This article originally appeared in Foreign Investment Watch’s “Best of Guidance” Special Section, April 2024.
For close to two decades, and in particular with the enactment of the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) – the updated Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) regulations – the United States’ posture as a nearly “free-flowing” destination for inbound foreign investment has changed. FIRRMA has provided additional powers to CFIUS to scrutinize certain transactions with the ultimate intent of safeguarding the United States’ national economic security from China, Russia and other nation states that pose threats to the U.S.’s economy and national security.
These additional powers have given rise to increased activity by CFIUS. According to its 2022 Annual Report (issued July 2023), CFIUS reviewed 440 filings in 2022, up four from the previous year and a single year high. The number of notices filed increased to 286, up from 272 in 2021. As in the past, most transactions continue to clear CFIUS review without mitigation agreements or conditions, however, it is notable that cases requiring mitigation increased 68% year over year, from 31 instances in to 2021 to 52 in 2022. The report noted that U.S. Treasury’s Office of Investment Security is continuing to ramp up with additional staff, including the retention of individuals with specific technical expertise, including cybersecurity, technology, and various sciences, while increasing staff in the Office of Investment Security Monitoring & Enforcement.
With this intensified activity and the potential for CFIUS to require a mitigation agreement, companies, their investors, and counsel must be prepared when engaging in international M&A with national security implications. In that regard, merger, acquisition, and investment targets, as well as acquirors should consider the implementation of an insider risk program to mitigate CFIUS vulnerabilities and provide assurance to the Committee that they have taken the appropriate steps to safeguard personally sensitive data, protected technologies, and other intellectual property, trade secrets and data that impacts U.S. economic security (herein “Protected Data”).
What is Insider Risk Within the Context of CFIUS
Insider risk is an increasingly important threat vector to CFIUS, as the complexity of foreign intelligence threats increases and actors deploy more sophisticated intelligence capabilities that are being targeted in new ways against the United States. In addition to committing these resources directly against the economic interests of the U.S., foreign threat actors also attempt to exploit indirect methods to advance their interests, including through investment activities using strawmen, and undisclosed business relationships. These methods are not unknown to CFIUS, and some, if not most of the mitigation agreements entered into by CFIUS involve requirements to address related risks through divestment requirements or other more common mitigants, such as cybersecurity, access controls, and other lockdown measures. However, what about the risks posed by those already inside the organization, who may have gained the trust of his or her employer, but maintain the ability to compromise sensitive information, critical technologies, or other vital intellectual property, that if disclosed, could present a U.S. national security concern?
In the context of CFIUS, insider risks are those threats posed by an individual inside the organization, whether it be a current or former employee, contractor, or legitimate business partner, with the authorized ability to access the organization’s internal resources and systems and effectuate a compromise for the benefit of a foreign economic interest. Note that insider threats need not always include malicious motives or intentional actions. In some instances, these compromises of information can be attributed to negligence or unintentional actions by an insider, such as the employee that is phished by a foreign actor and sensitive data exfiltrated subsequently. CFIUS mitigation agreements do not care about how the Protected Data is lost – whether it be intentional or by accident – only that it is compromised. A high-performing insider risk program will reduce the chances of foreign persons intentionally or unintentionally obtaining protected information.
Implementing a CFIUS-Focused Insider Risk Program
The implementation of an insider risk program geared to addressing CFIUS concerns requires the development of a framework that applies a risk-based approach to identifying, protecting, detecting, and responding to information losses that would present national security concerns. It should be noted that the ability to secure Protected Data, and detect suspected breaches is CFIUS’ paramount concern, as any loss with national security implications would draw more of an “atomic bomb” reaction from the Committee, rather than a “firecracker.” Nevertheless, all components of the framework should be developed and implemented. There are generally four broad steps to implementing an insider risk program to prepare the organization for engagement with CFIUS.
Step 1: Planning
The first step in implementing an insider risk program is the planning stage, during which the organization and stakeholders determine:
- how the program is governed and who owns it (see, Governance Oversight, below);
- the priorities for the insider risk program, including the program’s main objectives, taking into account future transactions that may draw CFIUS scrutiny;
- the identification of the critical systems and assets, with a focus on information and assets that constitute intellectual property or information that would be of value to foreign nations, including that information, per FIRRMA: involved in the development, production, or manufacturing of critical technologies; is required for certain functions with respect to critical infrastructure; or contains sensitive personal data of U.S. citizens;
- the threats to and vulnerabilities of those key systems and assets;
- regulatory requirements and legal issues that may present challenges to implementing the program; and
- guiding principles, policies, and procedures for implementing, operating, and sustaining the program.
