Wed, Apr 24, 2019

$1M Fine Crystalizes Importance of Well-Ordered CFIUS Compliance Program

On April 12, 2019, the Committee on Foreign Investment in the United States (CFIUS) published a short notice on its resources web page. The notice described a US$1 million penalty “imposed for repeated breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS.” Published without fanfare or further explanation, the notice represents the first known instance of CFIUS imposing a civilian monetary penalty for breaching a mitigation agreement. Not only did CFIUS impose a hefty fine, but also it may have opened the door for a complete re-review of the mitigated transaction. The CFIUS statute provides for the government to unilaterally initiate a review of previously reviewed transactions “if any party to the transaction … intentionally materially breaches a mitigation agreement …” A second review, should one occur, is likely to be costly and to result in a less favorable outcome than the first review.

The message for parties going through CFIUS review is clear: design and implement a serious, well-ordered CFIUS compliance program. 

Prepare

Preparation for a successful CFIUS compliance program can, in fact, begin before filing a notice with the committee. That preparation should start with a clear-eyed assessment of your current security controls, covering all aspects of your business, including physical security and cyber security. The controls you have in place today will become the foundation of any new controls designed to implement CFIUS mitigation. Companies who understand their baseline can more accurately predict the level of effort and timeframe necessary to implement new controls that CFIUS may seek. Well-prepared parties appreciate which new security controls are practical to implement, and which will be more challenging. That knowledge can be especially helping during mitigation negotiations with CFIUS, when the parties to the transaction may have an opportunity to request the terms of the agreement reflect the practicality of the necessary controls. When the agreement is finally signed, well-prepared parties are also equipped to begin quickly integrating new controls into existing policies and procedures. Because they know where they are starting, they know where to go next.

Organize

Handed a signed letter of assurances or national security agreement to implement, busy compliance and security officers frequently need sign posts, marking the critical path to expeditious full compliance. At this stage, an organized, prioritized implementation plan becomes an indispensable tool. Typical mitigation agreements require certain deliverables and actions sooner than others. For example, an information security plan might be required 60 days after the effective date. While important markers, these deadlines, built into the agreement, don’t always tell the full story. Achieving some more distant agreement milestones may necessitate precursor actions that must be taken immediately. As an example, an annual report due in a year may require a review of visitor logs. To achieve compliance, however, the security team must begin collecting and preserving visitor logs immediately. Though managing the complexity of these compliance programs can be challenging, backward planning from the due date of the first annual report can be an effective method for organizing your compliance team’s efforts.

Communicate

Frequent, open communication about your CFIUS compliance program establishes expectations at all levels of your business and creates the relationships that enable the business to weather unexpected contingencies. Communication should begin with the most senior members of the company, including the board of directors and the CEO. Without authentic leadership support, even the most diligent security officer faces an uphill battle operating an effective CFIUS compliance program. In addition to managing upward to the board, CFIUS compliance teams need to send clear top-down communications that broadly share the compliance expectations with company staff. For staff working in particularly sensitive areas, these communications efforts may even warrant an annual certification program affirming staff awareness and understanding.

Finally, parties should actively communicate with the CFIUS monitoring agencies. Entering into a CFIUS mitigation agreement is similar to entering any other long-term relationship — communication increases confidence and creates strength in the face of adversity. Despite upfront planning, sometimes security officers discover previously unrevealed issues that may affect compliance with the agreement. In those circumstances, expeditious communication with the monitoring agency, including a remediation plan with frequent milestones, could be the difference between success and failure.

Expert Assistance is Available

For some companies, the CFIUS process is their first direct encounter with the national security apparatus of the U.S. As the recent CFIUS fine demonstrates, failure to comply with the obligations that may result from that encounter can be costly. Expert assistance is available, however, in the form of experienced CFIUS attorneys and risk solutions firms like Kroll, a division of Duff & Phelps.

Contact us with questions about your CFIUS compliance program.

 


Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.