This piece is written by Elixirr’s cybersecurity experts, in collaboration with John Lash, Founder of specialised security consultancy, Darkhorse. John has worked with our team for several years on a number of strategic and tactical cybersecurity projects, bringing his deep expertise and knowledge to support across multiple client engagements.

Today, the nations of the world are so interconnected that digital technology is present in every man-made structure and beamed across the globe wirelessly, and invisibly, by satellites and other devices. All these interconnections present a tremendous opportunity, but also a pathway for bad actors. Cyber threats and incidents are front-page news, causing public humiliation and financial loss to governments and organisations alike. These threats must be dealt with in a way that safeguards national security, protects economic stability and ensures personal privacy.

As global economic conditions continue to be volatile, the landscape for investments, mergers and acquisitions, and other forms of capital markets activity remains highly dynamic. However, given the current geopolitical environment, market participants must recognise that not all capital is treated equally: treatment varies significantly whether a company is seeking to raise funds or an investor is looking to deploy funds into opportunistic investments worldwide. A key component of the risk in these investment activities relates to cybersecurity, including how resilient a company may be to potential cyber threats and how mature its cybersecurity posture is to protect and defend against a new era of emerging risks.

Learning from past data breaches

In 2022, 83% of organisations experienced more than one data breach. What’s more, companies suffered an average decline of 7.5% in their stock values after a breach. One well-known example, the ‘SolarWinds Supply Chain Attack’ of 2020, is widely regarded as one of the most audacious cyber espionage campaigns. State-sponsored attackers compromised the software supply chain of SolarWinds, a prominent IT company, which led to the infiltration of numerous government agencies and private corporations, highlighting the far-reaching consequences of compromised supply chains.

Learning from SolarWinds, it’s clear that a National Security Investment Review (NSIR) is hugely important. An NSIR assesses foreign investment in sensitive industries, seeking to minimise risks and prevent adverse national security outcomes. Read on for insights and lessons learned from NSIRs with global institutions across the US, UK and Europe.

The origin of NSIRs  

The creation of NSIRs can be traced to a variety of contributing factors: national security concerns, foreign investment and risk associated with sensitive technologies.

The Committee on Foreign Investment in the United States (CFIUS) is the main governing body that assesses foreign investments for national security risks. The committee dates to 1988 and the Exon-Florio amendment, which empowered the President of the United States to suspend or prohibit certain merger and acquisition deals that could pose a threat to national security. Since that time, the authority of CFIUS has been expanded twice: once in 2007 by the Foreign Investment and National Security Act of 2007 (FINSA) and again in 2018 by the Foreign Investment Risk Review Modernization Act (FIRRMA). In 2022, President Biden issued the first-ever presidential directive (Executive Order 14083) to further address evolving national security risks and enforcement guidelines; the directive focused on key areas including cybersecurity risks, sensitive data, and US technological leadership. 

Across the pond

In the UK, an equivalent governing body exists, established by the National Security and Investment Act of 2021 (NSIA), which granted the government the power to scrutinise and potentially block or modify investments that pose a threat to national security.

Throughout Europe, NSIRs vary from country to country, as there is no pan-European framework for national cybersecurity regulation, although the European Union strongly encourages member states to adopt foreign investment screening regulations. As of June 2023, 18 member states have new or revised regimes in place and 5 are expected to follow suit later this year, leaving Bulgaria as the only member state with neither an existing nor a proposed foreign investment screening regime.

The common thread across NSIRs worldwide is an expansive focus on cybersecurity as it relates to the protection of critical infrastructure, sensitive data and intellectual property of companies and their customers, as well as protecting government operations. Throughout the review process, companies and investors must be able to define how their cybersecurity programs deter and prevent cyberattacks, protect their infrastructure and sensitive data, and remain free from outside interference.

Practical advice

Global interconnectivity and reliance on technology are not slowing down, and therefore cybersecurity will remain the linchpin of security and compliance efforts. While many companies are already investing heavily in cybersecurity, many of the security conditions imposed by governments during NSIRs require an expansion of these efforts with respect to cybersecurity posture and programme maturity. When considering investment activity that will fall within NSIR regulations, businesses must consider the following:

  • Implementing strong security controls consistent with global frameworks. This includes considering how the control environment aligns with guidelines and frameworks such as ISO 27001, the Center for Internet Security (CIS) Controls, and the standards developed by the National Institute of Standards and Technology (NIST). The control environment should cover categories including, but not limited to, access control, inventories of authorised devices, secure configurations, data recovery, logging, penetration testing, security training, and incident handling and response.
  • Cybersecurity education across the organisation. Employees are often the weakest link in the security chain, and it is important to train them on how to identify and avoid cyberattacks. 
  • Cyber resilience and response. Companies must have a plan for responding to cyberattacks that will not only address the issue but also ensure business continuity, returning them to business as usual as quickly as possible. 

