Trust Trustwave but Verify

With very little fanfare, Trustwave, the market leader in cybersecurity in North America, announced last month that they had signed a letter of intent to be acquired by Singtel, Southeast Asia’s largest telecommunication firm.  The absence of concerns voiced in public forums suggests either confidence or apathy on the purchase of the largest cybersecurity firm in the U.S. by a foreign company.  It would appear that the general American public as well as the Federal Government are willing to let this deal pass quietly into completion.

Trustwave is a great American success story.  Established in 1995 in Chicago – it now has over three million customers.  One is hard pressed to find a large bank operating within the U.S. which does not use Trustwave; many of them exclusively.  Even the Secret Service has a long standing relationship with Trustwave.  One can only admire how Trustwave has worked hard to become the predominant and most powerful cybersecurity company in the U.S.

In the current environment, data security breaches are rampant from the White House to our favorite neighborhood restaurant.  This raises the question of whether the sale of a company to a foreign national institution that is so vital to national security is too great a risk.

Singtel and Trustwave have said all the right things to assuage fears.  They affirm they will keep Trustwave independent within the U. S. and maintain “Chinese walls” around sensitive security information.  There is no reason to suggest that there is any insidious intent on the part of Singtel.  Neither is there evidence to suggest that its domicile government intends to improperly use the treasure trove of sensitive information on U. S. companies and institutions that Trustwave has in its possession.  However, it would be prudent for the U.S. government regulators to properly examine Singtel’s prospective purchase of Trustwave and provide guidance on how the company should adhere to specific restrictions to safeguard the sensitive security data it maintains on U.S. companies.

The Committee on Foreign Investment in the United States (CFIUS) was established by executive order in 1975 with the purpose of overseeing national security implications of foreign investors.  The National Security Act of 2007, which is administered by CFIUS has provided the Federal Government with increased opportunities to review acquisitions and mergers of U.S. companies by foreign interests and, when appropriate, block or enforce stipulations (i.e. ongoing monitoring) on such acquisitions for national security reasons.

CFIUS and Congressional oversight can be triggered upon two kinds of acquisitions; 1) Those that may result in a foreign government or an entity controlled by a foreign government taking control of a U.S. company or 2) acquisitions that could result in the control of any critical infrastructure in the United States.  On the surface, it would certainly appear as if the Singtel acquisition of Trustwave falls under the purview of the National Security Act and the jurisdiction of CFIUS.

There is a clear precedent for government intervention resulting in either halting or imposing necessary restrictions on a corporate acquisition when national security is at stake.

In 2005 a Chinese State owned oil and gas company, CNOOC, made an offer to purchase Unocal Corporation.   The U.S. House of Representatives voted for the President to review the transaction at which point CNOOC backed out of the deal in an effort to sooth tensions.

In 2006 Dubai Ports World attempted to acquire terminal operator P&O which managed ports in New York and New Jersey.   Congress opposed the deal, although CFIUS and President George W. Bush had approved it.  This resulted in Dubai Ports World letting the sale of P&O’s U.S. operations go to American International Group, Inc (AIG).

More recently, in 2012 President Obama, acting in the interest of national security, ordered the Ralls Corporation (owned by Chinese company Sany Group) to divest four wind farms in Boardman, Oregon due to the fact that they were located near a U.S. weapon systems training base.

Hopefully, CFIUS will perform its intended purpose and better ensure that America’s ability to defend against cyber attacks will not be compromised by Singtel’s acquisition of Trustwave.

Charles Hoff is CEO of PCI University whose platform helps small business owners understand PCI in plain English.