Companies face unprecedented operational, physical and cyber security challenges that blur the lines between their internal security and US homeland security, while addressing new legal requirements associated with evolving national security laws and regulations. Hunton Andrews Kurth’s National Security Practice, in conjunction with its Cyber and Physical Security Task Force, helps clients to achieve their security goals, satisfy national security requirements, and work with the government to protect corporate and homeland security. Our lawyers have broad government experience at senior levels and personal insight into agency decision making and congressional action. We help clients from a wide range of industries navigate complex national security processes in the executive branch and Congress.
National Security Practice
- Security-Related Compliance and Law Enforcement: Our lawyers help companies comply with security standards such as North American Electric Reliability Corporation (NERC) Reliability Standards, the TSA’s Pipeline Security Directives, National Institute of Standards and Technology (NIST) security standards, and other security regulations and guidance across federal agencies, state public utility commissions and state attorneys general. We advise on compliance with all federal and state information security requirements. We also assist companies with a wide range of compliance issues relating to national security and law enforcement authorities, including the Patriot Act, the Foreign Intelligence Surveillance Act, the Foreign Intelligence Surveillance Act (FISA) Amendments Act and other federal statutes.
- Security-Related Trade Controls: The federal government employs an array of controls over national and energy security-sensitive items, services, and commodities, including International Traffic in Arms Regulations (ITAR) export controls on military-related articles and services, Export Administration Regulations (EAR) on dual-use items, and DOE and FERC authority under the Natural Gas Act over natural gas exports. We work with clients to navigate these requirements to accomplish trade goals in security sensitive areas.
- Foreign Investment and Influence Review: Committee on Foreign Investment in the United States (CFIUS) review of national security issues created by foreign investment in the US has expanded significantly since 2020, with the adoption of new rules mandated by the Foreign Investment Risk Review Modernization Act. We advise clients on all aspects of a transaction relating to national security reviews of foreign investment. This includes whether a CFIUS filing is legally required or advisable, conducting due diligence, negotiating acquisition documents, and where review is necessary, forming a cogent strategy for government approval. We also advise clients on other foreign influence controls including Foreign Agent Registration Act (FARA) reporting requirements for foreign political activity within the US.
- Sanctions and Embargoes: The US Department of Treasury’s Office of Foreign Assets Control (OFAC) administers and enforces trade and economic sanctions against certain countries and territories as well as designated individuals and entities. We counsel clients on compliance with sanctions and trade embargoes under the regulations of OFAC as well as the European Union, the United Kingdom and other jurisdictions. We also provide training on compliance best practices and assist clients with transactional due diligence by helping them identify and mitigate economic sanctions and export controls risks arising out of mergers and acquisitions, joint ventures, contractual relationships and other transactions that may give rise to such risks.
- National Security Division Oversight and Investigations: The DOJ’s National Security Division (NSD) has primary law enforcement authority for counterintelligence and export controls, counterterrorism, and foreign investment review. We advise clients on responding to NSD investigations, conducting internal investigations, and navigating the NSD’s Counterintelligence and Export Control Section’s expectations regarding its enforcement policy for business organizations. We also assist clients with FARA filings and advise on export control and clearance issues.
- Corruption as a National Security Priority: The federal government has designated corruption as a core national security interest and has made clear that it expects US companies to put anti-corruption measures in place. The government has also signaled its intent to require US companies to report beneficial ownership, reduce offshore financial secrecy and otherwise comply with initiatives to combat illicit finance. We assist clients with preparing and implementing compliance programs, conducting internal investigations and working with government agencies to disclose and mitigate threats to national security arising from within the public and private sectors.
- Controlled Unclassified Information/Cybersecurity Maturity Model Certification: The Department of Defense is increasing requirements for contractors to verify protection of Controlled Unclassified Information (CUI) through the Cybersecurity Maturity Model Certification (CMMC) program. Other federal agencies may soon follow. We work with clients to help them understand and inventory what of their information could constitute CUI and develop a plan towards preparing for CMMC accreditation.
- Security Clearances: The federal government is placing new emphasis on providing clearances across the private sector, particularly to critical infrastructure owners and operators. Classified information can be a powerful tool in addressing cyber risks, but handling it involves complex compliance structures. We work with clients, especially those interacting with classified information for the first time, to help them navigate handling requirements to leverage classified information to address growing, serious cyber threats. We also work with clients considering transactions that could implicate security clearance requirements concerning Foreign Ownership Control, or Influence (FOCI) restrictions.
