Consultancy Perspective in FDI National Security Reviews

Overview

This chapter describes the role, value proposition and perspective of consultants in the foreign direct investment (FDI) national security review system, with a particular focus on experience in the US context. Today’s rapidly changing global political and economic environment is dramatically affecting the ways in which governments view their national security posture and corresponding approach to FDI controls. As a result, the legal and regulatory landscape is evolving dynamically, with multiple emergent, impactful security and compliance requirements. These requirements must be addressed in a complex business and enterprise environment, frequently requiring expertise and capabilities across a range of disciplines (cybersecurity, data governance, physical security, supply chain, corporate governance, technology controls, finance, compliance, risk management, project management, strategic communications, etc.). Moreover, the FDI review regulatory schemes often contemplate oversight of mitigation agreements by independent third parties with the technical means to validate compliance.

Consultants provide a distinct, critical role in this complex ecosystem. The inherently flexible, solution-focused character of consulting platforms enables the assembly of tailored, diverse capability teams that can help companies, investors, organisations, counsel and government security agencies (GSAs) successfully reconcile complex, sometimes contrasting, business and security equities. Whereas counsel typically provide legal analysis and advocacy directly in support of transaction party interests, consultants provide technical and expert capabilities that often are tasked with vindicating more diverse equities, ranging from fiduciary for GSAs and independent third-party analysis and testing, to advisory work directly supporting client and counsel analysis and activities. The unifying element of these diverse consultancy roles is providing the necessary capability and assurance to facilitate an FDI transaction that accountably addresses both business and security equities. The sine qua non of these consultancy roles is facilitating trust between the transaction parties and the GSAs, based on a foundation of credibly determined, technically verified facts.

For a consultant to be of value, he or she needs to understand both what GSAs care about and how complex organisations can effectively address these policy and security concerns in a dynamic business and enterprise landscape. A consultant needs to deliver a combination of industry, risk management and regulatory expertise, frequently by building a transaction-tailored team with the combined perspective of former business executives, national security professionals, government regulators, cybersecurity experts, investigators and prosecutors, technologists, in-house counsel, law firm attorneys and compliance professionals (among others) to provide customised solutions to address FDI transaction-specific facts and circumstances. Through application of these diverse perspectives and capabilities, consultants can help the parties to a covered FDI transaction identify and reduce business risk, embed security requirements in business systems and processes, facilitate data-driven programme analytics and risk mitigation, assess, build and enhance compliance programmes, and execute required investigations, compliance reviews, audits and monitorships.

A key distinction in the role of consultants is that, typically, they are valuable to the transaction parties only insofar as they are considered to be a trusted, independent and technically credible voice by the relevant GSAs. Accordingly, a record of proven performance, experience-based judgement and demonstrated trustworthiness are fundamental to a consultant’s value proposition.

The rest of this chapter describes in greater detail the specific functions that a consultant most frequently provides in furtherance of this ‘trust but verify’-based role, including as (among other things):

  • third-party monitor;
  • third-party auditor;
  • cybersecurity auditor or analyst;
  • independent trustee or director;
  • third-party analyst or transaction risk assessor;
  • critical technology and sensitive data analyst;
  • mitigation measure developer and adviser;
  • compliance programme adviser or security programme officer; and
  • strategic communications and policy engagement officer.

Third-party monitors

Third-party monitors (TPMs) are a frequent requirement in sensitive and complex US national security mitigation agreements. They provide persistent presence, programmatic monitoring and deployment of industry-specific technical expertise, among other capabilities, that uniquely facilitate a verified, real-time and efficient operation of FDI mitigation agreement requirements; government security agency assurance that foreign investment risks to national security are effectively and proactively mitigated; and transaction parties’ ability to operate a business that is both successful and compliant with the mitigation agreement. An effective TPM approach is necessarily collaborative and adaptive, enabling a trust-based environment in which all mitigation stakeholder goals can be achieved through iterative, practical interaction and improvement.

