
Common Causes of CFIUS Agreement Non-Compliance and Enforcement Risk

Following the update to the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) Enforcement and Penalty Guidelines, the Committee has continued to signal its intention to more heavily leverage enforcement authority as a means to punish and deter non-compliance with requirements imposed under CFIUS Agreements. Particularly for matters that present comparatively increased risk (e.g., sensitivity of data; volume of data; level of foreign investor’s activity) or public profile, independent third-party oversight, usually in the form of a third-party monitor or auditor, has become a tool for both agreement-wide compliance assessments as well as specifically tailored investigations into areas of known or suspected non-compliance. Especially for the latter, at times it may be the case -- though certainly is not always the case -- that the investigation is partially intended to inform the breadth and impact of any identified non-compliance as well as whether the matter should be evaluated for enforcement action. 

Ankura has conducted numerous overall compliance audits and monitorships, as well as tailored non-compliance investigations. Our team has observed certain areas routinely crop up as root causes of non-compliance, which put an organization at materially increased risk of enforcement action. These areas are described below, along with measures that organizations can consider to help mitigate non-compliance risk and, correspondingly, the reputational and financial impact of possible enforcement action. Notably, this is not to imply that enforcement risk exists only if a CFIUS Agreement envisions third-party oversight; rather, such oversight has been a vantage point from which to observe, across organizations of different sizes and in different sectors, common areas of compliance risk under CFIUS Agreements.

1. Written Operational Definitions of Key Terms. CFIUS Agreements often are purposefully broad or ambiguous with respect to key definitions, usually set out in the first article of the agreement. Among others, definitions of access, affiliation, communication, third-party relationships, and the scope of sensitive data or asset types to be protected can be broadly drafted to provide flexibility, ensuring that future operational developments, growth, or change to the organization are less likely to result in unintended end-runs around national security priorities.

Broad or ambiguous terms are not necessarily localized within the definitions section. They also may appear in substantive compliance obligations. In some cases, the intentional ambiguity is obvious on its face (e.g., measuring cybersecurity compliance against “industry standard,” to allow an organization to reasonably define a recognized compliance standard that aligns with business operations). In other cases, the need for operational definitions is more implicit (e.g., a requirement related to advance CFIUS Monitoring Agency (CMA) notification before access is provided to a vendor that will support software development efforts requires a consistent application of how the organization will determine what constitutes supporting software development efforts).

At bottom, the scope of almost any compliance obligation turns first on how that obligation is operationally defined. The possibility of material space between an organization’s interpretation and the CMA’s interpretation of the scope of a compliance obligation creates a material risk of non-compliance and, by extension, a risk of enforcement action. Broad or ambiguous definitions also create a risk that different actors within an organization may interpret or apply compliance provisions in different, inconsistent, or contradictory ways, or in ways that may appear counter to the equities of the CFIUS Agreement. There are various ways to close the gap, but common approaches are (i) a Glossary of Terms Policy that describes how the organization is going to operationally apply all key terms within a CFIUS Agreement, with that policy then generally incorporated into other policies and procedures that address specific compliance obligations; or (ii) including an Operational Definitions section within each policy or procedure that addresses a specific compliance obligation, to clearly define the scope of the obligation while ensuring, of course, that identical definitions are applied across policies.

Whichever vehicle is used to define key terms in writing, the best practice is to engage relevant organization stakeholders in the development of consistently executable functional definitions, integrate these functional definitions into relevant organization procedures and processes, and provide the operational definition(s) to the CMAs for awareness and input if the CMAs so desire. While non-objection by the CMAs to a particular operational definition cannot guarantee there will be no future disagreements on compliance scope, it provides some indication of scope alignment. Moreover, at minimum, it demonstrates the organization’s clear intent to implement a compliance program that fully addresses the national security risks of interest to the CMAs in a transparent and trustworthy way. Notably, this best practice would apply both at the initial drafting stage as well as to any material modifications that may be made over time to the operational definition of any key term.

