Chinese cybersecurity investment in the U.S.: Is now the best time?

February 25, 2016 | By Katherine Jo

Global cybersecurity concerns have led companies to invest heavily in data protection technology. Chinese investors looking to enter this market in the U.S. need to be wary of its trade secrets laws and CFIUS investigations, and should monitor the pending U.S.-China BIT.

The rise of cyber-attacks targeting U.S. companies has led to tightened government regulation and increased investment in data privacy. In fact, worldwide spending on cybersecurity technology reached a record $77 billion in 2015, 80% of it by U.S. companies. The Defend Trade Secrets Act (DTSA) of 2015, currently pending before the U.S. Congress, may, if enacted, further boost cybersecurity spending by requiring rights owners to take “reasonable measures to keep such information secret” in order to enjoy federal protection of their trade secrets. Chinese investors, however, have additional timing and regulatory factors to consider before rushing into this seemingly lucrative market. These include a potentially heightened review by the Committee on Foreign Investment in the United States (CFIUS) – total investments from China have topped those of every other country for the past three years – and the pending bilateral investment treaty (BIT) between the two nations.

Chinese investment in cybersecurity

Chinese investors have been active in the U.S., spending a total of $6.4 billion in the first half of 2015 alone. Several of these deals involve U.S. cybersecurity firms. For example, Baidu entered into a joint venture with CloudFlare, and state-owned Tsinghua Holdings plans to buy a 15% stake in the American data storage company Western Digital. Foreign investment in U.S. cybersecurity, however, is subject to strengthened laws and guidelines because it is presumed to fall under “critical infrastructure” and/or to raise “national security concerns.”

The “critical infrastructure” classification came through the Organisation for Economic Co-operation and Development (OECD), to which the U.S. is a signatory. Notably, the OECD has a non-binding commitment, under its Guidelines for Multinational Enterprises, to treat foreign-controlled firms no less favorably than domestic enterprises. In reviewing the role of investment policies in protecting national security, a paper released by the organization in 2008 categorized cybersecurity under “critical infrastructure,” and the field was thus expressly excluded from the scope of this commitment. The Department of Homeland Security similarly defined critical infrastructure to cover cybersecurity, reaffirming the central role of data protection technology in safeguarding critical infrastructure industries from foreign espionage.

An inbound transaction may trigger a CFIUS review if it raises “national security concerns” or has an impact on “critical infrastructure.” For example, U.S. President Barack Obama blocked a Chinese company from building wind turbines near an Oregon Navy military facility in September 2012, the first time a president has blocked a foreign investor over national security concerns in 22 years. A month later, the U.S. Congress released a report alleging that China's two largest telecom equipment manufacturers, Huawei Technologies and ZTE, are a security threat and should be blocked from acquiring American companies. Similar security concerns caused Huawei to abandon a bid to buy 3Com in 2008. In exercising his right to issue a blocking order, President Obama referred to the recommendation and investigation made by CFIUS.

Cyber-attacks and regulations

Cybersecurity is generally defined in terms of whether and how electronic data and systems are protected from attack, loss or other compromise. In the U.S., cyber-attacks have been increasing in frequency, scale and sophistication. A 2014 McAfee study estimates the worldwide annual economic cost of cybercrime at between $375 billion and $575 billion. The costs of defending against cybercrime, including intrusion detection, data recovery and remediation, have also risen steeply. For example, a 2014 Ponemon Institute survey of 59 U.S. firms found that average annual expenditures for responding to cyber-attacks amounted to $12.7 million, up 96% over the previous five years.

In addition to the direct costs of cybercrime defense, U.S. companies also face heavy civil liabilities imposed by a myriad of cybersecurity laws, which together form a complex network of over 50 federal statutes and multiple rulings from the Federal Trade Commission (FTC). The 2013 data breach at Target Inc. (the “big box” store chain) spawned numerous class action suits filed by private citizens, resulting in millions of dollars in settlements. Seven of those civil suits against Target were filed on the very day the company disclosed the breach. The FTC has also taken action against companies that fail to provide reasonable cybersecurity measures. For example, the FTC brought suit against Wyndham Worldwide Corp. (a hotel chain) under Section 5 of the FTC Act over three data breaches between 2008 and 2010 in which hackers allegedly stole more than 619,000 credit and debit card numbers. The FTC alleged that Wyndham had inadequately protected consumer data by using outdated software that could not receive security updates. The settlement reached last year requires Wyndham to implement and maintain a comprehensive, prescribed information security program designed to protect the security of customer payment-card information.

Extensive data breaches have also cost senior executives their jobs, leading some to conclude that “there's no job security when your job is security.” Following the Target breach, CIO Beth Jacob, who had overseen Target's website and internal computer systems since 2008, resigned in March 2014, and CEO Gregg Steinhafel resigned in early May of the same year. Since then, there have been at least nine instances in which high-profile data breaches resulted in job losses. However, the Ponemon Report suggests that the real culprit could be the inability of some executives to fully comprehend the impact of breaches and their direct and destructive connection to a company's revenue, profit, brand and reputation.

The amount of media attention devoted to cybercrime has pushed companies to substantially increase their cybersecurity investments. In the words of one Chief Information Security Officer whose budget has nearly doubled, “Honestly, I have not seen a case where I asked for money and it's been turned down. It's a unique time in the field because of the hype.” Tellingly, the cybersecurity budget for U.S. companies expanded from 2013 to 2015 in all private sectors, including finance, retail and healthcare, according to a study conducted by the Darwin Deason Institute.