Boiled down, the TPM’s role is to facilitate realisation of the relevant GSAs’ and transaction parties’ reasonable expectations under the mitigation agreement as efficiently as possible in terms of economical expenditure of organisational, financial and emotional capital. When appropriately integrated within a programme of well-designed mitigation controls, an effective TPM performs critical oversight roles that substantially benefit all parties to a mitigation agreement with the Committee on Foreign Investment in the United States, including:

  • persistent, real-time mitigation oversight: TPMs are able to engage with and provide oversight of mitigated parties and their agents in a more integrated and persistent way than is possible for GSAs or third-party auditors;
  • tailored technical capabilities: as private professional service organisations, TPMs are able (and should, in part, be selected on the basis of their ability) to deliver teams that integrate tailored technical expertise and capabilities appropriate to effectively test and assure the performance and reliability of controls implemented to address mitigation requirements;
  • industry perspective: TPMs are able to bring to bear (and should, in part, be selected on the basis of their ability to provide) expertise tailored to the mitigated organisation’s industry;
  • mediation and facilitation: TPMs are in a position to act as ‘honest brokers’ between the GSAs and transaction parties by facilitating consistent, recurring and transparent communications and reporting;
  • organisational counselling and coaching: TPMs are able to provide authoritative and independent but also pragmatic advice, guidance and perspective to mitigated companies regarding operationalising the systems, processes and controls that are necessary to achieve compliance in a way that supports the organisation’s objectives;
  • GSA fiduciary: the TPM typically is contractually and equitably responsible for actively representing the GSA’s expectations and perspective during operationalisation of the mitigation agreement compliance programme;
  • independent investigation, assessment and analysis: TPMs provide as-needed independent identification, investigation, review or analysis of sensitive and complex issues, including potential mitigation agreement breaches;
  • force multiplication and cost sharing: TPMs are key to expanding the GSAs’ mitigation bandwidth, enabling them to scale tailored, sophisticated resources to monitor numerous mitigation agreements, while maintaining a focus on enforcement and other high-risk priorities. In practical terms, the TPM vehicle substantially shifts the financial cost of monitoring compliance from the GSAs to the parties being monitored; and
  • verification-based trust: TPMs help to create the conditions necessary for effective, persistent mitigation agreements: alignment of expectations between the GSAs and transaction parties, substantiated by the GSAs’ evidence-based confidence that the mitigated company will consistently execute in accordance with those expectations or report when it fails to do so.

Good TPMs perform these roles by working with the mitigation agreement stakeholders to systematically define, design and implement a TPM programme that provides effective oversight and monitoring of the particular requirements of the mitigation agreement. This TPM programme plan should integrate with the mitigated entity’s own compliance plan. The foundation for the compliance programme is necessarily the mitigation agreement itself, together with plan and policy documents specified in the agreement. The TPM ultimately will identify and monitor compliance controls intended to provide real-time assurance of the implementation, operation and efficacy of the requirements of the mitigation agreement. Activities frequently associated with the build-out and operation of a TPM programme include:

  • deliberate initiation;
  • tailored, detailed TPM programme build-out;
  • execution of monitoring activities;
  • effective programme and project management;
  • recurring, risk-focused NSA stakeholder engagement;
  • investigations and reporting; and
  • addressing substantive requirements specific to the particular mitigation agreement.

TPMs often need to deploy a combination of the capabilities described in this chapter to ably fulfil their responsibilities.

Recent examples of TPM engagements include FDI transactions in the high-technology, financial services, hospitality, critical infrastructure and social media industries. The TPM provides independent oversight of the transaction parties’ compliance with mitigation agreement provisions intended to prevent exploitation of the target by the foreign investor. These measures can include (among others) governance requirements, investor communications restrictions, cybersecurity controls, sensitive information and systems access and management controls, physical security requirements, and related policy and training requirements. In each instance, the TPM engages with the company’s board and leadership to provide strategic, operational and technical monitoring and oversight, including in the design, implementation and maintenance of the overall compliance programme.

Third-party auditors

Third-party auditors (TPAs) are a frequent mitigation oversight measure required in FDI mitigation agreements. TPAs seek to assess objectively whether the transaction parties have effectively complied with the requirements stated in a mitigation agreement. TPAs generally are GSA fiduciaries and take direction from, and provide reporting directly to, the GSAs. In contrast to the real-time and continuous oversight engagement associated with TPMs, TPAs conduct an assessment defined by a fixed time period. Accordingly, the audit is typically a more arm’s-length, transaction-focused and objectively defined assessment than the iterative and collaborative character of TPM engagements. A well-designed audit will usually incorporate or reference relevant industry-recognised audit standards, such as those of the International Organization for Standardization (ISO), the Committee of Sponsoring Organizations (COSO) or the National Institute of Standards and Technology (NIST), with appropriate adaptation to the particular requirements of the mitigation agreement.

