How Private Equity Can Respond to Foreign Investment Risks
In light of recent warnings on the risks of foreign investments, PE and VC firms must remain vigilant and proactive in safeguarding the sensitive information of their portfolio companies
While financial services firms are spending more time addressing emerging information security threats and working to meet evolving regulatory expectations (e.g., the SEC’s recent amendments to Regulation S-P or the Digital Operational Resilience Act in the EU), firms in the private equity (PE) and venture capital (VC) space have been alerted to yet another threat that they will need to monitor.
In July, the United States National Counterintelligence and Security Center (NCSC) issued a bulletin cautioning that foreign threat actors might exploit private investments to infiltrate technology firms that are in the process of attracting new investors, using this opportunity to gain access to and steal critical intellectual property and company secrets.
The bulletin notes that these attacks have already occurred, and that they pose a significant risk to the economic health of these technology firms and their investing firms, as well as to national security.
The NCSC’s Warning
The NCSC’s bulletin outlines how foreign PE and VC investments, especially investments from Chinese firms, pose a unique risk to firms working to develop emerging technologies, like AI, that align with the broader strategic initiatives of foreign governments. This investment can allow a malicious foreign PE or VC firm to access U.S. firms’ intellectual property and data as they move through the early stages of the investment process, ostensibly performing the necessary diligence on the technology firm. This intellectual property can then be provided back to the foreign government to advance its own strategic capabilities.
In particular, the bulletin provides examples of U.S., U.K. and E.U. firms that had received investment offers from Chinese VC firms, which were withdrawn once the firm received access to their proprietary technology.
Additionally, foreign threat actors may work to gain access to the sensitive information of firms looking to obtain private investments through a few different approaches, including:
- Working to bypass scrutiny from the Committee on Foreign Investment in the United States (CFIUS) through complex investment structures.
- Channeling investments through U.S. or international intermediaries to mask the true source of the funding.
- Offering minority or limited partnerships to gain access to sensitive information.
- Seeking access to sensitive data under the pretext of conducting due diligence.
These concerns have escalated following the U.S. Department of Defense’s identification of IDG Capital, a Chinese VC firm, as a “Chinese Military Company.” IDG Capital holds investments in over 1,600 companies, including several based in the U.S. Additionally, the U.S. Department of the Treasury has cautioned that private fund advisers may unknowingly facilitate money laundering when forming funds with foreign investments, especially if the source of the funds is not thoroughly vetted.
The Role of PE and VC Firms in Limiting This Risk
While this foreign investment risk will have the most significant impact on the firms looking to gain new investments, PE and VC firms have a duty to provide oversight of the companies in their portfolio and should take an active role in helping the firms in their portfolio address this risk.
This includes:
Raising Awareness of the Information Security Risks. The NCSC’s bulletin provides an opportunity for PE and VC firms to connect with the leadership teams at their portfolio companies to discuss and evaluate how the firms are protecting their trade secrets, critical technology and sensitive information. PE and VC firms can flag this foreign investment risk, demonstrating the potential costs to the portfolio company’s profitability, trade secrets and ability to maintain government contracts, and providing them with red flags to be aware of when foreign investment firms begin to make investment offers. But more importantly, the PE or VC firm can provide guidance on best practices for the portfolio company’s information security programs to help these programs protect their sensitive information from a wide range of potential cyberattacks.
Managing the Risk of Limited/Minority Partnerships. The NCSC bulletin should serve as a reminder to PE and VC firms about the potential risks of limited partner/minority investments. As the bulletin notes, new limited and minority investments are a common tactic foreign threat actors are using to gain access to sensitive or proprietary information from portfolio companies, and PE and VC firms need to make sure that there are proper protections in place at their portfolio companies to protect their investments. This can include: guiding the portfolio company on what limitations should be placed on data and information that is provided prior to investment; supporting rigorous due diligence on firms offering limited or minority partnerships; and providing the portfolio company with the resources and support necessary to monitor the security of their sensitive data and intellectual property.
Performing Proper Diligence when Entering and Exiting Investments. PE and VC firms should be mindful of the risks outlined by the NCSC before entering or exiting their investments in a portfolio company. While it certainly won’t be the only factor that determines the valuation of a technology company, PE and VC firms will be interested in understanding if the portfolio company’s proprietary information has been adequately protected and remains unique to the firm. PE and VC firms should be sure to confirm that the portfolio company’s intellectual property has been appropriately protected prior to investment.
Establishing a Programmatic Approach to Information Security Oversight. One of the most important steps a PE or VC firm can take in response to the NCSC’s bulletin is to make sure it is taking an active role in the oversight of the cyber and information security programs across its portfolio. This includes establishing a formal program to assess, monitor, and improve the cyber and information security programs across the portfolio, as well as ensuring that the portfolio companies have the appropriate resources and capabilities to maintain proper controls and best practices in cyber and information security. This programmatic approach will help minimize the risk of companies within the portfolio losing control of their sensitive information, whether that is to malicious foreign investors or to a more standard cyberattack.
In light of the NCSC’s recent warning on the risks of foreign investments, PE and VC firms must remain vigilant and proactive in safeguarding the sensitive information of their portfolio companies. With foreign threat actors increasingly targeting private investments in an effort to access critical technology and intellectual property, the risks posed to both the firms and broader national security can be significant. By raising awareness about this risk, addressing issues associated with minority and limited partnerships, conducting thorough due diligence, and taking a programmatic approach to information security oversight programs, PE and VC firms can better protect their investments and maintain the profitability of the portfolio companies.
Aaron Pinnick is Senior Manager of Thought Leadership, ACA Aponix
Middle Market Growth is produced by the Association for Corporate Growth. To learn more about the organization and how to become a member, visit www.acg.org.