, when that business has to engage a third-party monitor or an auditor, that monitor or auditor has a fiduciary duty to the US government, and not to either party to the transaction.
So, in privacy terms, that raises real questions about whether the monitor is a controller or a processor. Normally, it would be pretty clear, but that’s something that you need to look at closely as you put together your NSAs, so your agreements and how you’re going to accomplish the mitigation that the committee puts in place.
Matt Miller
And so, from an information governance perspective, you’ve got to operationalize all these different policies on the network when there’s relevant records containing sensitive and material non-public technical information so that these controls can be implemented by the IT security team, right James?
James Branch
Yes. Security, you really need to pay close attention to this one because besides just safeguarding your infrastructure and your data from outside, you also – the NSA or the CFIUS contract may specify that you need to isolate the data from even the foreign investors that are a part of the structure. The CFIUS may say these clients can’t have access to that data, especially if it’s US personal data. That’s something else that you definitely want to be factoring in.
Matt Miller
And so, Lucy, let’s real quick go through the next – to the costs here, the filing fees and penalties.
So, look, there’s a transaction, it’s about to take place. 1% of that transaction, not to exceed 300,000, that’s the first fee that’s going to be paid. In many of the different cases, as we’ve talked about, it’s going to be mandatory to file with the CFIUS committee.
Christopher Wall
This is the fear of god part of the presentation. What happens if you ignore CFIUS? What does it cost if you don’t? And I think the key takeaway from this particular slide or the part of our presentation is since the passage of FIRRMA, CFIUS has imposed at least three six and seven-figure fines for mitigation agreement breaches. So, it has teeth, and I think that’s the real takeaway here.
Matt Miller
Yes, the next slide. And so, there is a methodology for the CFIUS committee of how they come to those fines. And they are here.
At the end of the day, I think what’s important here is that this is to incentivize companies to do the right thing. The committee itself, and it’s bulleted at the bottom, I’ve seen this firsthand. Open communication with the committee, especially if there’s a breach, they want you to self-report. It’s supposed to be a partnership between the CFIUS committee and the monitor, and the provider, and the company itself to protect the security interests of the United States. We’ve got to be thinking from a 50,000-foot view, not the 5,000-foot view, just what’s right in front of you. So, let’s move into the section, and probably the most important part of this that everyone’s been waiting for is how do we get ready.
There are all these laws. We’ve been through it. There are all the different kinds of companies that they have jurisdictions over, that the government has jurisdiction over in this particular context. Mike, how about some – what are the… out of this list of tips, give us your top two or three that stand out, that have come up in the different projects that we’ve been working on.
Michael Amaral
Matt, to me, and I think Chris mentioned it earlier, if you’re the company seeking an investment and you have your security policies in place, you have a good privacy framework in place, you know where this critical information is, and it’s already secured. When you bring the transaction to CFIUS, there will be less concerns about next steps. Really, if you treat CFIUS, as Chris said, as almost as a form of a privacy program, or a privacy mandate depending on your industry, or especially the data side of it, if you prepare the same way you would put that program in place for the California Privacy Act or any of the other upcoming ones, you’ll have a good starting point towards compliance with whatever your NSA turns out to be.
Matt Miller
So, let’s go to the next one. On these proactive tips, I think, James, from your role, you come out of IT security, you’ve seen this thing firsthand, you’re working on the ground, in between the monitor, as the provider of data services dealing with the CMAs. Tell us about these IT security proactive tips. What can these teams do to get ready?
James Branch
The key word on this slide is the very first one, it’s “proactive”. You want to get on these things, you want to get on them quickly, or at least put together a plan, and then communicate the plan back to CFIUS. And then execute that plan.
And I’ll just quickly go through these, but the items that I found that they really like to understand that you’re doing, role-based access controls, assess and enhance management and administration of protected data, infrastructure, and technology. And then there’s the DLP, IAM, the SIEMs, and the MDMs, those are all great, you want to put those things together and have a plan if you don’t already.
You want to make use of limited access protocols, and the principle of least privilege. Put that together. Have that ready for the CMA.
And have a good data classification policy and data map. You should know where all your protected data is located, and who has access to that data. The protected data should only exist in defined locations defined in the NSA.
Thank you, Matt.
Matt Miller
That’s great. And so, let’s talk about getting right into – let’s skip a couple of slides here, just in the interest of time. Let’s start talking about this plan itself.
So, James, you just hit on a couple of these topics. We’ve got, what, about 12 topics here, actually maybe 15. Each one of these different things that you see in the box, each one of these is important in this project.
James, give me your top three that, on a daily basis, you’re dealing with.
James Branch
The ones that really go a long way, that can really get you the biggest bang for the buck is change management. Have a really good defined program for change management, and have a combination of technical and administrative and management people inside that committee reviewing the changes, and then signing off on it. You want to make sure everybody is represented.
Risk management, that’s also something. Don’t underestimate the value of risk management. Especially the technical people, they love to work on those things and say, “Hey, let’s do what-if. What’s the worst that could happen here for this situation and this situation?”
And then the last one here I want to talk about is the security awareness education and testing. To me, this is one of those areas that is never set up as good as I’d like to see it. I’d like to see this to be a monthly awareness training for employees. You want to first embed the seed, but then you want to consistently remind them and say… the common thing you’ll hear people say is you are the last layer of defense, and that’s what the end-users are. You want to keep reminding them of that.
