
NCSC warns US startups and investors about foreign bad actors with money to spend | StoneTurn

Beware of wolves in sheep’s clothing who have money to invest

Last week, the National Counterintelligence and Security Center (“NCSC”), the Office of Economic Security and Emerging Technologies (“OESET”), and other coordinating government agencies issued a warning to U.S. venture capital firms, private equity firms, and technology startups about efforts by foreign threat actors to gain access to intellectual property and proprietary data of U.S. companies (“Sensitive Data”) through foreign private investments. It is unclear what specifically prompted the issuance of the warning, but the warning was posted on the website of the Director of National Intelligence as part of his Protecting our future initiative that “provides brief overviews of specific threats posed by foreign intelligence.” These foreign investments, the agencies say, are used to exploit American start-ups and their investors, while putting U.S. economic and national security interests at risk.

Foreign Threat Actors' Methodologies

The agencies warn that foreign threat actors are actively attempting to circumvent detection by the Committee on Foreign Investment in the United States (“CFIUS”) by masking the nature and intent of their investments, as well as their true intentions: stealing company know-how and confidential data in emerging technologies. There are several ways that foreign threat actors acting as investors attempt to conceal their investments, including:

  • Investing directly through entities with complex ownership structures, shell companies or companies based outside the country in locations known for their lack of transparency;
  • Channeling their investments through intermediaries or front persons in the United States or other countries that do not raise national security concerns; or
  • Using complex investment structures, including minority and limited partnerships, to complicate investigations into the sources of financing.

Other methodologies used by foreign threat actors to exploit U.S. companies are more nefarious. For example, these foreign investors may try to secure access to confidential or proprietary intellectual property before investing, typically during the due diligence process, and then walk away after receiving the information. Additionally, some Chinese venture capital firms try to engage employees of U.S. startups directly, offering to pay them to steal sensitive information and pass it to China.

Protection against bad actors

Based on decades of experience helping organizations address insider risk, there are several proactive steps that U.S. companies and their domestic investors should take to protect themselves from foreign bad actors seeking to infringe on their intellectual property. First and foremost, before engaging with potential investors, companies should take steps to identify, catalog, and protect their most important confidential information. Such steps include ensuring:

  • Sensitive Data is identified and marked as “Confidential”, “Proprietary” and/or “Trade Secret”, as applicable, to ensure that Sensitive Data is identifiable to those requiring access to it;
  • Confidential Data is protected in the workplace by appropriate physical and electronic safeguards, and areas containing Confidential Data are subject to appropriate restrictions;
  • Employees and third parties requiring access to Confidential Data are trained on the importance of maintaining its confidentiality and the steps to take to safeguard that information;
  • Employees and third parties who have access to Confidential Data are bound by legal agreements, including nondisclosure agreements, employment agreements, due diligence documentation and other agreements, as applicable, that recognize the confidential, sensitive nature and importance of the Confidential Data to the Company; and
  • An auditable process exists for sharing Confidential Data as part of a robust insider risk protection strategy.

U.S. companies and domestic private equity and venture capital investors considering raising investment capital should carefully evaluate potential foreign investors, conducting due diligence to:

  • Independently confirm the credibility of foreign investors, including their ownership and anticipated source of financing;
  • Confirm that investors are not subject to any U.S. regulatory restrictions, including sanctions or other restrictions;
  • Ensure that data privacy laws and other local regulations applicable to foreign investors allow for the confidentiality of company information and are not subject to the jurisdiction of the host country government; and
  • Identify other investments made by foreign investors and whether they are investing in companies doing similar business in their home country – this is a potential indicator that their intentions may not be entirely honest.

There is no such thing as “too much diligence” when considering attracting foreign investment, especially from countries that are competing with the United States for leadership in key emerging technologies and resources.

What lies ahead

Foreign actors will continue to try to exploit vulnerabilities to gain access to U.S. intellectual property and compete with U.S. companies that have their own technologies. Enterprises and startups, private equity and venture capitalists must remain vigilant against foreign investors who bring gifts with undisclosed ulterior motives. The government will continue to respond, as it has done through legislation such as the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which among other things expanded the scope of covered transactions under the commission, and through executive orders, including:

  • Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain);
  • Executive Order 14034 of June 9, 2021 (Protecting Americans’ Sensitive Data from Foreign Adversaries);
  • Executive Order 14083 of September 15, 2022 (Ensuring CFIUS’s Accurate Consideration of Evolving National Security Threats); and
  • Executive Order of February 28, 2024 (Preventing Access to Bulk Sensitive Personal Information of Americans and U.S. Government Data by Countries of Concern).

Even so, executives must remain vigilant about the continuing threat from foreign bad actors working in the shadows.