The Matrix

In March 2023, the White House released the National Cybersecurity Strategy, which details the Biden administration’s policy and agency directives to strengthen U.S. cybersecurity across the public and private sectors. Cybersecurity regulations and cybersecurity responses affect both U.S. national security as well as the security and stability of U.S. businesses and individuals. The 2023 National Cybersecurity Strategy replaces the 2018 National Cyber Strategy set forth under the Trump administration and builds on the 2008 Comprehensive National Cybersecurity Initiative set forth under the Obama administration.  

On September 15, 2022, President Biden issued the first Presidential Directive to refine the scope of the Committee for Foreign Investment in the United States (“CFIUS”) following the 2018 Foreign Investment Risk Review Modernization Act of 2018.  CFIUS is empowered to review business transactions that result in a foreign person having ownership or control rights over U.S. companies.  While CFIUS review is a largely voluntary process, it is mandatory when foreign owners or investors may be tied to foreign governments or when a target business is involved with certain critical U.S. technologies.  CFIUS may, as a result of its review, take remedial steps to address national security concerns imposed by the transaction, such as imposing mitigation agreements or third-party monitors.  CFIUS may also refer the transaction for Presidential review. Ultimately, CFIUS can unwind a business transaction – even years after the closing. 

On September 21, 2021, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an updated ransomware advisory (the “2021 Guidance”), which supersedes its 2020 ransomware guidance (the “2020 Guidance”), discussed in a previous post on this blog. 

In the 2021 Guidance, OFAC notes that ransomware payment demands have escalated during the COVID-19 pandemic as U.S. businesses maintain significant online and internet-connected activities.  OFAC identifies a 21 percent increase in ransomware attacks and a 225 percent increase in ransomware losses as reported by the Federal Bureau of Investigation (FBI).  The  pandemic has presented numerous opportunities for cyber actors to target system vulnerabilities, particularly smaller businesses and municipal entities with limited resources for cybersecurity investments as well as entities supporting critical infrastructure, such as hospitals, that are likely to make quick payments to avoid service disruptions to patients. 

Business transactions, management changes or investments involving non-U.S. companies or individuals receiving control or information rights to U.S. companies are subject to review by the U.S. government for national security purposes. There is a particular concern if any sensitive individual or government data is held by the U.S. company.  U.S. companies holding sensitive data should consider whether their business may be subject to CFIUS review prior to entering any investment or engaging in M&A activities.