July 25, 2024

Podcast - Navigating M&A Due Diligence: Safeguarding Security Clearances

Are We All Clear? Facilitating Security Clearances

In the ninth episode of "Are We All Clear? Facilitating Security Clearances," host Molly O'Casey and International Trade attorney Antonia Tzinova delve into the critical aspects of due diligence for facility and personnel clearances in mergers and acquisitions (M&A) transactions. Drawing from her extensive experience, Ms. Tzinova guides listeners through the complexities of the National Industrial Security Program Operating Manual (NISPOM) and its impact on cleared facilities and personnel.

Key topics covered include:

  • the importance of timely notifications to the Defense Counterintelligence and Security Agency (DCSA) during ownership changes
  • considerations for mitigating foreign ownership, control or influence (FOCI) in M&A deals
  • essential steps for sellers in preparing for due diligence
  • potential compliance violations and mitigation strategies

Listen to more episodes of Are We All Clear? here.

Molly O'Casey: Welcome to the ninth episode of "Are We All Clear?" the Podcast on facilitating security clearances. I'm your host, Molly O'Casey, an international trade associate with Holland & Knight's Washington, D.C., office. Today's episode will discuss due diligence on facility and personnel clearance compliance in the context of M&A transactions. Today's speaker is Antonia Tzinova. Antonia is a partner with the International Trade Group in our D.C. office. Antonia leads Holland & Knight's CFIUS and Industrial Security Team, as well as the Committee on Foreign Investment in the U.S. Welcome back to the podcast, Antonia.

Antonia Tzinova: Thank you, Molly. Good to be here. Thank you for having me again.

Molly O'Casey: Of course. As a starting point, can you tell us a little bit about due diligence in an M&A or mergers and acquisitions context, like when does due diligence occur in the M&A deal and what are the implications?

Antonia Tzinova: Sure. In any M&A transaction — and just for the uninitiated, M&A stands for mergers and acquisitions  — anytime an M&A transaction takes place, the buyer would conduct considerable due diligence on the target company just to make sure that they don't buy trouble. There are different regulatory regimes that are being reviewed but also existing contracts. The overall goal is to make sure that the company is not in violation of its obligations under various laws and regulations, and also doesn't have outstanding obligations, issues that may unfold after the purchase is concluded and will at that point be a problem for the buyer. So in a typical M&A transaction, you would have due diligence performed early on, and then to the extent issues are disclosed, the parties would try to address and accommodate so that everybody leaves happy and with better awareness of what they’re dealing with.

Molly O’Casey: Sounds like a pretty involved process. Within that, what are the implications of facility security clearances and personnel security clearances for M&A due diligence?

Antonia Tzinova: So we've been talking about facility clearances and personnel clearances for a while on this show. And you know that these come in the context of a company that is cleared. When a, that target company in an M&A transaction is a company that performs unclassified contracts, the buyer would conduct due diligence to confirm that the cleared company has conducted its business and complies with laws. The overarching regulatory regime here is set up in the National Industrial Security Program Operating Manual, the NISPOM, which establishes the requirements and obligations for a cleared company and its cleared personnel. So, during M&A due diligence, we would just be looking at how the company has complied with its NISPOM requirements.

Molly O'Casey: Right. And then the NISPOM is the manual published by the Department of Defense that generally outlines the industrial security program intended to protect classified information.

Antonia Tzinova: That's right.

Molly O'Casey: Could you outline the considerations for this type of due diligence in an M&A deal?

Antonia Tzinova: Sure. And so just at the start, I mean, each party in the M&A transaction has its own interest in this process. From the perspective of the buyer, it is important to know that it is not taking on liability for past violations of the target company, and that the company would be able to continue to perform on classified contracts post-closing. From the perspective of the seller, it is important to understand the nature of the buyer. And from the perspective of the seller and the company, I would say because it's the company who is regulated and they need to report their certain conditions to DCSA. So it's important to understand the nature of the buyer and whether the buyer is cleared or not, whether there is any foreign ownership involved that needs to be mitigated prior to closing, so that when closing occurs, the cleared company can continue performing on its classified contracts without interruption for the sale itself, even though you know post-closing they're out of the picture. In some transactions, there may be an earnout payment negotiated that is based on certain business targets that the company can achieve post-closing, and it's important for the company to be able to continue performing on classified contracts in order to meet those business targets. And so the seller also has an interest in how due diligence unfolds, and that everybody performs and meets their obligations so that we have a successful transaction. One thing to keep in mind is as due diligence, we understand what's the nature of the parties involved and what type of pre- and post-closing notifications will be required to DCSA. And so due diligence helps us determine how to go about that.