An FDI mitigation agreement compliance audit is not a financial audit but rather an assessment of the parties’ compliance with the control measures specified in the mitigation agreement. These controls are designed to address national security risks that result from the potential exposure of sensitive economic, technological, informational or physical assets to the threat of potential hostile foreign access or control consequent to the completion of a covered transaction. Specific controls may include physical, data and cybersecurity requirements; data, system and facility access controls, segregation or partition; personnel screening and restrictions on foreign person access; site, infrastructure and system protocols and inspections; data transfer restrictions and review; and trusted person security oversight, among other things. Compliance audits of the management, operational and technical policies, procedures, systems and tools necessary to implement the mitigation controls are often required periodically and the findings are reported to the designated GSAs.

TPAs typically execute compliance audits using some or all of the following:

  • preparation of the TPA plan: the TPA team works with the transaction parties to obtain and review relevant information, define requirements and prepare a draft audit plan for GSA review, outlining the audit scope, methodology and a proposed reporting timeline;
  • GSA review: the TPA team presents the TPA plan to the GSAs and works with the transaction parties to respond to GSA questions or comments and ensure that the audit plan addresses GSA equities;
  • audit execution: the TPA team implements the plan through deliberate requests for information, demonstrations, interviews, site visits and technical testing. The purpose of these activities is to conduct qualitative and technical testing of relevant policies, procedures, systems and transactions to confirm the implementation of effective controls. To the extent permitted by the relevant mitigation agreement and GSAs, the TPA may work with the transaction parties to address identified opportunities for improvement; and
  • delivery of the TPA report: the TPA team prepares a detailed audit report, describing scope, methodology, results of the controls testing and any identified gaps.

Recent examples of TPA engagements include audits in the automotive technology, professional services, biometrics and social media industries. In these engagements, the TPA audits the target company’s relevant policies, procedures, systems, communications, sensitive data, transactions and corresponding controls to assess compliance with the applicable mitigation requirements. The audit domains typically include a combination of requests for documentary information, transaction testing, demonstrations and inspections, and personnel interviews.

Cybersecurity auditor or assessor

A cybersecurity auditor or assessor (CSA) is a variant of a TPA sometimes required in the context of mitigation agreements involving particular risk regarding the security and integrity of sensitive data, systems and applications. In these circumstances, the mitigation agreement may specify a distinct ‘baseline’ CSA evaluation of the subject entity’s initial controls. Alternatively, the mitigation agreement may specify that a TPM or TPA execute CSA-oriented activities. CSAs typically employ an approach, methods and process similar to the items described above in connection with TPAs, but the activities (and associated CSA competencies) are necessarily more technical in character. CSA evaluations often explicitly rely on a recognised information or system security framework, such as ISO, NIST, or a secure software development life cycle.

Specific activities frequently associated with CSAs include:

  • assessing security framework-based controls;
  • assessing sensitive data and systems security;
  • penetration testing;
  • testing the integrity of products and applications;
  • reviewing the build environment and supply chain;
  • logical testing of systems and applications; and
  • code review.

Recent examples of CSA engagements include assessments of companies in the financial services, high technology, data analytics, software and social media industries. CSA-oriented requirements are becoming an increasingly frequent feature of mitigation agreements in the context of escalating cyber threats (such as ransomware and the SolarWinds supply chain compromise) across the broader global business environment.

Independent trustee or director

The role of independent trustee or independent director is frequently specified in mitigation agreements to address governance risks by creating insulation between foreign owners and the direction of mitigated entities. In addition to GSA-mandated mitigation agreements, carve-out provisions in several FDI review regimes exempt ‘passive’ foreign ownership (i.e., conditions in which the foreign owner derives only economic benefits and does not seek to exercise control over or access to technical or sensitive information regarding the owned entity) from review or mitigation. By implementing corporate governance structures and processes that ensure a deal is compliant with these carve-outs, foreign investors may continue to participate in a range of transaction opportunities without the risk, uncertainty and time requirements of FDI review. Similar structures and processes also can be applied to GSA-reviewed transactions that require mitigation to credibly insulate sensitive assets, information or operations from foreign control as a necessary part of a transaction mitigation agreement. These structures may be applied for a limited period, as in the case of a mandatory divestiture.

In appropriate situations, an expert consultant (in combination with expert counsel) can assist in operationalising collateral trusts, voting trusts, special purpose vehicles, or other tailored governance structures, to achieve transaction party objectives while appropriately insulating the transaction from active foreign ownership and associated mitigation risks. These solutions frequently require a combination of:

  • expert financial and transactional perspective coupled with financial institution capabilities;
  • deep understanding of financial and national security risks relating to FDI transactions;
  • experience in operationalising FDI trust vehicles tailored to particular transaction circumstances;
  • credible, bespoke risk assessments, mitigation control design, audits and monitoring;
  • collaborative engagement with investors, stakeholders, counsel and (where necessary) GSAs; and
  • integrated technical solutions to mitigate compliance and control risks.

