• A deal strategy is not a CFIUS strategy.
  • Is national security a highway or an obstacle for your business – or somewhere in between?
  • Soberly assess where you stand with the Committee on Foreign Investment in the United States (“CFIUS”).

The United States and an increasing number of other countries are evaluating the impact of foreign investment on their countries’ national security posture. Generally, foreign investment regulatory regimes allow regulators to approve transactions, block transactions or place conditions on the approval, including divesture of foreign financial interests, data protection controls, and other restrictions that attempt to prevent the exfiltration of intellectual property, confidential or sensitive data, and other know-how into the hands of undesired foreign entities. The risk for companies stemming from national security reviews is on the rise, with domestic regulators taking extra steps to protect their national economic interests. Remaining aloof or ignorant of these regimes is not an option for businesses, whether they be U.S.-based or foreign.

Whether you are a serial filer with CFIUS or have never experienced a CFIUS review, it is imperative for an organization to have a CFIUS strategy that is part of the overall business strategy. It is important to note that a deal strategy is not a CFIUS or national security strategy. Getting a deal done may require acceptance of terms and restrictions that may not fit an entity’s long term business strategy. CFIUS, as well as other nation’s foreign investment regulations, can have a significant impact on business operations, market access, and ultimate business success.


CFIUS jurisdiction expanded significantly in 2018 through the implementation of FIRRMA which swept up a number of previously uncontroversial types of investments, not just controlling stakes.

These changes can be seen through a few examples:

  • Some CFIUS filings were made mandatory and CFIUS was given more assets to proactively police foreign investments, beyond the initial authority held by the committee.
  • Businesses that previously did not consider national security issues or running up against such risks became subject to CFIUS jurisdiction almost overnight.
  • Companies that harbored significant amounts of data on U.S. citizens became national security risks, and thus saw increased scrutiny.
  • Emerging technologies also covered by this expansion now ranged from biotech to AI.
  • Real estate transactions near sensitive government facilities became a designated national security concern.
  • The types of companies impacted expanded beyond your traditional government contractors and weapons manufacturers, and moved to include auto parts and hospitality, and even toys and entertainment.

What does this mean for the landscape at large? Virtually everyone doing business in the U.S. needs to have a fundamental understanding of national security risks of their business to avoid significant, negative impact to their business and its operations.

Company National Security Strategy

A national security strategy for a business will start with an in-depth understanding of the company’s national security profile. It will also include a survey of the company’s data, compliance, security, and cyber practices. The national security strategy will consider the business activities, technology and aspirations of a company. This insight will then influence, and perhaps even fundamentally change, a company’s overall business strategy.


Filing with CFIUS for approval of a transaction or investment will generally result in either a rejection, approval, or approval with conditions.

Approval with conditions will result in a mitigation agreement with CFIUS that may have significant impact on a business’s operations.  These conditions can limit the use of technology, software, facilities, and employees.  It can also limit or prohibit the sharing of information between the domestic entity and foreign investor. What’s more, a mitigation agreement can require separate operations and facilities, and therefore significantly impair any integration of teams and resources between the foreign parent and U.S. subsidiary.

Mitigation agreements may also necessitate significant enhancement of data protections, and cybersecurity systems and practices. Such limitations can have a significant impact on strategy. For example, if a foreign business seeks to buy a U.S. business to obtain their software and incorporate the acquisition into their own software, the company must be aware that CFIUS may block such an effort, and a different strategy will need to be employed to take advantage of the acquisition.  Again, this is why it is important to have a national security strategy as part of an overarching business strategy.


Foreign companies who are frequent investors in the U.S. have become, in many instances, familiar with national security reviews and the process to get through them successfully.  Those companies with the necessary size and resources have their own internal expertise to evaluate the evolving definition of national security concerns. This knowledge allows them to adjust their strategies for investing or engagement with the U.S. market. These companies do their own due diligence on national security risk for a particular transaction, but most importantly, as a test of the entity’s strategy in each sector or business.