Molly O'Casey: Right. So it's kind of at the due diligence stage where you identify if either the buyer or the seller has an issue that's going to prevent the deal from going forward.

Antonia Tzinova: That's right. Yeah. Or, you know, if issues are identified, how do we address them to everyone's satisfaction.

Molly O'Casey: Right. You mentioned pre- and post-closing notifications. Can you expand on that, on the types of notifications required?

Antonia Tzinova: Sure. So every cleared contractor needs to keep DCSA informed of any material changes to its ownership. That's key. And then NISPOM doesn't necessarily prescribe the reporting period when this needs to happen, but when ownership changes the cleared company needs to notify DCSA. So we have taken it as a rule, to provide a courtesy notice to DCSA pre-closing and then follow up with a full changed condition package post-closing. I believe that you have discussed that topic on a prior episode where we, you know, notified DCSA of, provided full detail on the new ownership officers and directors, etc. in a purely domestic transaction. This pre-closing courtesy notification happens relatively close to closing, and then the full notice of the material change takes place post-closing. In the case of a foreign ownership on the side of the buyer introducing foreign ownership into the cleared company, we work with DCSA ahead of closing, and there is a pre-closing notification and that not only notifies DCSA of the type of foreign ownership introduced — whether it's passive or active, how it comes through — but also addresses the type of appropriate mitigation. So this is the one that would approve on the appropriate FOCI mitigation, and FOCI stands for foreign ownership, control or influence. And depending on the type of foreign ownership, we have different mitigation measures. It could be simple exclusionary resolutions of the board of the parties to the transaction, but it could be something more strenuous, like a special security agreement or proxy agreement. And the key is kind of the most stringent form of mitigation, though, depends on the circumstances, the level of clearance and the type of foreign ownership.

Molly O'Casey: Got it. So just because the deal is closed doesn't mean you're off the hook.

Antonia Tzinova: Oh, no. I mean, like the due diligence help you to get informed of what follows. But post-closing, you have quite a lot of work to do.

Molly O'Casey: Good to know. How do you approach due diligence for FCLs and PCLs?

Antonia Tzinova: Well, I mean, you and I have worked in a number of transactions. So, so, you know, how we, we do it? We start with a few basic questions. Does the target company have a facility clearance is the first one, right? I mean, do we need to even raise the issue? If yes, at what level? Is the facility clearance possessory or non-possessory? Meaning whether the company can have or store classified information at its own facility on the buyer side. Does the buyer itself have a facility clearance? Is the buyer U.S. owned? Is there any foreign ownership in the chain of ownership of the buyer? And that goes all the way up to the ultimate parent company so that we consider what are the appropriate notifications that need to be made to DCSA. And then we take it from there, that basic initial inquiry into the business, target company and the buyer informs us of what additional questions to ask about the company's classified contracts, the buyer's organizational structure, compliance issues, etc.

Molly O'Casey: Right. And like you said, having foreign ownership tends to have implications for the level of security clearance available. It doesn't necessarily preclude obtaining the security clearance, but you have more work to do on mitigation and notifying the government.

Antonia Tzinova: That is right. I mean, the U.S. is a very open environment in foreign investment. And I don't know if there is another country around the world that would allow foreign ownership in cleared contractors, but that comes with strings attached. And so if foreign ownership is identified, it has to be mitigated. And so as I mentioned, there are different forms of mitigation. Some of them are pretty stringent.

Molly O'Casey: And if I'm a buyer looking to purchase a company, what do I need to be thinking about when conducting the M&A due diligence?

Antonia Tzinova: Right. So regardless of whether the buyer's foreign or domestic, it is important as a, is a first audit to confirm that all paperwork of the cleared company is in order, that the company has implemented compliance policies and procedures and follow through, that they have conducted appropriate training. It is also important that the company has worked with DCSA to address any vulnerabilities that DCSA may have identified during regular audits. If violations are discovered as part of due diligence, it is important to consider how this would affect the transaction, and this may affect timing of closing. It may affect the purchase price. It may introduce certain indemnity provisions, you know, special indemnity for possible financial implications of a undisclosed violation. And then it also informs the buyer of the required disclosures to DCSA pre- and post-closing.

Molly O'Casey: And I'm definitely going to ask you more about what to do with violations. But in the meantime, is this only a buyer's concern? If I'm a seller, can I take my summer holidays and wait for the buyer to get back to the question?

