How evolving CFIUS regulations are introducing increased challenges to US foreign investment

National consulting services — US foreign investment and CFIUS due diligence


The Committee on Foreign Investment in the United States — widening its reach and raising the bar.

The Committee on Foreign Investment in the United States (CFIUS) is a US government interagency committee whose responsibility is to review foreign investments of US businesses for national security implications. Historically, CFIUS reviews have been focused on acquisitions resulting in foreign control of US businesses in industries representing traditional national security interests (i.e., defense contractors, manufacturing, high tech, oil and gas). In August 2018, the President signed into law the Foreign Investment Risk Review Modernization Act, which reformed, revamped and revitalized CFIUS. The enhanced law expanded CFIUS’s reach and, notably, also included minority investments, specifically in the field of emerging and critical technologies.

This introduced the ability of CFIUS to take a more critical look at all types of transactions where US businesses may provide intellectual property and technological support to anyone in a foreign country.

Foreign investors, and US companies alike, must be prepared to deal with additional regulatory hurdles. Businesses must consider critical data assets, their existing security controls and mitigation strategies to close any gaps. Lack of preparedness can cause major delays in deal closings and, in certain instances, deal rejections altogether. The heightened scrutiny of these transactions has also led to historical fines levied by CFIUS. Noncompliance with mitigation agreements can cost an organization up to $250,000 per violation or up to the value of the covered transaction, whichever is greater.

EY teams can help your organization throughout the entire CFIUS life cycle, supporting your company’s growth and investment strategy.

How EY teams can help

EY cybersecurity service offerings can assist organizations throughout the CFIUS life cycle. EY CFIUS cybersecurity services harness knowledge of industry-recognized cyber practices (i.e., ISO, NIST) and enterprise-level critical information asset identification and apply leading, next-gen cybersecurity EY offerings focusing on the access, protection and monitoring of your organization’s most critical assets. The thorough and proven EY methodologies support CFIUS readiness, strategic mitigation planning, mitigation implementation and holistic program development, as well as independent audits and assessments of CFIUS compliance.

EY CFIUS cybersecurity services


  • Readiness

    Understanding your organization’s current cybersecurity administrative controls and technical competencies, and how they align with CFIUS’s requirements

  • Risk assessment and mitigation planning

    Mapping current capabilities to requirements agreed to in your National Security Agreement (NSA) and industry-leading practices, identifying key gaps and creating remediation plans to close associated gaps

  • Implementation support and program development

    Supporting the implementation of mitigation plans to meet NSA requirements, inclusive of building entire CFIUS-specific security compliance programs

  • Security monitoring

    Periodically analyzing in-scope systems for unauthorized use or access, attending important meetings, and leading and supporting communications with CFIUS, all while keeping a watchful eye on overall compliance risk and escalating as required by your NSA

  • Independent audits, compliance assessments and reporting

    Reviewing NSAs, existing controls, mitigation plans and program developments for accuracy and overall compliance; developing reports for internal use or delivery to regulatory bodies

EY services aligned to the CFIUS life cycle

Critical asset protection and planning

Although there are many essential aspects to meet your organization’s CFIUS and NSA requirements, the most challenging and critical requirements focus on the identification and safeguarding of critical information assets. The completeness and accuracy of enterprise-critical asset identification, monitoring and security are vital for a comprehensive CFIUS cybersecurity program.

EY teams can assist you with the following:

Diagnose
  • Collect, review and assess policies, procedures and standards to understand existing security controls
  • Meet with the organization’s business, cybersecurity and risk professionals to gain an understanding of the cybersecurity program
  • Assess administrative and technical controls against global standards (i.e., ISO, NIST) and leading practices to identify gaps
  • Interview and shadow data stewards of relevant data sets to review business processes and the business’s understanding of critical data sets
Plan
  • Create mitigation initiatives with a focus on enhancing identification of critical information and closing identified gaps in security controls
Help implement
  • Leverage the EY critical asset identification toolkit to analyze digital assets and identify regulatory controlled information; collaborate closely with the business for efficiency and accuracy
  • Based on critical asset analysis, build use cases and a data attribute listing for ongoing identification and protection of required information
  • Identify a segmented, controlled environment and migrate identified information, or close security gaps in existing identified systems, transforming the cybersecurity program to meet CFIUS requirements
  • Help implement robust monitoring and auditing capabilities for periodic reporting to CFIUS monitoring agencies