Recent examples of these engagements include trusts in the financial services, aerospace and medical technology industries.

Third-party analysis and transaction risk assessment

To maximise opportunities for success in FDI review, transaction parties need to understand, from the GSA’s perspective, the potential threats posed by a foreign acquirer and the vulnerabilities of the target company’s sensitive assets or operations to foreign access, control and exploitation. Achieving this understanding early in the deal process, well before direct engagement with GSAs, enables the transaction parties and their counsel to design and plan transactions that both anticipate and proactively address the national security issues and concerns likely to be raised by GSAs. In addition, mitigation agreements sometimes require that transaction parties retain an independent third-party analyst to provide an evaluation of the exploitation risks and appropriate mitigation measures presented by a particular transaction or entity.

Expert consultants are able to draw on a range of transaction experience, technical capabilities and diverse perspectives to facilitate achieving situational understanding. Third-party analysts work with transaction parties and their counsel to comprehensively assess the potential national security threats posed by foreign buyers and their management personnel as well as consider the vulnerabilities of the target entity or asset. Relevant activities include the following:

  • Foreign party diligence: using a combination of diverse in-house, open-source and partner collection sources, and sound, disciplined analytic tradecraft, third-party analysts provide clients and their counsel with unparalleled insight into the foreign parties that may be involved in an investment transaction. From an analysis of the political, economic, sociological, technological, legal and environmental circumstances of the foreign investor’s host country, to specific information about the foreign buyer’s structure, business and governmental relationships, criminal history and places of operation (among other data elements), consultants provide essential, independent information and analysis of foreign parties to an FDI transaction to help transaction parties make informed investment and transactional decisions.
  • Target entity vulnerability reviews: third-party analysts review all management, operational and technical controls concerning critical infrastructure, technology or sensitive information. This includes network and data protection, cybersecurity, personnel screening, and physical and system access, to help discern both general and specific national security vulnerabilities that may be present as a result of a proposed foreign investment transaction.
  • Comprehensive risk assessments: third-party analysts leverage both their due diligence and vulnerability review expertise and capabilities to generate comprehensive national security risk assessments for clients and their counsel. These risk assessments provide insight into the likely overall position of GSAs with respect to a proposed transaction and the mitigation measures, if any, likely to be required as a condition of clearance of the transaction.

Recent examples of third-party analysis engagements include assessments of companies in the software, financial services, telecommunications and semiconductor industries.

Critical technology and sensitive data analyst

Recent FDI review regulatory reforms, such as the US Foreign Investment Risk Review Modernization Act, require technical analysis of the sensitivity or criticality of the technologies, data and infrastructure implicated by an FDI transaction to determine whether FDI review is required. These analyses often raise mixed questions requiring application of detailed regulatory provisions to complex technical facts. They may also require technically enabled or automated discovery regarding the target entity’s data, technologies and infrastructure to identify the issues that need to be evaluated. Investors, targets and counsel sometimes have an incomplete picture of what they know and need assistance to identify and define the relevant information and issues.

In such technically complex situations, able consultants combine expertise in cybersecurity, data governance, technology controls, regulatory and business operations to help transaction parties and counsel quickly inventory and classify products, technologies, data, services and infrastructure to enable timely planning and decision-making.

Recent examples of these engagements include assessments of companies in the industrial, aerospace, biomedical and high-technology industries.

Mitigation planning, design and implementation

When national security risks are presented in FDI transactions, preparation is critical for success. The transaction needs to be designed and mitigation strategies need to be developed to proactively address GSA concerns. Typical measures regarding security agreements come in the form of policies, procedures, operational processes or systems modifications that limit foreign control of, or access to, sensitive information, products, services, technologies and infrastructure. Soundly designed, proactively presented mitigation can be the difference between obtaining clearance with a sustainable set of requirements versus getting blocked or saddled with unsustainable controls.

