The cybersecurity aspects of CFIUS-regulated transactions are highly complex, involving both technological and regulatory considerations.
Regardless of that complexity, the different subject areas touched upon by cybersecurity concerns rely on a common infrastructure.
That is, these concerns rely on the same computer and network servers, the same communication with outside vendors and team members, and arise within the same need to complete cross-border transactions.
Not only, therefore, must these transactions be filtered through the CFIUS lens, they must be analyzed from a cybersecurity standpoint as well. From an operations perspective, systems must be up to the task of dealing with ransomware attacks, hacking events, and insider and other threats.
Critical infrastructure that may otherwise be implicated includes communications, internet service providers, submarine cable systems, satellite systems, specialty metals, chemical weapons, antidotes, energy producers, oil refineries, and pipelines.
We are now seeing many nightmare scenarios involving these critical infrastructure points play out. Cyber-attacks, we now see, can wipe out not just information but can also threaten the operational technology of these critical systems.
It is necessary to be aware of terrorist threats to these systems—but also to analyze these threats within the context of a potential CFIUS deal.
The Cybersecurity & Infrastructure Security Agency, or CISA, is the US governmental agency that is responsible for strengthening the security and resilience of cyberspace. The agency’s purview thus includes any type of privately owned industry in the United States that is managing critical sector services.
To the extent that, in a CFIUS-regulated transaction, a foreign participant or investor is becoming involved with a US business, that business is going to come under increasing scrutiny. This is particularly true given the complication of state actors funding and supporting criminal enterprise.
This is becoming a top priority for the Federal government.
So what are the types of risks that must be analyzed?
The theft of payment and customer information, the disruption of operations, ransomware events, disruption of remote access, and other risks must be considered in any CFIUS-regulated transaction.
It is therefore mandatory to have a cybersecurity plan in place—but what should an adequate cybersecurity plan look like?
The sort of plan that CFIUS will require will be one that protects against cyberattacks on the operation, design, and development of US businesses’ services, networks, systems, data storage, and facilities.
The plan will have been tested, embedded, and updated to react to ever-evolving threats. It should have been thoroughly vetted to ensure that any foreign entity with which one’s networks communicate is similarly protected.
On the other hand, is cybersecurity planning enough?
A company must comply with whatever standards and measures are required. The Federal government relies on standards from the National Institute of Standards and Technology (“NIST”). These standards are therefore relied upon in turn by private entities to demonstrate compliance.
Compliance with NIST, however, does not provide real-world guarantees.
In other words, a cybersecurity plan must always be adapted to the actual, current threat environment.
Cybersecurity is a moving target that requires constant follow-up and attention. If your business has direct US government connections, it will be even more deeply scrutinized.
It is crucial to ensure that proper inventories are taken.
Joe Whitley of Baker Donelson, Chair of the Mackrell International (MI) White Collar Practice Group, moderated a discussion with Michael E. Clark, Alan Enslen, and Aldo M. Leiva in the MI webinar titled “Evolving Foreign Trade Risks.” You can view the entire session on our YouTube Channel.