During the planning stage it is imperative that all assets and systems that maintain critical assets are considered. It is recommended that organizations develop an asset tracking mechanism to track all critical assets, ensuring that for each asset the following information is maintained: their locations; the identities of those that have access; whether the asset is Protected Data in the purview CFIUS/FIRRMA; and the assets’ owners.
Step 2: Organizing and Preparing
An effective insider risk management program is not unlike most other corporate security or compliance initiatives, which require a holistic approach to risk mitigation that involves a combination of people, processes, and technology. Effectively assembling and integrating the three components is paramount.
Processes and Technology
A high-functioning insider risk program is one that seamlessly fuses information, with adept analysis, and response capabilities to detect and respond to anomalous insider threat behavior. To do so effectively, all relevant information and technology must be made available to the threat team to analyze, not as individual elements in a vacuum, but collectively, in concert with one another, allowing the data to be contextualized and acted upon. Therefore, policies and procedures must be established which dictate how information can be gathered, integrated, synthesized, and reacted to by the insider threat team, when behavior or actions warrant. The types of information that may be made available to the insider threat team would include, information such as:
- employee-centric information, including onboarding information and background checks, as well as human resource files;
- physical access records;
- network access logs, user activity monitoring logs, and other IT logs, including data-loss prevention audit files or other IT audit records;
- travel and expense records;
- financial and conflict of interest disclosures or attestations;
- video surveillance;
- telephone records, as appropriate; and
- other relevant files.
Policies should also include guidelines for the use of the information, including how confidential information may be accessed, used, and stored, and spelling out expectations for stakeholders that providing requested information is compulsory.
A critical aspect of an effective insider risk program is the ability of employees to report anomalous or malicious insider behavior. Threats that are not known cannot be mitigated, and clear reporting channels are essential for raising concerns. Confidential reporting mechanisms, including the use of integrity hotlines and online methods, should be implemented to provide for anonymous reporting of suspicious insider activity. It is important to build confidentiality into the reporting process to encourage insider reporting and prevent insiders of concern from retaliating against those that raise concerns. Educating employees on these communication pathways continuously will overcome reporting challenges and emphasize that leadership is committed to
ensuring compliance.
An insider risk program is highly reliant on technology to monitor insider behavior and supplements people as the primary avenue for identifying and monitoring potentially risky insider actions. When determining the appropriate technology to implement, consider the full range of potential vulnerabilities that may impact the protected information. Some technologies to consider include:
- Data Loss Prevention tools secure communications across emails, the internet, information networks and the cloud, alerting admins when information leaves the host network, preventing the exfiltration of electronic information. Data loss prevention technology can be applied to networks, and on individual devices such as laptops, and can prevent the use of USBs or external devices.
- Privileged Access Management technologies can limit access to certain electronic information, such as document repositories, applications, or even physical locations without the proper credentials.
- Access Control Systems prevent access to facilities and areas within facilities without the presentation of credentials, including swipe cards, fingerprint or biometric recognition, electronic keypads, and security cameras.
- Software and Application Download Limiting Software should be installed on insiders’ personal devices (laptops/tablets and cellphones). The downloading and installation of nonstandard software should be approved on an as-needed basis, and such software should be limited in duration for only as long as needed for the permitted purpose.
People
There are generally two people components that comprise an insider risk program: governance and advisory, usually undertaken by the board of directors and an insider advisory team; and insider threat monitoring and response performed by an insider threat team.
Governance Oversight
A strong oversight function at the board of directors’ level is recommended, to provide direction, ensure adequate resourcing, continually assess effectiveness, and build accountability into the “people aspects” of the program. In addition, boards of directors frequently contain members that serve on more than one board, allowing insider risk best practices and associated learnings to be shared and applied, as appropriate. The board of directors should oversee a working group of senior leadership team members with expertise and/or roles in cybersecurity and technology, physical security, human resources, risk, training, policy development, and an in-depth knowledge of the entities intellectual property and confidential information. This team will be responsible for providing day-to-day oversight of threat monitoring, detection, and investigations practices; provide advice regarding tactics and methodologies; and ensure implemented practices are legal, ethical, and consistent with the goals of preventing the exfiltration Protected Data. The insider risk working group should update the board of directors on a periodic basis with meaningful metrics regarding insider risk threats, investigations, and resolutions to allow the board to assess the efficacy of the program and the return on investment.