For companies that receive regulatory approval at the conclusion of their NSIR, there may be an agreement in place with the governmental authority to maintain certain cybersecurity protocols to mitigate against national security risks. In these cases, the company must develop and operationalise a robust cybersecurity program to comply with that agreement. If the company does not meet those obligations, governmental authorities can impose penalties for non-compliance. 

The reality of non-compliance

The US government authorises CFIUS to impose monetary penalties (in 2019, the government issued a USD 1 million civil penalty) and to seek other remedies (directed notices, action plans, etc.) for violations of the guidelines. Typical violations include failure to file timely notices, non-compliance with CFIUS mitigations, material misstatement and omission, or false certification. CFIUS relies on a variety of sources for information, such as the US government, publicly available information and third-party providers (e.g., auditors and monitors).

In the UK, enforcement against non-compliance is handled by the Investment Security Unit (ISU), a governmental group residing within the Department for Business, Energy and Industrial Strategy (BEIS). Penalties can apply to individuals, businesses or both. For individuals, the penalty is based on a percentage of income, whereas for businesses the maximum penalty is the greater of 5 percent of annual turnover or GBP 10 million.

Two European examples illustrate the penalties for non-compliance with foreign direct investment regulations. In France, an investment made without authorisation can result in the issuance of injunctions to file an application for authorisation, to reverse the transaction or to modify the investment; penalties of twice the amount of the investment, 10 percent of the target’s annual turnover or EUR 5 million can be imposed, whichever is greatest. In Germany, an intentional breach is punishable by imprisonment for up to 5 years or a fine, while breaches due to negligence are punishable by an administrative fine of up to EUR 500,000.

Both business imperative and mandated requirement 

Ultimately, while cybersecurity should be a business imperative for companies given the potential commercial ramifications, in certain cases with respect to NSIRs the cybersecurity environment is a mandated requirement with the potential for significant penalties. Given the technological integration of the modern world, the US, UK, Europe and other modern economies across the globe face shared challenges to cooperation: differing legal frameworks (large differences in data protection laws, liability frameworks and breach notification requirements that hinder collaboration), cultural norms (political considerations that affect the prioritisation of cybersecurity), economic structures and technology landscapes.

Some notable initiatives to promote interregional cybersecurity are as follows:

  • GDPR (Europe): The General Data Protection Regulation (GDPR) is a significant effort to harmonise data protection regulations across the European Union. It sets a common standard for data protection and privacy, influencing how organisations handle personal data.
  • NIS Directive (Europe): The EU Directive on Security of Network and Information Systems (NIS Directive) aims to achieve a common level of cybersecurity across EU member states, particularly for critical infrastructure sectors.
  • EU-US Privacy Shield: While no longer in effect, the EU-US Privacy Shield was an attempt to facilitate the transfer of personal data between the EU and the US by ensuring that American companies met European data protection standards.
  • Cybersecurity Information Sharing: Initiatives that promote the sharing of cybersecurity threat intelligence and best practices among nations can indirectly lead to some level of harmonisation; examples include the US Cyber Information Sharing Act (CISA) of 2015 and similar efforts in other regions.
  • International Standards (ISO): The International Organisation for Standardisation (ISO) develops cybersecurity standards (e.g., ISO 27001) that can provide a common framework for organisations worldwide, encouraging alignment across regions.

Take action, today

Based on our collective experience in this space, we urge you to apply these learnings to your businesses. These NSIR regulations are motivated by, and contain expansive provisions for, protecting the cybersecurity interests of critical infrastructure, preserving technological leadership and safeguarding sensitive information from foreign control. In all three regions, the creation of these reviews highlights the increasing understanding of national security risks associated with foreign investments.

Importantly, having a well-established and maintained cybersecurity program within an organisation will help a company navigate a national security review from the onset. The ability to provide an evidence-based and programmatic approach will provide regulators with key information necessary to help achieve a positive outcome. At the conclusion of a merger, acquisition, or foreign investment deal, enhancing the maturity of your cybersecurity program will aid in preventing any future issues which may cause commercial harm or incur regulatory penalties.

Our teams of experts at both Elixirr and Darkhorse have the ability and experience to help you navigate the complex process of national security investment reviews in a constantly evolving, technologically connected world. 

Connect with us