June 15, 2021

National Security: CFIUS’s Cybersecurity Compliance Expectations

Recent cyber attacks targeting U.S. businesses & President Biden’s executive order aimed at enhancing the nation’s cybersecurity posture have focused attention on the need for companies to improve their own cyber defenses.  This FTI memo says that those efforts to improve cybersecurity are even more critical for companies that may become subject to CFIUS’s scrutiny.

In the current environment, U.S. businesses involved with critical technologies, infrastructure or sensitive data could face increased governmental scrutiny. If those businesses are backed by foreign investors, failure to satisfy that scrutiny could result in greater difficulty in obtaining CFIUS approval for future deals or, in the worst case scenario, an order to divest from a previously completed transaction. This excerpt from the memo provides some of the actions parties should take to help ensure that they are prepared to meet CFIUS’s cyber compliance expectations:

For parties pursuing a deal, assessing cybersecurity posture is critical to meeting CFIUS’ compliance expectations. That might seem straightforward, but it’s easy to get caught in a web of potentially overlapping compliance and regulatory standards. Here are primary actions parties must consider:

– Conduct a regulatory gap assessment to identify necessary changes that need to be made to achieve compliance across export controls, data privacy, and cybersecurity obligations

– Assess the data environment, the control status of any sensitive technology, security infrastructure, and existing cybersecurity policies, procedure, and processes

– Design a control development and revision strategy that will recommend technology solutions, human resources protocol, and policy changes

These actions can enhance a company’s overall cybersecurity posture, and can also reduce corporate risks and reduce the costs associated storing and securing data.  The memo cautions that parties pursuing an M&A transaction should pay particularly close attention to these first moves, since cyber risk is often overlooked or given less attention than it merits pre-closing. Proactively identifying and addressing areas of vulnerability early on in the process can help to put the deal on a better footing in the event of CFIUS review.

John Jenkins