In recent years, the U.S. government has taken a closer look at investments, mergers and acquisitions, and other business activity that may have an impact on U.S. national security. For corporations and investors, this means that deals involving foreign businesses or investment counterparts can fall under considerable scrutiny.

Posted In:


U.S. Mitigation Entities

Two government agencies handle national security threat mitigation in the commercial sector: The Committee on Foreign Investment in the United States (CFIUS) and the Defense Counterintelligence Security Agency (DCSA). CFIUS is an interagency committee that reviews foreign investment to determine if a transaction presents a national security threat. If such a threat is deemed to exist, the transaction can be approved, blocked, or the parties will be required to enter into a mitigation agreement that requires implementation of measures designed to protect U.S. national security. DCSA is an agency within the Department of Defense. One of its primary missions is overseeing the Foreign Owned, Controlled or Influenced (FOCI) program that allows foreign entities access to classified information once they have entered into a mitigation agreement and implemented its requirements. It is not uncommon for foreign entities, especially government contractors, to have mitigation agreements with both CFIUS and DCSA.

Approval, Mitigation, Blocking

Most CFIUS filings are approved without any special requirements. A smaller subset of transactions are approved, but that approval comes with special requirements or mitigation. These special requirements can include hiring only U.S. citizens, maintaining a separate IT system, occupying separate office locations, and/or implementing elevated security systems, for example.

CFIUS will recommend that a transaction be blocked when it presents a threat to national security that cannot be mitigated. We can see from the past blocked transactions that unmitigable transactions frequently involve the transfer of sensitive technologies and involve acquirers who are perceived as adversaries or untrustworthy.

The blocking of transactions is rare. In CFIUS’s history, U.S. Presidents have only blocked nine transactions on CFIUS’s recommendation. While this is seemingly low, it can be misleading. Over the years of CFIUS’s existence, a number of transactions have been proactively withdrawn when the investors have been faced with the likelihood of a Presidential block. In the most recent data available—from 2023—nine CFIUS filings were voluntarily withdrawn and not refiled. It is common that parties who are informed that the transaction is not going to be approved and likely blocked choose not to subsequently refile. In 2023 nine transactions were permanently withdrawn. This is a number equal to all transactions blocked by U.S. Presidents in CFIUS’s existence.  This disparity illustrates that while blocking of transactions by Presidents are scarce, many companies choose to voluntarily withdraw transactions where the outlook is bleak.

National Security Risk Mitigation Process

In most situations, when the CFIUS review identifies a threat to national security, the Committee will work with the transaction parties to craft a mitigation regime that will acceptably reduce the national security threat and allow the transaction to proceed.

What is a National Security Risk?

National security risk can take many forms and is intentionally broad. It may involve potential exposure of information that is deemed critical and/or highly sensitive such as classified information, “know how,” data and data sets, personal identifying information (PII), biometrics, and others. National security could be threatened by an adversary gaining access to technology considered sensitive, critical, emerging, or that would advance an adversary’s technical capabilities. Opportunities for adversaries to observe intelligence gathering can also threaten national security. Increasingly, threats to crucial supply chains can create national security risks as the geopolitical landscape continues to shift.

How CFIUS Mitigation Works

Governance

CFIUS and FOCI mitigation agreements can require special corporate structures that create separation and a degree of independence from a foreign parent or investor. These requirements can include a board with a majority of independent U.S. directors and/or U.S. citizen officers who have specified security obligations; and/or board resolutions that bar foreign parents or investors from accessing sensitive or classified information held by the mitigated entity.

Separation

Mitigation agreements can require a significant amount of physical and operational separation from the foreign investor or parent. Requirements can include separate facilities for the mitigated entity, separate IT systems, separate employees who may be required to be U.S. citizens, separate technology development and/or maintaining an independent roster of vendors and suppliers. By creating entirely separate ecosystems, organizations may bear significant additional cost, administrative, and operational burdens.

Restricting Access

Mitigation measures can include restricting access to entities and individuals considered to pose a national security risk. Access restrictions can be both physical and virtual. Physical security expectations in mitigation agreements often exceed normal practices in commercial companies, frequently requiring facility and technology upgrades. For example, many mitigated entities have separate visitor facilities or sections, and foreign investors could be limited to those areas. Virtual limitations could include access to only certain network drives or information systems. It is also important to highlight that not just foreign employees of a foreign investor or owner are viewed as a risk, but also the U.S. citizen employees of the foreign investor of affiliates. These situations often require sophisticated badging and monitoring systems to fulfill physical access and documentation requirements of mitigation agreements.

Process and Procedure Restrictions

Mitigation efforts are often focused on protecting information such as significant and/or sensitive data sets or technological information. Frequently, commercial entities lack a complete understanding of what information they have and where it is stored. A plethora of policies regarding information storage, access, and protection will be essential. Necessary policies will include a detailed data security plan that most companies do not have until they enter a mitigation agreement.

Cyber Enhancements

Many companies are confident in their cybersecurity regime until there is a detailed look under the hood, or a cyber breach occurs. Mitigation agreements often require elevated and specific cybersecurity controls. These controls often exceed the regime companies have in place and can require significant additional effort and expenditures to meet them.

Auditing

Mitigation agreements often call for auditing of compliance by either the government itself or independent auditors—or both. Diligent record keeping is, therefore, essential to any successful compliance program. Even if an organization’s data security is exemplary, it is not worthwhile if you cannot easily demonstrate such to the Committee. All policies, practices and procedures must have a record or data capture element, or else enhancements to a company’s compliance program can be viewed as unsuccessful by Committee.

Changes to Mitigation Practice Under the Trump Administration

Early indications are that there will likely be increased scrutiny of Chinese investment under the new U.S. Administration. Chinese transactions that have identified national security risks will simply not be approved. No mitigation will be implemented for such transactions. Administration statements indicate that there will be less mitigation or an attempt to limit mitigation requirements for transactions involving close U.S. allies. However, all of this remains to be seen in practice. Investors, corporates, and their counsel should be mindful of the strict protocols required before proceeding with deal approval.

In order to be savvy in today’s investment environment, corporates and investors alike need to be current on shifting Administration priorities as well as the relevant rules, regulations, and impacting transactions that may implicate national security. As international relations continue to evolve, the parameters of a national security concern will evolve alongside. By staying abreast of the latest communications from the government, performing thorough due diligence on all deals, and implementing strong risk management frameworks, dealmakers can proceed with less uncertainty in a challenging environment.


If you have any questions or would like to discuss these topics please reach out to Scott Boylan.

To receive StoneTurn Insights, sign up for our newsletter.

Meet the Author

About the Authors

Scott Boylan Headshot

Scott Boylan

Scott Boylan, a Partner with StoneTurn, has more than 30 years of experience in advising public- and private-sector organizations on a broad range of international legal and business issues, including […]

Read Bio

Tags