UK government requires Chinese-controlled company to appoint CSO with security clearance

Written By fra juniper

Key points

  • The UK government issued a final order under the National Security and Investment Act (NSIA) on 27 November, the second in the space of a month. 

  • As with the previous ruling, this final order concerns the acquisition of a UK company working in a sensitive area by an entity ultimately controlled by a Chinese actor.

  • The previous ruling unwound the acquisition entirely, whereas this one follows the broader trend of NSIA final orders imposing changes in security governance.

  • The UK government has ordered that the company appoint a chief security officer (CSO) with a UK security clearance. 

  • This is the sixth time the UK government has used a final order to impose a vetted or otherwise government-approved person to a senior position in a company. 

The UK government has for the second time this month exercised powers granted under the National Security and Investment Act 2021 to intervene in the acquisition of a UK technology company by a Chinese entity. 

The final order published on 27 November 2024 pertains to UK company IsotopX Ltd, a manufacturer of export controlled mass spectrometry equipment. The order sets out two transactions through which an entity identified as a “Future Industry Investment Fund II” gained a 32% shareholding in IsotopX, triggering a review under the Act. 

China is not named in the final order, which only partially describes the chain of transactions involved in the acquisition. A review of online company registry data and other sources suggests the involvement of a network of companies registered in Hong Kong and the British Virgin Islands. Future Industry Investment Fund II is a China-registered entity - [LINK].

Comparison with previous final orders

The order notes that the transaction will be permitted to proceed pending certain changes. This contrasts with the previous ruling this month, which ordered the transaction to be unwound. The changes, which are only broadly described in the final order, concern security governance, policy, process, and personnel at the UK company at the centre of the acquisition.

The final order follows the general trend under which the NSIA is increasingly being used not to block or unwind transactions, but instead to impose behavioural changes on the company involved. These changes range from restrictions on the transfer of sensitive manufacturing capability offshore, through to security governance, to requirements to notify the UK government of proposed changes to management structures. 

These changes go beyond cyber or information security to encompass a broad approach to protective security, encompassing cyber, physical, and personnel security. Personnel security is a clear focus in the most recent final order. Among the required changes are the introduction of protocols around business travel and visits to the UK company’s site - these speak to a concern around insider threat and travel security risks.

The requirement set out in the greatest detail in the final order concerns security governance and personnel security. The final order requires that IsotopX appoint “a Chief Security Officer with UK Security Vetting clearance”. This is the sixth time a final order has required a company to introduce a security cleared or government-appointed senior member of staff. The chart below tracks the number of final orders that have included this requirement over time. 

Implications of the decision

  • This ruling underlines the degree of scrutiny that the UK government is applying to transactions involving the acquisition of sensitive technologies by Chinese-controlled entities.

  • The complexity of the chain of transactions described in this case underlines the importance of due diligence for companies and investors. 

  • For companies that fall under the scope of the NSIA, the development of a mature protective security function is increasingly likely to be a prerequisite for successful mergers and acquisitions.

  • The imposition of a security cleared senior management will enable companies’ security functions to access intelligence from within the UK intelligence community and other sources.

  • The prospect of the imposition of cleared security personnel may also serve as a deterrent to actors considering purchasing companies as a conduit for illicit technology transfer and intellectual property theft. 

SECURED is approved by the NPSA to provide protective security assessments for companies, research institutions, and investors. Our security practitioners help entities secure their intellectual property, build operational and financial resilience, and cultivate a positive organisational security culture. We provide research on the national security implications of emerging technologies as part of our scientific and technical intelligence assessment capability.  


If you have any questions, or to subscribe for further updates on this subject, please contact hello@secured-research.com.

fra juniper
Previous

Higher Education Cyber News Digest
Next

Higher Education Cyber News Digest