- Supply Chain Security: Supply chain vulnerabilities have emerged as a major security concern within both the public and private sectors. We work with clients to develop supply chain security protocols within their procurement process. We also assist clients complying with growing supply chain security laws such as Section 889 of the 2019 National Defense Authorization Act, and Department of Commerce Information and Communications Technology and Services regulations.
Cyber and Physical Security Task Force
The Cyber and Physical Security Task Force combines talent from across Hunton to provide clients with multidisciplinary assistance addressing legal, policy and reputational risks associated with physical and cyber threats to business operations and mission-critical information assets. Leveraging the firm’s industry-leading Privacy and Cybersecurity Practice and more than a dozen other leading practice groups, this firmwide task force assists clients in areas such as:
- Security Risk Management and Preparedness: Preparation and planning are critically important to preventing or mitigating the effects of a cyber or physical security attack. We work with clients “left of boom” to assist them in preparing to address a serious security incident, including negotiating agreements with third party incident response experts, updating incident response plans, conducting executive level and legal table top exercises, negotiating insurance policies, strengthening collaborative relationships with law enforcement and intelligence community agencies, updating security policies and improving security-related governance, and addressing supply chain risk. Through these services, we help clients to bridge their technical, business and legal incident response capabilities, while leveraging other internal client assets such as communications, human resources, and government relations. This enables clients to respond effectively to an attack and mitigate legal risk and the harm to mission critical operational assets, reputation, and the business in general.
- SAFETY Act Certification and Security Insurance Coverage: Companies are faced with catastrophic cyber and physical risks posed by terrorist, nation-state, and criminal threats. We work with clients to develop mitigation strategies for these risks. This includes reducing liabilities associated with terrorist attacks by seeking legal protections for physical or cybersecurity programs from the Department of Homeland Security (DHS) under the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act. We also coordinate with Hunton’s Insurance Coverage Practice to assist companies with insurance coverage for physical and cybersecurity incidents.
- Security Incident Response and Crisis Management: Our firm is a leader in investigating and counseling clients on the response to cyberattacks, insider threats and acts of sabotage. We perform investigations under privilege, manage forensics investigators and other external experts, and assist clients with fulfilling legal obligations identified during the investigation, particularly individual, contractual and government notification requirements, and manage litigation and regulatory enforcement proceedings. We also assist clients in managing the full panoply of activities associated with such attacks, including for example restoration and recovery, insurance coverage, internal and external communications, government demands for information, and congressional hearings.
- Mandatory Cyber Incident Reporting: As cyberattacks on entities providing critical public services grow, the government is increasingly requiring the reporting of cyber incidents at the federal level, including for example the Transportation Security Administration (TSA) Pipeline Security Directives and Chemical Facility Anti-Terrorism Standards (CFATS), and at the state level, such as the New York Department of Financial Services cybersecurity regulations. We assist client with compliance in this area and help them to understand new federal and state requirements.
- Private-Public Security Partnerships: Government agencies are expanding programs to work with the private sector to enhance security. The Department of Energy’s Cyber Sentry and the Joint Cyber Defense Collaborative at DHS, and the Electricity Subsection Action Plan are examples of the types of opportunities available now for owners and operators of critical infrastructure to enhance their own security posture while supporting government initiatives to strengthen homeland security. We work with clients to develop strategies and negotiate the terms of engagement for participating in such voluntary information-sharing partnerships.
- Protecting Security-Related Information: While information sharing is a powerful tool to mitigate security risks, companies need assurance that their sensitive information will be protected. By crafting sharing agreements and identifying information designations carrying specific legal protections – such as the Cybersecurity Information Sharing Act’s Cyber Threat Indicator and Defensive Measure, Protected Critical Infrastructure Information, and Critical Electric Infrastructure Information – we work with clients to protect sensitive information provided to the government from disclosure under the Freedom of Information Act (FOIA) and even from regulatory use.
- Security Policy Advocacy and Congressional Investigations: We advise on executive branch and congressional activity relating to physical and cybersecurity, including policies and programs, pending legislation, hearings, inquiries and investigations. We have substantial experience representing clients in high-profile investigations by Congress, while protecting applicable privileges and avoiding conflicts. We maintain strong relationships with officials in Congress, the administration and federal regulatory bodies, as well as with state legislatures, executive and regulatory branches, local governing bodies and international forums.