National Counterintelligence and Security Center Warns Against Use of Investments by Foreign Adversaries

Author

Aaron Pinnick

Type

Cyber Alert

Topics
  • AML and Financial Crime
  • Cybersecurity
  • Portfolio Company Risk Management
  • Private Fund

On Wednesday, July 24th, the United States (U.S.) National Counterintelligence and Security Center (NCSC) published a bulletin warning that foreign threat actors may use private investments – such as venture capital and private equity – to exploit tech startups, presenting a potential threat to economic and national security. The NCSC outlined the potential threat, indicators that may be associated with investment efforts by foreign threat actors, as well as mitigation steps that can be taken by U.S. companies.

The Threat

The NCSC notes that venture capital (VC) investment from China has focused on emerging technology sectors such as AI and other People's Republic of China (PRC) government priorities, sparking concerns regarding the use of VC investments as a gateway for foreign threat actors to obtain intellectual property and data associated with U.S. firms. Recent developments have heightened this concern, with IDG Capital, a Chinese VC, being identified by the U.S. Department of Defense as a “Chinese Military Company.” The firm has investments in more than 1,600 companies, including several in the United States.

Additionally, the U.S. Department of the Treasury has noted that advisers may unintentionally engage in money laundering activities when a private fund is formed with foreign investments without an appropriate understanding of the origin of the funds.

More specifically, foreign threat actors may:

  • Structure their investments to avoid scrutiny from the Committee on Foreign Investment in the United States (CFIUS).
  • Route investments through intermediaries in the U.S. or other countries to obscure the source of the investment.
  • Use minority and limited partner investments.
  • Attempt to acquire sensitive or proprietary data under the guise of due diligence.

These efforts can result in:

  • Loss of Market Share - Should proprietary data be obtained by foreign threat actors, it may be used to compete against the startup, resulting in loss of market share.
  • Loss of U.S. Government Contracts and Funding - Startups with investment by foreign threat actors can be denied U.S. government contracts and funding.
  • Undue Foreign Influence - Investment by foreign threat actors may result in corporate decisions or direction that benefit those actors, to the detriment of the U.S.-based startup.
  • Loss of Data and Technology - Foreign threat actors can acquire data and technology from U.S. startups that advances their nation’s economic and military capabilities at the expense of the U.S.
  • Targeting by Threat Actors - Startups contracted with the U.S. government may be targeted by foreign threat actors to threaten U.S. national security.

Indicators to Watch For:

U.S. startups should be aware of activities that may indicate attempted investment by foreign threat actors, such as:

  • Foreign investors with complex ownership structures, such as separate entities with the same key personnel or shell companies with no substantive purpose.
  • Foreign investments performed through intermediaries, such as funds, partners or other entities in the U.S. or other countries.
  • Foreign investments that are made indirectly through U.S. firms or other firms in which they are limited partners.
  • Foreign investment offers that are accompanied by requests for sensitive or proprietary data prior to investment.
  • Foreign investments accompanied by requests for transfer of intellectual property in exchange for capital.

How to Mitigate or Prevent Investment by Foreign Threat Actors

U.S. firms can take steps to safeguard themselves against investment by foreign threat actors:

  • Identify and protect critical assets to prevent the most valuable data and proprietary technologies from being affected by contracts and investment agreements. Firms should ensure legal and contractual agreements protecting these assets are enforceable in the investor’s home country.
  • Investors should be scrutinized for potential risks. Firms should verify investor information, including ownership and origin of their funding. Investors should be vetted to determine whether they are subject to sanctions, export controls, or similar restrictions.
  • Exposure of data and any intellectual property should be limited, and protocols should be established to ensure any sensitive data is handled appropriately and only shared with vetted investors if there is an absolute need.

How We Help

  • Portfolio Company Oversight
    ACA Vantage for Cyber can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage. Powered by ACA Aponix®, ACA Vantage for Cyber combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha®, and our exclusive "RealRisk" risk assessment methodology.
  • AML Advisory, Managed Services, and Technology
    ACA’s AML and Financial Crimes practice provides solutions to help firms address threats and regulatory obligations associated with financial crime. We work with investment advisers and broker-dealers, among others, to assess risk, develop policies and procedures, and perform independent tests and gap analyses. Our support can incorporate our ComplianceAlpha® AML KYC/CIP solution and managed services to help your firm meet its data screening, ongoing monitoring, remediation and reporting needs.

Reach out to your ACA consultant, or contact us to find out how ACA can help you meet your AML and portfolio company oversight requirements.