Consultants work with transaction parties and counsel to plan, design, implement and test mitigation measures that effectively and efficiently address national security concerns without unnecessarily burdening business operations. Frequent activities include:

  • mitigation planning: consultants can help to map identified and likely national security risks to a target entity’s existing policies, processes and systems (existing or planned) that govern the control of, and access to, sensitive data, technology, products, services or critical infrastructure. The consultant then analyses the gaps between the existing and planned business operations regarding those issues to develop mitigation plans and other recommendations for review with representatives of the transaction parties and, where appropriate, the GSA;
  • design of mitigation controls: consultants collaborate closely with clients and their legal counsel to design mitigation measures that are pragmatic and efficient, based on the perceived level of risk. Controls should include minimised constraints on business operations and can encompass controls, processes and protocols for trusted person oversight and management of critical operations, protection of sensitive data, cybersecurity, personnel screening and physical and system access;
  • implementation of controls: consultants work with government agencies and transaction parties to construct and put into place precise, auditable management structures, policies, processes, systems and controls that effectively address any national security risks identified in a transaction. Measures include drafting control-specific policies and procedures and selecting appropriate software, technology, systems and tools; and
  • testing of mitigation measures: consultants independently test and validate mitigation controls to ensure that they are operating effectively. If needed, the consultants will then assist in designing and implementing changes and enhancements.

Recent examples of mitigation design engagements include companies in the financial services and high technology industries.

Security office as a service

Parties subject to GSA mitigation agreements typically are required to designate a corporate officer responsible for compliance and to implement compliance controls in the form of policies, procedures, operational processes and systems that limit control of, or access to, sensitive information, products, services, technologies and infrastructure. The successful implementation of these mitigation efforts depends heavily on the capabilities available to the organisation. Particularly in the context of mitigation agreements with extensive, complex and technical requirements, or where the mitigated entity does not have mature compliance capabilities, consultants can perform a number of helpful activities, including:

  • senior national security leadership: consultants who have served in senior roles within GSAs, executive business leaders and compliance professionals can provide senior level leadership and (with GSA concurrence) serve as acting mitigation compliance officers;
  • programme office: consultants can help organisations create and operationalise GSA-mandated compliance programmes. Professionals with relevant subject matter expertise and experience will integrate with organisation stakeholders to efficiently design, implement and run a mitigation compliance programme; and
  • area-specific assistance: consultants can deploy a range of technical expertise and capabilities to assist transaction parties with addressing various mitigation agreement requirements. (The table, below, sets out some of these requirements.)
Issue area: Sensitive data
Assistance examples:
  • Helping to implement a segmented, secured data environment
  • Reviewing implementation and efficacy of data loss prevention (DLP) tools
  • Using artificial intelligence-assisted e-discovery tools to monitor electronic communications for sensitive or prohibited data transfers
  • Helping to implement a controlled data inventory and operationalising corresponding technical and operational controls
  • Implementing real-time, in-person secure data rooms for cleared communications
  • Implementing secure, auditable communication channels and monitoring tools (e.g., separate, controlled email domains)
  • Reviewing third-party sensitive data access, responsibilities and relevant terms and conditions
  • Conducting post-breach containment, forensic investigation, root cause analysis and controls enhancement (e.g., DLP tool optimisation)

Issue area: Critical technologies
Assistance examples:
  • Coordinating and executing product integrity testing
  • Coordinating and executing build environment vulnerability testing and source code reviews
  • Facilitating export jurisdiction and classification reviews of company products and technologies
  • Helping to implement a technical control environment
  • Implementing secure, auditable communication channels and monitoring tools (separate, controlled email domains; DLP tools; etc.)

Issue area: Proximity and access
Assistance examples:
  • Assessing effectiveness of physical security and surveillance systems
  • Assessing visitor screening and escorted access security
  • Assessing vulnerabilities of cybersecurity and supervisory control and data acquisition (SCADA) systems
  • Oversight and review of procurement activity
  • Oversight of third-party contractor activities and performance at monitored facilities
  • Logical and physical penetration testing

Recent examples of this type of engagement include companies in the biotechnology, data analytics and critical infrastructure industries.

Strategic communications and engagement

FDI reviews implicate tangled issues of national security, economic and social policy, and politics. Although GSAs typically are focused on what they understand to be core national security equities, political actors, business competitors and other policy entrepreneurs may seek to influence the FDI review process to achieve preferred outcomes in particular transactions. Consultants with a perspective as politicians, policy makers, strategists or industry leaders can assist transaction parties and counsel with evaluation, response and engagement to navigate these complex developments.

Recent examples of this type of complex engagement include assistance to companies that have been publicly identified as subject to FDI review, including (among others) Qualcomm, Inc and TikTok.


Notes

1 Randall H Cook, Waqas Shahid, Alan Levesque and Vincent Mekles are senior managing directors at Ankura Consulting Group. The authors wish to acknowledge the contributions of Gabrielle (Elle) Labitt (associate) in preparing the chapter.