National Security Services

With some states and the federal government’s increased and expanded scrutiny of transactions involving foreign entities and investors, making sure you are well prepared to address national security concerns is key. We can assist organizations to understand their national security risk through the identification of key risk areas and to develop appropriate mitigation measures. For those entities subject to CFIUS and Team Telecom mitigation agreements, we serve as fair and unbiased third-party auditors and monitors. Our team of experts has evaluated compliance with National Security Agreements and Letters of Assurance, developed remediation plans to address deficiencies, and reported findings to both the transaction parties and the government. We maintain excellent working relationships with CFIUS Monitoring Agencies (“CMAs”) which can be helpful in the often-stressful environment of audits and monitorships. Our credibility with the government and reputation as fair but firm monitors and auditors provides confidence to ensure cost effective compliance.

Our team is fully equipped to evaluate compliance with CFIUS mitigation measures, such as:

• Providing guidelines for handling and protecting U.S. government, customer, and other sensitive information
• Reviewing and conducting assessments against cybersecurity standards and  frameworks  to reduce the risk to business information, sensitive data, and proprietary information
• Conducting reviews of third-party vendors and contracts to ensure they comply with the requirements of mitigation plans
• Assessing supply chains to determine if national security risks exist and the identification of potential risky vendors
• Reviewing and tracking of mandated employee, vendor and contractor cybersecurity and compliance training required under specific plans
• Developing and assessing relevant control plans such as a Visitor Access Plans, Technology Control Plans, Electronic Communications Plans, and others, as needed
• Providing documentation and independent assessment of compliance to the CMAs as required
• Assisting in balancing ongoing business activity during implementation of a mitigation plan

Relevant Experience:

• Guidepost served as the multi-year CFIUS monitor for a foreign owned data analytics company collecting US person information. In the role as monitor, Guidepost worked with both the Transaction Parties, their outside counsel, and the CMA (Department of Justice) to review internal controls around data privacy, information and physical security, personnel, training, and compliance reporting.
• Guidepost served as a CFIUS monitor for a US based robotics company with a significant foreign investor. This engagement involved multi-year oversight of the company’s systems, its protection efforts around its sensitive intellectual property, its physical security, and personnel security. As monitor, we worked collaboratively with the US based entity and its outside counsel ensuring consistent and transparent communication with the CMA (DOD).
• Guidepost served as the independent, third-party auditor for a domestic telecommunications company acquired by a foreign conglomerate and subject to a National Security Agreement with Team Telecom. This engagement evaluates policies and procedures, physical and cyber-security controls and overall compliance with provisions required to protect U.S. national security and law enforcement interests.
• Guidepost served as third-party auditor for a UK based biotechnology firm bought by a foreign investor. Guidepost’s role was to determine and validate that specific intellectual property acquired by the UK firm was no longer in its possession or available to foreign investors.

Guidepost currently serves as the CFIUS Third-Party Monitor for a technology company that manufactures advanced products critical for government, military, and aerospace applications. This ongoing engagement evaluates the client’s compliance with the terms and conditions of a National Security Agreement as they relate to governance, marketing and sales activities, export controls, network security and reporting.

Guidepost served as the CFIUS third-party auditor for a consulting and contract Clinical Research Organization (“CRO”). Guidepost completed an audit of the company’s representation to the CFIUS monitoring agencies that it did not possess certain types of sensitive genetic sequencing data that the company agreed it would not maintain pursuant to their National Security Agreement. Guidepost evaluated, verified, and validated the search methodologies the company employed, the employee compliance training program and the company’s entire business process.

In each of the above related experiences, Guidepost developed and maintained excellent professional relationships with both clients and the CMAs. Our efforts were regularly documented and provided to the CMAs as validation.

Complying with economic sanctions and export controls requires continued vigilance. Just in the past several years, there have been several major changes to sanctions regulations. With our National Security services, we can ensure you are prepared. We develop compliance plans and perform critical monitoring of anti-money laundering (AML) and the U.S. economic sanctions programs by reviewing benchmarking and operationalizing compliance programs to meet US Treasury Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Asset Control (OFAC) expectations.

We also assist with trade compliance matters, including compliance with the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).

Relevant Experience

• Guidepost was engaged to conduct an independent audit of the OFAC sanctions compliance program of a large international European bank pursuant to a settlement agreement with the U.S. Federal Reserve System. The team reviewed the Bank’s risk assessment, OFAC sanctions policies and procedures and the implementation and execution of those policies. The review also included testing of USD payments, including transaction processing and trade finance activities. The team tested the sanctions screening capabilities and control environment. The team also reviewed historic stopped payments and the alert assessment process as used by the bank to clear alerts.

• Pursuant to an appointment by the NYS DFS, Guidepost worked under an Independent Consultant to monitor and address the Bank’s AML and sanctions regulations compliance. The team reviewed the Bank’s sanctions and anti-money laundering programs, procedures, and software programs; provided recommendations for software improvements and procedures; and improved OFAC filter rates as well as identified potential money-laundering issues. Additionally, we supported the Consultant in overseeing NYS DFS’s suspension of U.S. dollar clearing. We conducted on-site compliance reviews in more than 12 countries, reviewing policies and procedures relating to money laundering policies and procedures.

We treat cyber threat mitigation with a holistic and top-level planning approach through our comprehensive threat, risk, and vulnerability management services to protect against a full spectrum of cybersecurity, physical security, and privacy compliance issues. These innovative capabilities are specifically designed to improve cyber defense capabilities and prevent or remediate any incidents when they occur.

Cybersecurity and privacy go hand in hand. As a result, our team works collaboratively to ensure both areas are considered and addressed in tandem.

Post-Breach Remediation

Guidepost is currently assisting a domestic telecommunications carrier with its recovery and remediation efforts following a simultaneous state-sponsored data breach and ransomware attack. Services include providing overall cybersecurity guidance to IT staff for system recovery and hardening, incident response and analysis, network re-architecture, system redesign and implementation, evaluating network and dataflow diagrams and creating system standards and configurations. Guidepost is assisting the client by evaluating and helping to implement comprehensive endpoint protection for workstations, laptops and servers, mobile device management, network protection (e.g., firewalls, IDS/IPS), identity management/directory services, anti-malware, and patch management solutions.

Comprehensive Security/Privacy Evaluation 

At the behest of its largest client, an outsourced processor of e-commerce orders retained Guidepost to conduct a comprehensive privacy and cybersecurity assessment of its global operations. Guidepost evaluated and improved the client’s governance structure, policies and procedures, employee training, and technology controls to address GDPR and CCPA privacy objectives, industry best practices for cybersecurity, and Payment Card Industry (PCI) compliance.

FTC Independent Privacy Compliance Review

Subject to an FTC Order, a global provider of one of the most widely used healthcare apps selected Guidepost to conduct an independent, third-party Compliance Review of its data privacy practices. After receiving FTC approval to serve in this capacity, Guidepost conducted a comprehensive evaluation to  determine whether the company maintained compliance with certain core privacy principles; whether the company’s privacy practices were consistent with its privacy policy;  whether the company adequately informed individuals about the mechanisms through which they may pursue complaints regarding the company’s privacy practices; and whether there were any gaps or weaknesses in the privacy practices assessed. As part of the Compliance Review, Guidepost identified specific evidence (including, but not limited to, documents reviewed, sampling and technical testing performed, and interviews conducted) examined to make such determinations and identifications and explained why the evidence examined was sufficient to justify the findings.