How evolving CFIUS regulations are introducing increased challenges to US foreign investment
National consulting services — US foreign investment and CFIUS due diligence
The Committee on Foreign Investment in the United States — widening its reach and raising the bar.
The Committee on Foreign Investment in the United States (CFIUS) is a US government interagency committee whose responsibility is to review foreign investments in US businesses for national security implications. Historically, CFIUS reviews have focused on acquisitions resulting in foreign control of US businesses in industries representing traditional national security interests (e.g., defense contractors, manufacturing, high tech, oil and gas). In August 2018, the President signed into law the Foreign Investment Risk Review Modernization Act, which reformed, revamped and revitalized CFIUS. The enhanced law expanded CFIUS’s reach and, notably, also brought minority investments into scope, specifically in the field of emerging and critical technologies.
This gave CFIUS the ability to take a more critical look at all types of transactions in which US businesses may provide intellectual property and technological support to anyone in a foreign country.
Foreign investors and US companies alike must be prepared to deal with additional regulatory hurdles. Businesses must consider their critical data assets, their existing security controls and the mitigation strategies needed to close any gaps. Lack of preparedness can cause major delays in deal closings and, in certain instances, deal rejections altogether. The heightened scrutiny of these transactions has also led to historic fines levied by CFIUS. Noncompliance with mitigation agreements can cost an organization up to $250,000 per violation or up to the value of the covered transaction, whichever is greater.
EY teams can help your organization throughout the entire CFIUS life cycle, supporting your company’s growth and investment strategy.
How EY teams can help
EY cybersecurity service offerings can assist organizations throughout the CFIUS life cycle. EY CFIUS cybersecurity services harness knowledge of industry-recognized cyber practices (e.g., ISO, NIST) and enterprise-level critical information asset identification, and apply leading next-generation EY cybersecurity offerings focused on the access, protection and monitoring of your organization’s most critical assets. The thorough and proven EY methodologies support CFIUS readiness, strategic mitigation planning, mitigation implementation and holistic program development, as well as independent audits and assessments of CFIUS compliance.
EY CFIUS cybersecurity services
- Understanding your organization’s current cybersecurity administrative controls and technical competencies, and how they align with CFIUS’s requirements
- Mapping current capabilities to the requirements agreed to in your National Security Agreement (NSA) and to industry-leading practices, identifying key gaps and creating remediation plans to close them
- Supporting the implementation of mitigation plans to meet NSA requirements, including building entire CFIUS-specific security compliance programs
- Periodically analyzing in-scope systems for unauthorized use or access, attending important meetings, and leading and supporting communications with CFIUS, all while keeping a watchful eye on overall compliance risk and escalating as required by your NSA
- Reviewing NSAs, existing controls, mitigation plans and program developments for accuracy and overall compliance; developing reports for internal use or delivery to regulatory bodies
Critical asset protection and planning
Although there are many essential aspects to meeting your organization’s CFIUS and NSA requirements, the most challenging and critical requirements focus on the identification and safeguarding of critical information assets. The completeness and accuracy of enterprise-critical asset identification, monitoring and security are vital to a comprehensive CFIUS cybersecurity program.
EY teams can assist you with the following:
- Collect, review and assess policies, procedures and standards to understand existing security controls
- Meet with the organization’s business, cybersecurity and risk professionals to gain an understanding of the cybersecurity program
- Assess administrative and technical controls against global standards (e.g., ISO, NIST) and leading practices to identify gaps
- Interview and shadow data stewards of relevant data sets to review business processes and the business’s understanding of critical data sets
- Create mitigation initiatives with a focus on enhancing identification of critical information and closing identified gaps in security controls
- Leverage the EY critical asset identification toolkit to analyze digital assets and identify regulated and controlled information; collaborate closely with the business for efficiency and accuracy
- Based on critical asset analysis, build use cases and a data attribute listing for ongoing identification and protection of required information
- Identify a segmented, controlled environment and migrate identified information, or close security gaps in existing identified systems, transforming the cybersecurity program to meet CFIUS requirements
- Help implement robust monitoring and auditing capabilities for periodic reporting to CFIUS monitoring agencies