Insider Threat Team
The insider threat team, the unit within the insider risk program dedicated to monitoring for and investigating suspected breaches, is usually a cross-functional group of stakeholders whose “day jobs” include information technology (“IT”), legal and compliance, human resources (“HR”), physical security, internal audit, technology, and business unit managers. Where this team sits within the operational structure of the organization varies, with a vast majority of corporates establishing then in either IT or HR, where critical components of the insider monitoring and threat assessing takes place. Regardless of where, it is critical that the team maintain its autonomy, as the ability to respond to and investigate issues across the entire business, at all levels of the corporate hierarchy, is important to producing independent and uninfluenced investigations and reporting.
Even though there is a dedicated threat team to implement the insider risk program, the success of the program is dependent upon the engagement of the entire enterprise. In that regard, and as outlined above, IT, legal, HR, internal audit, executive management and operations must play an active role in the insider risk program, and the insider threat team is the mechanism by which the program is operationalized throughout the organization. The insider threat team will serve as the lead on all efforts to monitor, respond, investigate, and mitigate all insider threat activities, while calling upon the other resources for support. For example, in the instance in which IT detects suspicious activity of an employee sending large email attachments to a third-party email address, it should not act alone. A coordinated effort amongst IT for continuous system monitoring, would necessarily be combined with efforts from HR, who could shed light on any performances issues or other background information, business operations that may have insight into the content of the attachments, and the legal department for insight into suggested next steps. While individual parts of the organization are required to participate, coordination, communication and planning come through the insider risk threat team.
Documentation
One of the key elements of an insider risk program is the ability for the threat team to readily access detailed information and intelligence. Therefore, it is best practice to ensure that every activity undertaken by the insider threat team be memorialized in a report, including not only the findings and results of the effort, but an accurate list of all information accessed and reviewed. Likewise, all data, hard copy and electronically stored, collected for purposes of analysis, as well as outputs from analysis, such as investigative findings and root cause reports should be centrally stored. This will allow the threat team to track threats and threat actors and improve the chances of detecting problematic insider behavior more quickly, leveraging historic datapoints. Lasty, having the information centrally located will permit the quickest possible response to regulators or law enforcement, if necessary.
Step 3: Make it Part of Your Culture
Ensuring the insider risk program takes hold requires a sustained effort of socializing the program throughout the organization. This effort will require extensive training to make certain that employees understand the value the program brings to the organization, as well as to alleviate fears that the program is overreach by leadership or an impingement on their right to privacy or other civil liberties. It is important to make clear that what the company is trying to protect is the company’s value and longevity, through the safeguarding of confidential information, or critical intellectual property, as appropriate, while preserving the company’s reputation and good standing with regulators, business partners, customers, and other stakeholders.
Training should encompass several modules, including: information security training; insider threat awareness training; confidential information handling; and training on the company’s applicable employee agreements, such as those covering confidentiality, computer use, insider trading, non-solicitation, and others as appropriate. The program’s sustainability will be largely dependent upon being able to maintain a regular cadence of training, reinforcing good behaviors, and demonstrating ongoing commitment from the top.
Step 4: Continuous Improvement
Insider risk programs are dynamic and must change as the company’s mission, technology, intellectual property, geographic reach, and other factors develop and mature. Changes in circumstances, including the addition of new investors, new M&A strategies, the addition of new products or services, and evolving supply chains will require the company to revisit the insider threat program to ensure it is meeting the needs of the organization and remaining compliant with the spirit and intent of CFIUS. Benchmarking or auditing the program should be conducted regularly and any gaps mitigated with enhancements to either the people, processes or technology aspects of the program as appropriate.
Conclusion
Insider risk programs are premised on the notion that not one individual within an organization is perfectly positioned to identify and mitigate all business’ activities and operations that pose national security threats and vulnerabilities. As CFIUS continues to scrutinize and prioritize transactions of businesses operating in sensitive sectors and those from countries CFIUS has deemed a concern, preparing for a transaction that may have national security implications for investors, target companies, and acquirors requires undertaking due diligence or risk assessments throughout all phases of a transaction to evaluate CFIUS-related risks and to determine whether to undertake proactive measures. Approaching a transaction with potential national security or CFIUS concerns with an ongoing, effective insider risk program, will be invaluable in demonstrating to CFIUS that the organization is keenly aware of the threats and vulnerabilities associated with its business operations and that mitigation measures are already in place to reduce the likelihood of the vulnerabilities being exploited by insiders or third parties. With the vast majority of CFIUS mitigation agreements focused on safeguarding Protected Data from exfiltration, an insider risk program is among the best opportunities to
obviate the need for such an agreement.
If you have any questions or would like to find out more about this topic please reach out to David Holley.
To receive StoneTurn Insights, sign up for our newsletter.