In today’s interconnected world, US businesses—especially those in the tech and data sectors—are increasingly targeted by malicious foreign investors. On 24 July 2024, the United States National Counterintelligence and Security Center issued an advisory to venture capital firms, private equity groups and startups, warning that foreign intelligence agencies are using investment opportunities to access sensitive US technology.
You might think your business is not on their radar, especially if you do not offer products or services directly related to national security. However, even if your business does not provide a complete solution, it could still serve as a pathway for transferring technology and intellectual property to malicious actors, potentially harming your brand or posing risks to US national security.
Given these serious risks, it is crucial for businesses to take proactive measures.
- Data theft: proprietary information can be stolen and used to undermine your competitive position globally
- Loss of contracts: foreign control might lead to the loss of valuable U.S. government contracts
- Supply chain exclusion: investments from certain countries can result in exclusion from key supply chains
- Unwanted influence: foreign investors may sway corporate decisions to serve their own national interests For national security, the implications are even more severe and include:
- Control over critical technologies: foreign entities could gain control over technologies vital to national defense
- Supply chain vulnerabilities: dependence on foreign-controlled supply chains can create strategic weaknesses
- Facilitation of espionage: investments can facilitate spying and intelligence gathering
- Sensitive data transfer: personal and critical data might end up in the wrong hands
- Enhanced foreign capabilities: acquired data can boost foreign military and economic power
- National security threats: US businesses tied to government contracts become direct targets
The risks of malicious foreign investment
Malicious foreign investments can pose significant threats to both businesses and national security. For businesses, these include:
Eight steps to protect your business
1. Identify and protect critical assets
Start by identifying what is most valuable to your business—whether it is proprietary technology, intellectual property (IP), customer data or other sensitive information. Once identified, secure these assets through encryption, access controls and compartmentalization. Conduct an internal audit to assess existing protections. Appoint a dedicated risk manager to oversee these efforts and ensure legal agreements include strong protective clauses.
2. Know your investor
Understanding who your investors are is key to protecting your business. This involves conducting thorough due diligence to verify their identity, ownership structure and source of funding. As with initial due diligence, businesses should conduct a detailed analysis of the investor’s corporate structure, looking for signs of shell businesses, complex ownership arrangements or intermediaries that could be hiding the investment’s true origin. Look into any connections the investors may have with foreign governments or military entities and ensure they comply with US sanctions and export controls. Regularly audit and monitor the investment relationship to detect any changes in ownership or control that could pose a risk.
3. Limit data sharing
Protect your sensitive information and data by sharing only what is necessary. Establish clear protocols outlining which data can be shared and set strict conditions for sharing. Identify non-negotiable data that should never be disclosed, regardless of investor pressure. Use secure methods for exchanging data and closely monitor data during negotiations to prevent unauthorised access.
4. Engage with federal agencies
Federal agencies like the FBI and the National Counterintelligence and Security Center offer valuable resources and up-to-date threat information. They can provide industry-specific threat briefings and best practices to help you stay informed about the national security landscape. Regular engagement with these agencies helps you stay ahead of potential threats and ensures you remain compliant with regulatory requirements.
5. Establish legal and contractual protections
Protect your business’s critical assets through robust legal agreements. Draft contracts that include clauses safeguarding your intellectual property and proprietary data. Ensure these contracts specify legal recourse in case of breaches and are enforceable in the investor’s home country. Consult legal experts to ensure compliance with both US and international laws.
6. Regularly update security protocols
Keep your security measures up to date to defend against evolving threats. Regularly review and enhance your physical and cybersecurity measures, implement the latest encryption technologies, and update software to address new vulnerabilities. Train your employees in security best practices and conduct periodic risk assessments to identify and fix any weaknesses.
7. Educate and train employees
A well-informed team is your first line of defense. Develop training programs to educate employees about the risks associated with foreign investments and how to recognise potential red flags. Regular workshops and online modules can keep your team up to date on the latest security threats and best practices. Implement a clear system for employees to report any concerns.
8. Develop a crisis response plan
Be prepared for the worst by having a crisis response plan in place. Define roles and responsibilities for key personnel in the event of a security incident. Outline steps for containing breaches, communicating with stakeholders and cooperating with law enforcement. Conduct regular drills to ensure your team can respond swiftly and effectively to real crises.
In today’s environment, the stakes are high—not just for your business but also for national security. It is essential to have a plan to identify and build protocols that secure your critical assets. Taking these proactive steps can save time, money and protect your reputation.