2. Sensitive Asset and Data Mapping. In many if not most cases, the goal of a CFIUS Agreement is to ensure control of access to sensitive data or assets. Access risk takes multiple forms, but most commonly: (i) logical access via approved credentials to a system or application containing the sensitive data; (ii) logical access via insufficient security controls to prevent unauthorized access; (iii) logical access via a properly permitted user impermissibly disseminating information to a prohibited party; or (iv) physical access to a sensitive asset, to a hard-copy document containing sensitive data, or to a piece of logical infrastructure through which sensitive data may be accessed (e.g., an on-premises server containing sensitive data). If the organization allows sensitive data to proliferate outside of its environment to the logical environments of third-party vendors supporting the organization, including through Software as a Service (SaaS) applications or other support relationships, that presents another vector of risk.

While not true in all cases, demonstrating compliance often requires an organization to clearly show that it has comprehensively identified within its own physical and logical environment (and across third-party environments, if applicable) where the sensitive assets or data controlled by the CFIUS Agreement are accessible. Particularly for large organizations with complex logical environments and/or decentralized management structures, sensitive asset and data mapping can be a cumbersome, resource-intensive, and costly endeavor. There also is no one-size-fits-all approach to asset and data mapping. In some cases, particularly where the sensitive data to be protected overlaps with export-controlled information, document marking tools can be used as a means to track where sensitive information lives across a logical environment. In other cases, an application-by-application approach, informed by discussions with key users of each application, has been used. These are just two of the different approaches that can effectively map data.

As to third-party risk, it is increasingly common for organizations to not proliferate sensitive data outside of their logical environments. Rather, third parties are provisioned accounts within the organization’s logical environment and are provided access through that account so that the third-party personnel handling the data remain subject to the same types of logical controls (e.g., domain blocking; data loss prevention rules; geoblocking) applied to the organization’s employees. Notably, this practice does not address access risk arising from sensitive data stored outside of the organization’s environment in third-party SaaS applications or with cloud-service providers, and organizations should take care to specifically assess access and proliferation risk associated with sensitive data storage in third-party environments. Regardless, it generally is expected that terms will be negotiated within the third-party contract, wherever feasible, to establish a contractual basis for ensuring that third-party personnel with access to sensitive data abide by CFIUS Agreement-imposed obligations related to access and non-dissemination.

3. Proliferation. Proliferation presents a final common area of compliance risk. That is, even after a compliance obligation is operationally defined and there is a comprehensive analysis of where all sensitive assets and data live, how does an organization ensure either: (i) that the sensitive data does not proliferate to any other system or application where access restrictions or other relevant controls do not apply; or (ii) that security/compliance personnel can identify, in near real time, any proliferation to a non-controlled system and immediately implement controls on the system or application that now contains sensitive data?

The scope of proliferation controls usually is informed by the compliance obligations imposed by the CFIUS Agreement. 

  • If the CFIUS Agreement exclusively focuses on non-dissemination of sensitive information to prohibited parties outside of the organization’s environment, then data controls at the perimeter of the IT environment may be sufficient to logically secure the sensitive data, reducing concern about how data may proliferate within the organization’s environment. (Note that this type of restriction may not obviate the data mapping requirement, as the organization still may need to demonstrate that it does not authorize credentials to any non-permitted user to a system or application containing sensitive data, particularly if the CFIUS Agreement or related policies incorporate principles of least privilege.)
  • If the CFIUS Agreement includes limitations on which of the organization’s employees or third parties may have access to sensitive data, requires advance CMA notification and non-objection before certain persons (e.g., foreign employees or third parties) are provided access to sensitive data, or contains other requirements that effectively require control of sensitive data access at a by-person level, proliferation controls become a necessity for demonstrating comprehensive compliance.

Systems or applications containing structured data often provide functionality for the implementation of rulesets that can restrict access to the system or application and control proliferation. Where data is unstructured, or where employees may control who has access to information, ruleset restrictions often are far more challenging to implement. Routine training, and back-end selective auditing -- particularly around email and collaboration sites as informed by a risk analysis of where sensitive data is more likely to reside -- are common tools to increase the confidence interval that sensitive data access aligns with CFIUS Agreement requirements.

