Common Causes of CFIUS Agreement Non-Compliance and Enforcement Risk

Ankura

Following the update to the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) Enforcement and Penalty Guidelines, the Committee has continued to signal its intention to more heavily leverage enforcement authority as a means to punish and deter non-compliance with requirements imposed under CFIUS Agreements. Particularly for matters that present comparatively increased risk (e.g., sensitivity of data; volume of data; level of foreign investor’s activity) or public profile, independent third-party oversight, usually in the form of a third-party monitor or auditor, has become a tool both for agreement-wide compliance assessments and for specifically tailored investigations into areas of known or suspected non-compliance. Especially for the latter, at times it may be the case -- though certainly not always -- that the investigation is partially intended to inform the breadth and impact of any identified non-compliance as well as whether the matter should be evaluated for enforcement action.

Ankura has conducted numerous overall compliance audits and monitorships, as well as tailored non-compliance investigations. Our team has observed certain areas routinely crop up as root causes of non-compliance, which put an organization at materially increased risk of enforcement action. These areas are described below, along with measures that organizations can consider to help mitigate non-compliance risk and, correspondingly, the reputational and financial impact of possible enforcement action. Notably, this is not to imply that enforcement risk exists only if a CFIUS Agreement envisions third-party oversight; rather, such oversight has provided a vantage point from which to observe, across organizations of different sizes and in different sectors, common areas of compliance risk under CFIUS Agreements.

1. Written Operational Definitions of Key Terms. CFIUS Agreements often are purposefully broad or ambiguous with respect to key definitions, usually set out in the first article of the agreement. Among others, definitions of access, affiliation, communication, third-party relationships, and the scope of sensitive data or asset types to be protected can be broadly drafted to provide flexibility, ensuring that future operational developments, growth, or change to the organization are less likely to result in unintended end-runs around national security priorities.

Broad or ambiguous terms are not necessarily localized within the definitions section. They also may appear in substantive compliance obligations. In some cases, the intentional ambiguity is obvious on its face (e.g., measuring cybersecurity compliance against “industry standard,” to allow an organization to reasonably define a recognized compliance standard that aligns with business operations). In other cases, the need for operational definitions is more implicit (e.g., a requirement related to advance CFIUS Monitoring Agency (CMA) notification before access is provided to a vendor that will support software development efforts requires a consistent application of how the organization will determine what constitutes supporting software development efforts).

At bottom, the scope of almost any compliance obligation turns first on how that obligation is operationally defined. The possibility of material space between an organization’s interpretation and the CMA’s interpretation of the scope of a compliance obligation creates a material risk of non-compliance and, by extension, a risk of enforcement action. Broad or ambiguous definitions also create a risk that different actors within an organization may interpret or apply compliance provisions in different, inconsistent, or contradictory ways, or in ways that may appear counter to the equities of the CFIUS Agreement. There are various ways to close the gap, but common approaches are (i) a Glossary of Terms Policy that describes how the organization is going to operationally apply all key terms within a CFIUS Agreement, with that policy then generally incorporated into other policies and procedures that address specific compliance obligations; or (ii) including an Operational Definitions section within each policy or procedure that addresses a specific compliance obligation, to clearly define the scope of the obligation while ensuring, of course, that identical definitions are applied across policies.

Whichever vehicle is used to define key terms in writing, the best practice is to engage relevant organization stakeholders in the development of consistently executable functional definitions, integrate these functional definitions into relevant organization procedures and processes, and provide the operational definition(s) to the CMAs for awareness and input if the CMAs so desire. While non-objection by the CMAs to a particular operational definition cannot guarantee there will be no future disagreements on compliance scope, it provides some indication of scope alignment. Moreover, at minimum, it demonstrates the organization’s clear intent to implement a compliance program that fully addresses the national security risks of interest to the CMAs in a transparent and trustworthy way. Notably, this best practice would apply both at the initial drafting stage as well as to any material modifications that may be made over time to the operational definition of any key term.

2. Sensitive Asset and Data Mapping. In many if not most cases, the goal of a CFIUS Agreement is to ensure control of access to sensitive data or assets. Access risk takes multiple forms, but most commonly: (i) logical access via approved credentials to a system or application containing the sensitive data; (ii) logical access via insufficient security controls to prevent unauthorized access; (iii) logical access via a properly permitted user impermissibly disseminating information to a prohibited party; or (iv) physical access to a sensitive asset, to a hard-copy document containing sensitive data, or to a piece of logical infrastructure through which sensitive data may be accessed (e.g., an on-premises server containing sensitive data). If the organization allows sensitive data to proliferate outside of its environment to the logical environments of third-party vendors supporting the organization, including through Software as a Service (SaaS) applications or other support relationships, that presents another vector of risk.

While not true in all cases, demonstrating compliance often requires an organization to clearly show that it has comprehensively identified within its own physical and logical environment (and across third-party environments, if applicable) where the sensitive assets or data controlled by the CFIUS Agreement are accessible. Particularly for large organizations with complex logical environments and/or decentralized management structures, sensitive asset and data mapping can be a cumbersome, resource-intensive, and costly endeavor. There also is no one-size-fits-all approach to asset and data mapping. In some cases, particularly where the sensitive data to be protected overlaps with export-controlled information, document marking tools can be used as a means to track where sensitive information lives across a logical environment. In other cases, an application-by-application approach, informed by discussions with key users of each application, has been used. These are just two different approaches to effectively map data.

As to third-party risk, it is increasingly common for organizations to not proliferate sensitive data outside of their logical environments. Rather, third parties are provisioned accounts within the organization’s logical environment and are provided access through that account so that the third-party personnel handling the data remain subject to the same types of logical controls (e.g., domain blocking; data loss prevention rules; geoblocking) applied to the organization’s employees. Notably, this practice does not address access risk arising from sensitive data stored outside of the organization’s environment in third-party SaaS applications or with cloud-service providers, and organizations should take care to specifically assess access and proliferation risk associated with sensitive data storage in third-party environments. Regardless, it generally is expected that terms will be negotiated within the third-party contract, wherever feasible, to establish a contractual basis for ensuring that third-party personnel with access to sensitive data abide by CFIUS Agreement-imposed obligations related to access and non-dissemination.

3. Proliferation. Proliferation presents a final common area of compliance risk. That is, even after a compliance obligation is operationally defined and there is a comprehensive analysis of where all sensitive assets and data live, how does an organization ensure either: (i) that the sensitive data does not proliferate to any other system or application where access restrictions or other relevant controls do not apply; or (ii) that security/compliance personnel can identify, in near real time, any proliferation to a non-controlled system and immediately implement controls on the system or application that now contains sensitive data?

The scope of proliferation controls usually is informed by the compliance obligations imposed by the CFIUS Agreement. 

  • If the CFIUS Agreement exclusively focuses on non-dissemination of sensitive information to prohibited parties outside of the organization’s environment, then data controls at the perimeter of the IT environment may be sufficient to logically secure the sensitive data, reducing concern about how data may proliferate within the organization’s environment. (Note that this type of restriction may not obviate the data mapping requirement, as the organization still may need to demonstrate that it does not authorize credentials to any non-permitted user to a system or application containing sensitive data, particularly if the CFIUS Agreement or related policies incorporate principles of least privilege).  
  • If the CFIUS Agreement includes limitations on which of the organization’s employees or third parties may have access to sensitive data, requires advance CMA notification and non-objection before certain persons (e.g., foreign employees or third parties) are provided access to sensitive data, or contains other requirements that effectively require control of sensitive data access at a by-person level, proliferation controls become a necessity for demonstrating comprehensive compliance. 

Systems or applications containing structured data often provide functionality for the implementation of rulesets that can restrict access to the system or application and control proliferation. Where data is unstructured, or where employees may control who has access to information, ruleset restrictions often are far more challenging to implement. Routine training and back-end selective auditing -- particularly around email and collaboration sites, as informed by a risk analysis of where sensitive data is more likely to reside -- are common tools to increase confidence that sensitive data access aligns with CFIUS Agreement requirements.
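To make the data-mapping point of section 2 and the proliferation point of section 3 concrete, the following is an added illustration, not Ankura's code and not drawn from any CFIUS Agreement. It assumes a hypothetical data map (which systems hold controlled data and which persons, including a CMA-noticed third party, are approved to access each), a hypothetical perimeter rule (internal email domains), and constructed access-log lines in a made-up format. The review flags three of the access-risk forms the article describes: a non-approved person accessing a mapped system, a copy of sensitive data to a system not on the map (which is then added to an "uncontrolled" list so interim controls can be applied), and a share to an address outside the perimeter.

```python
"""
Added illustration (not Ankura's code or any CFIUS Agreement's text): a small
per-person access review and proliferation check of the kind the article
describes. Every system name, user name, domain and log line is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sensitive asset/data map: systems known to hold controlled data
# and the persons approved to access each (vendor-dpatel stands in for a
# CMA-noticed third party provisioned an account inside the environment).
SENSITIVE_SYSTEMS = {
    "hr-db": {"approved_users": {"alice", "bob"}},
    "crm": {"approved_users": {"alice", "carol", "vendor-dpatel"}},
}
# Domains treated as inside the organization's perimeter (domain-blocking rule).
INTERNAL_DOMAINS = {"example.com"}

# Constructed log format: "<ts> user=<u> system=<s> action=<a> [target=<t>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) system=(?P<system>\S+) "
    r"action=(?P<action>\S+)(?: target=(?P<target>\S+))?$"
)


@dataclass
class Finding:
    kind: str  # "unauthorized_access", "proliferation" or "external_share"
    user: str
    system: str
    detail: str


@dataclass
class ReviewResult:
    findings: list = field(default_factory=list)
    # Systems that now hold sensitive data but have no approved-user list yet.
    uncontrolled_systems: set = field(default_factory=set)


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def review_access_log(lines, sensitive_systems=SENSITIVE_SYSTEMS,
                      internal_domains=INTERNAL_DOMAINS):
    """Apply the by-person access rule and the proliferation rule to log lines.

    A copy_to an unmapped system is treated as proliferation: the target is
    recorded as uncontrolled and added to the live map with an empty approved
    list, so any later access to it is flagged until the map is reviewed.
    """
    result = ReviewResult()
    # Work on a copy so each review starts from the static data map.
    data_map = {name: set(info["approved_users"])
                for name, info in sensitive_systems.items()}
    for line in lines:
        ev = parse_line(line)
        user, system = ev["user"], ev["system"]
        action, target = ev["action"], ev["target"]
        if system not in data_map:
            continue  # not a sensitive system according to the data map
        if user not in data_map[system]:
            result.findings.append(Finding(
                "unauthorized_access", user, system,
                f"{user} is not on the approved list for {system}"))
        if action == "copy_to" and target not in data_map:
            result.findings.append(Finding(
                "proliferation", user, system,
                f"sensitive data copied to unmapped system {target}"))
            result.uncontrolled_systems.add(target)
            data_map[target] = set()  # now tracked; nobody approved yet
        elif action == "share":
            domain = target.rsplit("@", 1)[-1]
            if domain not in internal_domains:
                result.findings.append(Finding(
                    "external_share", user, system,
                    f"shared with {target} outside the perimeter"))
    return result


# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z user=alice system=hr-db action=read",
    "2024-03-01T09:05:00Z user=dave system=hr-db action=read",
    "2024-03-01T09:10:00Z user=carol system=crm action=copy_to target=sharepoint-sales",
    "2024-03-01T09:12:00Z user=carol system=sharepoint-sales action=read",
    "2024-03-01T09:15:00Z user=bob system=hr-db action=share target=partner@outside.example",
    "2024-03-01T09:20:00Z user=alice system=wiki action=read",
]

if __name__ == "__main__":
    res = review_access_log(SAMPLE_LOG)
    for f in res.findings:
        print(f"{f.kind:20} {f.user:8} {f.system:18} {f.detail}")
    print("systems needing interim controls:", sorted(res.uncontrolled_systems))
```

On the sample log, the review yields four findings (dave's read of hr-db, carol's copy to sharepoint-sales, carol's subsequent read of the now-tracked sharepoint-sales, and bob's share to an outside domain) and lists sharepoint-sales as needing interim controls; alice's read of wiki is ignored because wiki is not on the data map. The design choice worth noting is that the data map is the input to the proliferation check: a system the organization has not mapped cannot be enforced against, which is the article's reason for treating mapping and proliferation control as linked obligations.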

****

The above focus on operational scope, data mapping, and proliferation should not be construed to ignore the criticality of implementing a comprehensive controls regime that is sufficient as to breadth (fully addresses each requirement) and efficacy (operates as intended). Stated differently, clearly defining the scope of obligations, knowing all logical and physical locations where sensitive data resides, and controlling the proliferation of that data is of marginal value if the actual authorized and unauthorized access controls implemented at each of the logical and physical locations do not prevent the type of access prohibited by the CFIUS Agreement. Similarly, if organizational leadership does not understand the operational requirements imposed by CFIUS Agreements, or if there is a lack of clarity around ownership of critical mitigation functions and operations (e.g., sensitive data identification, classification, transfer, and protection), such misalignment of understanding or operational accountability can result in material non-compliances regardless of the effort undertaken to develop a comprehensive security program.

Finally, drafting policies, comprehensively mapping sensitive data and assets, and implementing proliferation controls can take a significant amount of time. While those efforts are ongoing, organizations must identify and implement interim mitigation controls to reduce non-compliance risk while a more comprehensive control regime is being defined and implemented. For example, not immediately knowing everywhere that sensitive data resides should not stop an organization from implementing controls for all locations where the company reasonably believes that the sensitive data resides.

Nevertheless, in the final analysis, it often will be the case that as an organization spends more time under the requirements imposed by a CFIUS Agreement, the CMAs increasingly will expect a level of analytical rigor and sophistication around compliance, coupled with the implementation of responsive controls, that demonstrates that the national security risk has been correctly and comprehensively defined, scoped, and addressed. With enforcement increasingly becoming a tool used by CFIUS to address and deter non-compliance, failing to achieve, over a reasonable time, that level of analytical rigor to the CMAs’ satisfaction presents a level of reputational and financial risk that most organizations are not likely to accept.

Written by:

Ankura