Companies who do not have such internal resources should seek guidance from experts and as their business grows, consider the creation of their own internal expertise. Experienced filers often recognize that CFIUS approval actually helps their business, and typically see the requirements for CFIUS approval as a net positive for their business operations. For example, they may be more proactive in areas such as cybersecurity and disclosures, while incurring the benefit of winning “CFIUS approval” to bolster their reputation on the international stage.

National Security Review Looking Inward

Performing a self-evaluation or having an external resource conduct it for you is always a key element in developing and maintaining a national security strategy. Areas to be tested include current compliance with significant national security concerns such as import, export, sanctions, and anti-bribery laws and regulations. The last thing you would want to experience is the U.S. government informing you of a serious lapse in these areas.  It is not uncommon for these issues to arise in the CFIUS process, but these can typically be avoided with forethought and effort.

Some questions to ask and explore can include:

  • For foreign investors and companies, what is your company’s relationship with your own government?
  • How is your government viewed by the U.S. and CFIUS?
  • Who are your investors and their relationships?
  • Who are your customers?

The country where you are headquartered, or resident, is not necessarily indicative of how you will be viewed by CFIUS and the U.S. government. Your partners, investors, customers, employees, and other stakeholders can all impact how your company is viewed in a national security context.

Even an EU or NATO ally-based company can be problematic if there is a significant relationship between the organization and their home government. The extent of that relationship and its nature can create national security concerns for U.S. national security professionals.  The same would be true if additionally, or alternatively, the company had a supplier customer relationship with another third-country government. It can get complicated quickly. Having visibility of your posture and relationship in the national security world is increasingly a concern of all companies involved in commerce, whether locally or internationally.

National Security Review Looking Outward: U.S. Business National Security Awareness

A key element to any national security evaluation is understanding your relationships with your own government, other governments, and foreign individuals and entities. Relationship mapping and understanding should extend to your partnerships, investors, supply chain, customers, and other third parties.

Do you really know who that investor is who has brought financial resources to your start-up company in the U.S.?  On the face of it, they are a U.K. investor, but did you know that significant amounts of their capital originates from China? Russia? These are common landmines for companies who are unfamiliar with the focus and concerns of U.S. government national security reviews. Conducting due diligence and developing risk mitigation frameworks can help resolve these issues before they even begin.

National Security Meets Strategy

Once you understand your organization’s national security posture, you can then incorporate it into an existing company strategy or develop a strategy that will consider such scenarios.

You may have learned that your company has certain business functions or qualities that may be a national security concern, and that to effectuate your company strategy, you need to alleviate or blunt that concern. Knowing this issue exists, you can conceive ideas and actions that can address the issue.  This could be as simple as meeting with CFIUS to discuss your plans and intentions; or creating a new security regime at the company or sensitive locations; or developing a full-fledged media campaign to explain your values to the American public as well as CFIUS.


No company or investor, whether foreign or U.S.-based, can legally and ethically operate without a fundamental understanding of how national security laws and regulations impact their activities. International or global operations further complicate the calculus. CFIUS is not the only foreign direct investment (FDI) regime on the planet, and we have seen a proliferation of FDI regimes in recent years, where most countries who participate in global trade have some form of FDI process to evaluate investment in their countries. Transactions can easily have multiple countries evaluating the national security impact of a transaction and each country’s view of national security concerns can differ when evaluating the very same transaction. This all indicates that developing a national security strategy as part of overall business strategy is an essential requirement of a well-run operation. The long-term success of a company very well may depend on it. Is your organization prepared?


If you have any questions or would like to find out more about this topic please reach out to Scott Boylan.

To receive StoneTurn Insights, sign up for our newsletter.


Posted In:

Meet the Authors

About the Authors

Scott Boylan Headshot

Scott Boylan

Scott Boylan, a Partner with StoneTurn, has more than 30 years of experience in advising public- and private-sector organizations on a broad range of international legal and business issues, including […]

Read Bio