****

The above focus on operational scope, data mapping, and proliferation should not be construed to ignore the criticality of implementing a comprehensive controls regime that is sufficient as to breadth (fully addresses each requirement) and efficacy (operates as intended). Stated differently, clearly defining the scope of obligations, knowing all logical and physical locations where sensitive data resides, and controlling the proliferation of that data is of marginal value if the actual authorized and unauthorized access controls implemented at each of those logical and physical locations do not prevent the type of access prohibited by the CFIUS Agreement. Similarly, if organizational leadership does not understand the operational requirements imposed by CFIUS Agreements, or if there is a lack of clarity around ownership of critical mitigation functions and operations (e.g., sensitive data identification, classification, transfer, and protection), such misalignment of understanding or operational accountability can result in material non-compliances regardless of the effort undertaken to develop a comprehensive security program.

Finally, drafting policies, comprehensively mapping sensitive data and assets, and implementing proliferation controls can take a significant amount of time. While those efforts are ongoing, organizations must identify and implement interim mitigation controls to reduce non-compliance risk while a more comprehensive control regime is being defined and implemented. For example, not immediately knowing everywhere that sensitive data resides should not stop an organization from implementing controls for all locations where the company reasonably believes that the sensitive data resides.

Nevertheless, in the final analysis, it often will be the case that as an organization spends more time under the requirements imposed by a CFIUS Agreement, the CMAs increasingly will expect a level of analytical rigor and sophistication around compliance, coupled with the implementation of responsive controls, that demonstrates that the national security risk has been correctly and comprehensively defined, scoped, and addressed. With enforcement increasingly becoming a tool used by CFIUS to address and deter non-compliance, the reputational and financial risk associated with not achieving, over a reasonable time, that level of analytical rigor to the CMA’s satisfaction is one that most organizations are not likely to accept.

How Ankura Can Help

CFIUS Compliance Advisory Services. Ankura advises organizations during the negotiation of a CFIUS Agreement and after a CFIUS Agreement has been signed on developing and implementing a comprehensive security program that identifies and addresses each substantive obligation imposed by the CFIUS Agreement, helps ensure open communication and transparency with the CMAs, drives toward solutions that best align with the organization’s operational goals and financial realities, and mitigates national security risk. There is no one-size-fits-all approach to security program implementation, and so Ankura draws on a broad range of experience as an advisor, third-party monitor, and third-party auditor across various industries to help develop compliance approaches tailored to the specific needs and equities of an organization that are likely to satisfy the national security equities of the CMAs.

CFIUS Mitigation Services. In the event a material breach is identified that requires a significant amplification of the current security program to re-establish the trust relationship between the organization and the CMAs, Ankura has been retained in a limited capacity to specifically advise organizations on the development and implementation of additional controls and reporting mechanisms specifically responsive to the root cause of the material breach. These efforts often involve assessing whether the root cause of the breach may extend to create risk associated with other components of the security program, and if so, to identify and mitigate those risks as well. 

CFIUS Third-Party Auditor. Where required by the terms of a CFIUS Agreement, Ankura routinely serves in the third-party auditor (TPA) role providing a point-in-time assessment of an organization’s current compliance state relative to its obligations under a CFIUS Agreement. Ankura adopts a “problem-solution” approach to CFIUS audits. If issues or findings are identified during the course of the audit, they are immediately made known to the organization, along with suggestions on how the organization might address the issue or finding, so that at the time of report delivery, Ankura is not only reporting the issue or finding but also the steps that the organization has completed or is undertaking to retroactively and prospectively mitigate the identified concern. 

CFIUS Third-Party Monitor. Where required by the terms of a CFIUS Agreement, Ankura routinely serves as the third-party monitor (TPM), providing day-to-day oversight and advisory services to organizations on their implementation of compliance programs. Ankura approaches TPM services as a “partner” to the organization, working hand-in-glove with Security Officers and Security Directors to develop and implement comprehensive security programs that, as quickly as possible, reach a steady state of compliance across all requirements imposed by the CFIUS Agreement. Ankura approaches TPM roles with a “problem-solution” approach, such that where Ankura’s testing identifies an issue or concern, it is immediately raised with the organization in the context of how controls might be implemented or modified to mitigate the identified risk. Our approach also relies heavily on facilitating direct, consistent, and transparent communication between the organization and the CMAs to help establish conditions of mutual trust. Finally, consistent with the “partner” approach, Ankura can provide organizations the benefit of our extensive experience developing and implementing security programs across different sectors and for organizations of different sizes and sophistication, providing guidance on how each organization might tailor security programs to achieve compliance in a manner that is fiscally achievable, reasonably implementable, and operationally maintainable.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