Antonia Tzinova: Well, I mean, you know, the temperature on these transactions, right. They're go, go, go. So nobody take vacation until it clears. Sorry, Molly. But, as mentioned earlier, each party in the M&A transaction has an interest in this. And so the seller in the company would want to conduct their own preliminary review of the available documentation that is likely to be requested by the buyer. Straighten out any issues, get organized, build a library of documents that will facilitate buyer's due diligence. And we know, based on experience, are likely to be requested by the buyer. They should only conduct their own due diligence on the buyer to learn if there is any foreign ownership that must be reported and mitigated prior to closing. I mean the, the rule is pretty clear. Anytime there is 5 percent or more foreign ownership on the buyer side, whether it's direct or indirect, it must be reported to the DCSA, and DCSA must approve an acceptable FOCI mitigation. And as I mentioned earlier, FOCI stands for foreign ownership, control or influence. And so each party in the M&A transaction needs to take this seriously because we are dealing with classified information and national security concerns.

Molly O'Casey: Well, there's nothing I love more than a library full of documents.

Antonia Tzinova: Yes. Well organized, please.

Molly O'Casey: I imagine this process is much easier where both companies have security facility clearance. Is it still possible for a buyer to purchase a company where the buyer does not have a facility security clearance? And could you describe how that process unfolds?

Antonia Tzinova: Yes. I mean, it is possible, and it happens quite often. We see a lot of those transactions in the context of private equity investments. They are private equity funds that build portfolios of companies that operate in the defense and aerospace sectors. And oftentimes the target company will have that contact. And while the private equity fund may have a great company in its portfolio to serve as the buyer, the buying entity, oftentimes the investment is through just a holding company that is not cleared itself. And in that case, in addition to conducting due diligence to confirm that the target company's in compliance with this form requirements, we would also consider whether there is any foreign investment in the private equity fund that needs to be reported prior to closing. Who will be appointed as the company's management team post-closing? Do these people have personnel clearance? Do we need to keep some of the current management in the position of the senior management official and the chairman of the board? Do we need to have a reorganization at the target company level, so that it would allow post-closing for the parent company to remain uncleared? These are all issues that we take into consideration in a non-cleared buyer transaction. And all this is usually coordinated with the M&A and the tax teams to determine the best post-closing structure that would ensure the cleared company is able to continue performing on classified contracts but also, places, you know, relatively little burden on the companies that are outside of the, the company, immediate parent, and all the way up to the parent company.

Molly O'Casey: Yeah, the defense and aerospace deals are always super interesting.

Antonia Tzinova: Yes. And a lot of interesting issues there. I agree.

Molly O'Casey: I'm just hoping one day I can justify putting space lawyer on my business card personally.

Antonia Tzinova: Well, perseverance and time.

Molly O'Casey: As promised, could you tell us about the violations that might be uncovered during due diligence? Have you encountered any horror stories?

Antonia Tzinova: Well, luckily, we haven't had horror stories in our experience recently, but, yeah, things happen. I mean, an example of, noncompliance, I would say, is a cleared company that hasn't implemented an insider threat compliance program. I mean, that's a mandatory requirement in this world. And we've seen, we're seeing companies who haven't done it. Or we may see an incident of compromising classified information. And this could have been reported or may not have been reported, I mean, and it just shows up in the diligence. And that's usually an employee who fails to follow established protocols and procedures and so has created risk for classified information leaking out of, you know, secure environments. These need to be reported as soon as discovered, and actions need to be taken immediately to mitigate any consequences. And clearly, company needs to work with DCSA and with its customer to address these. So those are the type of issues that we see. Sometimes it could be just reporting recordkeeping, you know, deficiencies, I would call it. My general experience is companies performing on classified contracts are good corporate citizens and they have a good awareness of their responsibilities.

Molly O'Casey: That's good to hear. Do these violations prevent the M&A deal from going forward? And if not, what's the timeline for remedying them?

Antonia Tzinova: As a good lawyer, I have to say it depends right? But generally, no. I mean, when parties, we've had cases where a transaction may fall apart, it's not necessarily because of DCSA compliance only. I mean, there's usually something else that's going on. If there are concerns, there are ways to, to take care of it. I mean, it could be adjustment in price. It could be setting up a special indemnity in the purchase agreement. What the, how does that look like? I mean, we set up a reasonable period of time within which an issue can be resolved with DCSA, and then we provide for reimbursement for any penalties assessed or any legal costs accumulated by the buyer and the company. And as part of this special indemnity, we may require that the company notifies DCSA and corrects the issue before closing, so it may affect the timeline. Oftentimes, parties find a way to work out these issues and still have a transaction close.