And all of these are important, but those are my top three, Matt.
Matt Miller
James, that hit on something we started talking about is that it does really run to everybody in the organization, that everyone does have a responsibility here to help protect the security interests.
Mike, you’re doing this on a day-to-day basis as well. You’re working with systems admins. Are there a couple more on this list that stand out to you?
Michael Amaral
Again, and I go back to I’m a data guy. And so, really, it’s access controls, and make sure we know who is accessing it and why they need access to it. Role-based permissions. And like James said in the earlier slide, least privilege access. Just because you and I do the same job function, we may not need the same access to the data, or whatever the protected item is.
Matt Miller
So, how do we put that plan in place, James, Mike?
James Branch
What we’ve been doing is having three stages with our CFIUS contracts that we’ve done. There’s the first stage, and this is prior to the filing stage. And you want to assess the impact on your business and your operational areas as well as your technology and data privacy. That’s prior to the filing. And you want to have a good plan and make sure that you’re addressing all of those things.
And then you get into stage two. And when you get into that stage, and this is after the filing and you really start to focus on items such as risk assessment, mitigation planning, as well as getting ready for planning for audits and compliance assessments. That’s stage two, and I’m really going through this fast because of time here.
And then there’s stage three. And this is the mitigation after your organization and the CFIUS CMAs sign the NSA. You want to run tabletop exercises. You want to have your penetration testing inside here. Our Gantt charts are not rocket science, but the sequencing of the stage towards remediating gaps and improving protection is a science. Those are the ones that come to the top of my head here.
Mike, what about you? Do you have a couple you want to add here?
Michael Amaral
No, I think this is important, but in stage two, this is an ever-breathing – there is no end to the CFIUS involvement once you’re involved in one of these transactions.
And so, it’s a continually improving and redefining process. So, this is stage one, stage two, and stage three. But really, stage three will fall back to stage two. You’ll reassess, you’ll re-mitigate, and you’ll report through the whole process.
Matt Miller
That’s right. Lucy, let’s go to the last section here and if we can go to the next slide. Chris, some final thoughts around getting this third-party monitor and provider in place.
Christopher Wall
As part of your mitigation plan, the NSA requires a third-party monitor, or an auditor, I guess. That third-party monitor has to have on-point experience, has to have some technical and industry expertise, and some trusted objectivity, especially when it comes to the complex technologies, and data, and the types of transactions subject to NSAs.
That third-party monitor should be comprised of a whole team, a team of professionals. And not just a big personality or a well-qualified single person. And that team should, again, have demonstrable technical skills, industry knowledge, and proven leadership and credibility. So, we can go to the next one, I guess.
Matt Miller
And we’ve talked a lot about this team. James, talk to us quickly about data protection, sensitive personal data. How does that play across all of these different functions, the data privacy officer, the information security officer, risk and compliance officer?
James Branch
Yes, it’s really important, especially for transactions that involve data of US citizens. You’ll see another term here, I want to introduce here late into the slides is the “third-party provider”.
If the transaction involves a lot of US data, the NSA contract may require another party to be – in addition to the monitor, but they call it the third-party provider, and then what they do is they actually oversee the data. Their job is to take the extra steps in order to make sure that that data is well protected, not just from your traditional firewalls and things like that. As I talked about it earlier, they want to know exactly who has access to that data. And they don’t want the foreign investment to be able to have access to that data.
And so, the skill sets of a DPO and a CISO, a CCO, and a CRO, you really need to have all of those on your team in order to put that type of a plan together.
Matt, I’m going to send this back to you.
Matt Miller
So, we talked a lot about the ways that we can get there, the different groups that need to be involved, some of the skill sets that they need to have. And that there is a method to the madness to be able to handle these types of complicated transactions. We typically set them up with a diagnose-plan-and-implement phase, clearly, as discussed in the past couple of slides by James and Mike. We could literally – we have enough content in here that we could have probably talked to you for three, four hours.
And if there’s anyone out there in the audience that would like to talk further, we certainly would be happy to do that. And considering that today’s webcast presentation is being recorded for future on-demand viewing, and a copy of the presentation will be available for all attendees once the on-demand version is done, we expect those items to be available on the HaystackID website soon after we complete this presentation.
So, that is where we are at. And at this time, we have brought you to the end. We hope we’ve given you some ideas, some takeaways, some conceptual things that you might be able to put in place at your organization. We, again, are really out here to try and help companies get through these transactions in a more efficient and cost-effective manner. I think that our cross-disciplinary team brings such different viewpoints to the table, with all the field experience that we’ve seen that we can bring that and help your cross-disciplinary team work better.
And I really want to thank my cross-disciplinary team, the entire team for all of the information and insight. And I want to thank everybody in the audience. We understand it takes time to get here and sit with us today, and we appreciate you for making that time in your schedule for today’s webcast.
We also hope you’ll have an opportunity to attend our August monthly webcast currently scheduled for August 17th and August 31st. These upcoming webcasts will feature expert presentations and discussions ranging from Blockchain and cryptocurrency investigations to data mining and incident response. And you can learn more about those and register for upcoming webcasts, and review our whole library of on-demand webcasts on our website at haystackid.com. we’ve got ones that Chris and I have participated in that are up there related to data privacy, IT security, information governance, and that’s all on haystackid.com.
So, thank you again for attending today, and have a great day. We really appreciate it.