Beware of Wolves in Sheep’s Clothing with Money to Invest

Last week, the National Counterintelligence and Security Center (“NCSC”), the Office of Economic Security and Emerging Technologies (“OESET”) and other coordinating government agencies issued a warning to U.S. venture capital, private equity, and technology startup companies of efforts by foreign threat actors to gain access to intellectual property and proprietary data of U.S. companies (“Sensitive Data”) through foreign-origin private investments. It is not clear what specifically led to the warning to be issued now, but the warning was provided on the Director of National Intelligence’s website as part of the Director’s Safeguarding Our Future initiative which “provides brief overviews of specific foreign intelligence threats.” These foreign investments, the agencies say, are being used to exploit U.S. startup companies and their investors, while putting U.S. economic and national security interests at risk.

Foreign Threat Actors’ Methodologies

The agencies warn that foreign threat actors are actively attempting to circumvent detection by the Committee on Foreign Investment in the United States (“CFIUS”) by cloaking the nature and intent of their investments, as well as their true intent, stealing company knowhow and Sensitive Data in emerging technologies. There are several ways foreign threat actor-investors are attempting to conceal their investments, including:

  • Investing directly via entities with complex ownership structures, shell companies, or companies domiciled offshore in locations known for an absence of transparency;
  • Routing their investments through intermediaries or strawmen within the United States or other countries that do not raise national security concerns; or
  • Using complicated investment structures, including minority and limited partnerships to frustrate source of funds investigative efforts.

Other methodologies deployed by foreign threat actors to exploit U.S. firms are more nefarious. For example, these foreign investors may make efforts to secure access to confidential or proprietary intellectual property prior to making an investment, usually during the due diligence process, and subsequently walking away after receiving the information. In addition, some China-based venture capital firms are making efforts to engage directly with employees of U.S. startups, offering to pay them to exfiltrate sensitive information to China.

Protecting Against Bad Actors

Based upon decades of experience helping organizations prevent against insider risks, there are a few proactive steps U.S. companies, and their domestic investors should take to protect against foreign bad actors’ efforts to compromise their intellectual property. Foremost, it is paramount that prior to engaging with any potential investors, companies take steps to determine, catalog, and protect their most critical confidential information. Such efforts include ensuring:

  • Sensitive Data is identified and marked “Confidential,” “Proprietary,” and/or “Trade Secret,” as appropriate, to ensure that Sensitive Data can be recognized by those requiring access to it;
  • Sensitive Data is protected in the workplace by appropriate physical and electronic safeguards and areas containing Sensitive Data are restricted accordingly;
  • Employees and third parties requiring access to Sensitive Data are educated on the importance of maintaining its confidentiality and steps to take to safeguard the information;
  • Employees and third parties that access Sensitive Data are bound by legal agreements, including non-disclosure agreements, employment agreements, due diligence documentation, and other agreements as appropriate, that acknowledge the Sensitive Data’s confidential, sensitive nature and importance to the company; and
  • The existence of an auditable process for sharing Sensitive Data as part of a robust insider risk strategy.

U.S. companies and their domestic private equity and venture investors that are contemplating raising investment capital should carefully assess prospective foreign investors by undertaking due diligence designed to:

  • Independently confirm that the foreign investors are credible, including their ownership, and their anticipated source of funds;
  • Confirm that the investors are not subject to any U.S. regulatory restrictions, including sanctions or other designations;
  • Ensure that data privacy and other local laws of the foreign investors allow for company information to remain confidential and out of the host government’s purview; and
  • Determine the foreign investors’ other investments and whether they invest in companies engaged in similar businesses in their home country – a potential indicator that their intentions may not be entirely above board.

There is no such thing as “too much diligence” as it relates to considering bringing on a foreign investor, especially from countries racing with the United States to be at the forefront of critical emerging technologies and resources.

What Lies Ahead

Foreign actors will continue to try and exploit security vulnerabilities to gain access to U.S. intellectual property and compete against U.S. companies with their own technologies. Businesses and startups, private equity, and venture investors must remain alert to foreign investors bearing gifts, with undisclosed ulterior motives. While the government will continue to respond, as it has with legislation, such as the enactment of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), among other things expanding the committee’s scope of covered transactions and Executive Orders including Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), Executive Order 14034 of June 9, 2021 (Protecting Americans’ Sensitive Data from Foreign Adversaries), Executive Order 14083 of September 15, 2022 (Ensuring Robust Consideration of Evolving National Security Risks by CFIUS), and Executive Order of February 28, 2024 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), executives must remain vigilant to the persistent threat of foreign bad actors in disguise.

 

Posted In:


About the Authors

David Holley

David A. Holley

David A. Holley, a Partner with StoneTurn, has more than 30 years of investigative and risk consulting experience and frequently serves as a trusted advisor to corporations, law firms, audit […]

Read Bio