Molly O'Casey: So kind of stressful. But not, not a deal breaker.

Antonia Tzinova: Right. As I said, has to be taken in context with everything else going on as part of the transaction.

Molly O'Casey: What would be the consequences of a violation of the NISPOM if somebody didn't catch it?

Antonia Tzinova: Right. So, I mean, in the, the ultimate one, the worst possible case scenario is losing the facility clearance. And with that, the ability to perform unclassified contracts or bidding on new ones. This, however, is reserved for the most egregious violations and kind of wanton disregard by the cleared company or the parties involved. Like maybe the parties to the M&A transaction — for example, we know that a couple of years ago, a cleared company was acquired by a buyer with foreign ownership in its structure. The parties engaged with CFIUS, the Committee on Foreign Ownership in the U.S., but did not think of notifying the DCSA of the issue, even though the target company had a facility clearance. And so DCSA learned of the transaction post-closing. And, needless to say, they were upset about that. And so, I think that they used the case to make a point to the industry, and, as a result, they terminated the facility clearance. As they said, however, this is the extreme, more often, you know, DCSA would outline vulnerabilities, and I would expect that companies address those within 30 days. And so, in due diligence, what we like to see is evidence that the company has addressed those. And as mentioned earlier, this might be just recordkeeping deficiencies. It may be, you know, certain procedures that need to be put in place, maybe training or insider threat program training particularly. So, you know, as I said, most companies are very cognizant of their responsibilities under the NISPOM and, and take it very seriously. They undergo training by DCSA and by their customers on how to safeguard classified information. And so, you know, violations tend to be relatively minor. And then, I mean, we have the case of compromised classified information. That's typically an employee who was not following protocol. And if that is the case, DCSA has discretion on how to handle it. Depending on the circumstances, the employer may be reprimanded. They may be taken off the project for a while. The ultimate penalty for an employee would be losing their facility clearance and being suspended or losing it indefinitely. But as I said, it all depends on the circumstances and how the company works to address those and whether it cooperates with DCSA and whether it acts promptly.

Molly O'Casey: I love that language, though. Egregious violations and wanton disregard.

Antonia Tzinova: That that is very lawyer speak. Right?

Molly O'Casey: I mean, it's a great line. I feel like Jane Austen would be jealous.

Antonia Tzinova: Yeah, I mean, I like another one. And I tell you, I swear. My son is 10 years old, and he's been listening to me speaking. And especially during the pandemic years, on various calls. And he's learned need to know basis. I was taking him to the movies a month ago with some of his friends from school, and the three of them were sitting there in the back seat. And then somebody asked him a question, and he's like, this is information that is on a need to know basis only. Yeah. I'm driving, right, and I'm like excuse me? What did you say? And by the end of the ride, the other kids have picked on that. Beautiful. Beautiful vocabulary.

Molly O'Casey: Well, thank you so much for coming on and discussing M&A deals, Antonia.

Antonia Tzinova: Absolutely. My pleasure.

Molly O'Casey: This area is full of acronyms. This week's episode had a few that we're becoming familiar with, which were Defense Counterintelligence and Security Agency or DCSA, facility security clearance or FCL, personnel security clearance or PCL, the National Industrial Security Program Operating Manual or NISPOM, foreign ownership, control or influence or FOCI. And if you're not familiar with it, mergers and acquisitions, which is M&A. Each episode, we ask our speaker to explain an acronym that featured in the episode with wrong answers only. Antonia, would you like to choose an acronym?

Antonia Tzinova: Yeah. I mean, so, you know, when we were discussing what should be the name of this podcast of yours we were considering "What I FO”I."’ I'm thinking that that doesn't need to be spelled out, but just to be a little bit more politically correct. And I choose PCL, post-closing liquidity, as mine. So PCL stands for personnel security clearance. And I think post-closing liquidity is appropriate because we talked so much on this episode about not buying trouble and how M&A due diligence helps identify issues and be able to be proactive about addressing and curing problems so that the cleared business can continue operating smoothly post-closing. So I'm going to stick with that: PCL, post-closing liquidity.

Molly O'Casey: And not buying trouble.

Antonia Tzinova: And not buying trouble.

Molly O'Casey: Well, thank you so much.

Antonia Tzinova: Absolutely a pleasure.

Molly O'Casey: On our next episode, we will be discussing FOCI mitigation of a cleared company. I hope everyone has a great week in the meantime.

Related Insights