Trade secret protection

U.S. cybersecurity demand is surging further because of rising interest in trade secrets protection, evidenced by, for example, the proposed federal DTSA. Trade secrets, compared with other common forms of intellectual property (such as patents, copyrights and trademarks), are unique in that they cease to exist once made public, no matter who is at fault. This particular vulnerability is compounded by the fact that trade secrets are currently protected only by U.S. state laws at the civil level, with a single criminal statute at the federal level. This contrasts sharply with traditional IP, where copious federal laws and an entire agency are dedicated to protection and enforcement.

The recently proposed DTSA (S. 1890, H.R. 3326) will federalize and hopefully strengthen trade secrets rights by: (1) authorizing private civil actions in federal court for trade secret misappropriation; (2) allowing for both injunction and damages in remedies; (3) allowing for up to treble damages for willful misappropriation; and (4) permitting the court to order ex parte seizure of property “necessary to prevent the propagation or dissemination of trade secrets.”

To enjoy the wider protection of the DTSA, however, rights owners must show that their information is a trade secret. This would require the owner to prove that it has taken “reasonable measures to keep such information secret,” similar to the requirements for trade secrets under state laws. While what is “reasonable” under the circumstances varies across industries, courts will typically consider the sophistication of the owner's cybersecurity measures and technologies in guarding any electronically stored data when determining whether a trade secret exists. Companies hoping to take advantage of the proposed DTSA will have to make sure that their data protection technology is up to industry and regulatory standards. Not only would this spell an additional boost for the already booming cybersecurity technology sector, it would also make partnering with, or investing in, such startups more attractive.

CFIUS review process

CFIUS, chaired by the Secretary of the Treasury and composed of representatives from nine federal agencies, including the Departments of Defense, State and Homeland Security, has authority to review almost any foreign investment in the U.S. that may have an impact on national security or critical infrastructure. Parties to a foreign investment deal are not required to petition CFIUS for a review. However, if CFIUS subsequently determines that the transaction raises national security concerns, it can order the transaction rescinded, a decision not subject to review by a U.S. court. To avoid the potential catastrophe of rescission, parties may initiate a voluntary review, which allows CFIUS to issue a “no action” decision that protects the parties going forward.

During the review, CFIUS will, within a 30-day period, analyze the transaction and determine whether it is a “covered transaction,” i.e., any merger, acquisition or takeover that results in foreign control of any person engaged in interstate commerce in the U.S., and, if so, whether it implicates a national security issue. Some transactions may trigger a second, 45-day investigation. Ultimately, the investigation may result in a mitigation agreement between CFIUS and the parties or, sometimes, an adverse recommendation to the President, who then has 15 days to reach a decision.

Between 2009 and 2011, CFIUS reviewed approximately 10% of all transactions in which foreign firms were acquiring U.S. firms. Nearly 90% of those transactions were ultimately completed. Most of the aborted transactions received a negative CFIUS recommendation but not a formal block from the President; the rest were cases in which the foreign firms pre-emptively withdrew their notices before receiving a negative CFIUS response or a formal ban.

While a Chinese cybersecurity investment deal is likely to trigger a CFIUS review, the upcoming bilateral investment treaty (BIT) currently being negotiated between the two countries may improve the outlook.

U.S.-China bilateral investment treaty

A BIT is a government-to-government agreement that establishes binding rules to facilitate investments between the U.S. and another nation. While it is uncertain exactly when the U.S. and China will finalize their pending BIT, the U.S.-China Business Council's board of directors recently expressed that the swift completion of the BIT is a priority for 2016.

The U.S. adopts a “negative list” approach (which China has also been broadly implementing), in which the terms of a BIT apply to all sectors except those expressly listed as exclusions. This means that investments by foreign entities are treated the same as investments by domestic companies, except in the few sectors specifically excluded from the terms of the treaty. While the U.S. and China are still finalizing their respective lists, the two most recent U.S. BITs, with Uruguay (2005) and Rwanda (2008), include the same list of exceptions covering nation-regulated sectors such as banking, federal loans and nuclear energy, but do not list cybersecurity technologies. If the U.S.-China BIT likewise leaves cybersecurity off the negative lists, Chinese firms could be treated equally with U.S. domestic firms in deals, and their investments may not trigger a CFIUS review, including investments in cybersecurity startups that do not focus on serving industries on the negative list. That said, the landscape between the U.S. and China in the area of trade secrets protection and cybersecurity has changed remarkably since 2008, which could call for a different negative list than the traditional U.S. list. It remains advisable for Chinese companies to wait until after the BIT is in effect to better gauge the desirability of investing in U.S. cybersecurity startups.

Follow cybersecurity developments… closely

The U.S. cybersecurity industry is expected to grow dramatically over the coming years as companies become progressively more reliant on cybersecurity software to maintain statutory compliance and to protect their data and IP assets. While any large Chinese investment in cybersecurity is currently likely to trigger heightened CFIUS investigation, the upcoming U.S.-China BIT might eliminate the strict scrutiny of Chinese investments. Chinese firms should closely monitor this progress in order to seize opportunities to invest in cybersecurity startups in the U.S.

Xiaoyan Zhang, Mayer Brown JSM, Hong Kong, and Diyang Liu, Mayer Brown LLP, New York
