Asset Management – Compliance & ESG | Norwegian national security strategy: key takeaways for asset managers and their portfolio companies

Background and legal context

Norwegian asset managers are accustomed to dealing with certain security aspects. For example, Norwegian asset managers are subject to mandatory obligations under anti-money laundering regulations which requires them to conduct certain investigations into, for instance, their investors prior to onboarding into their funds. Furthermore, asset managers are also required to conduct investigations into their investors and other counterparties to ensure compliance with sanctions legislation. Similar obligations apply to their portfolio companies. For certain investments, both in Norway and in other jurisdictions, rules on ‘foreign direct investments’ apply, such as the Norwegian Security Act. These rules typically apply for investments with a nexus to critical infrastructure or other national security interests such as defense.

Based on our experience and discussions with representatives of relevant Norwegian authorities, security risks for asset managers are not necessarily mitigated simply by ensuring compliance with these laws. Additional assessments and considerations beyond legal requirements may be necessary to safeguard financial interests and assets. This need has been more prominent after the publication of the national security strategy. The strategy emphasises that Norway is facing its most severe security situation since the World War II, with  a higher degree of uncertainty than what we have had for the last 50 preceding years. The situation requires effort from all segments of society, including the private sector, to address the challenges at the intersection of security, economics, and technology.

Security risk scenarios for asset managers and their portfolio companies

The strategy acknowledges China’s key position in the global economy and its importance for Norway as a trade partner. However, it also recognises the security threat posed by China and advocates for increased vigilance in dealings with Chinese actors. It also supports the avoidance altogether of cooperation with China in certain sensitive areas. Furthermore, the strategy emphasises that China and Russia employ a range of tactics, including cyberattacks, sabotage and disinformation, to exploit vulnerabilities in Europe and to achieve their strategic objectives. Norwegian asset managers are not immune to these threats.

Security risks can arise in several situations within the business activities of asset managers, including when onboarding investors, making new investments or add-ons, when portfolio companies enter new supplier-, customer-, or collaborative agreements or enter new markets or other engagements with third parties. Generally, security risk is prevalent where there are foreign entities or individuals involved, either directly or indirectly through e.g. ownership, which is often the case in material or strategically important engagements.

Asset managers and their portfolio companies should focus their attention and efforts to those areas where the risk is highest, which typically is in relation to engagements with a link – directly or indirectly – to high-risk regimes. This may include Russia and China, but also third countries and partners collaborating with these regimes. For instance, individuals and entities representing Russia, China, and other authoritarian regimes, are increasingly making minority investments in companies or joint ventures and entering into other types of cooperative agreements, which can provide access to sensitive information which may be used for unwanted purposes. Additionally, foreign suppliers linked to individuals or entities associated with authoritarian regimes pose a similar threat. Supplier engagements can easily be exploited for information and espionage purposes.

Additionally, asset managers should be aware of the risk that investments in goods and services that are not currently perceived as security threats, may become reclassified as such, particularly if new technology or intellectual property emerges within a portfolio company. This may trigger certain requirements and restrictions, including the potential for government intervention. Examples may include technology that has not been classified as defence products or having dual-use capabilities, but which may be deemed valuable to authoritarian regimes in the future. Portfolio investments’ value may be significantly impacted if security risks and concerns are not adequately addressed.

BAHR comments

The first Norwegian strategy on security is a positive development, and it should be received as a clear signal that the government sees security concerns as a key priority going forward. While the strategy admittedly is quite high-level and general in its form, there are certain key takeaways that we believe asset managers should make note of. The Norwegian government, based on all its available intelligence and insights, sees severe security threats against Norway, including Norwegian businesses and assets. The government calls upon the private sector to take their part in addressing and handling security risks, thereby protecting both privately owned assets but also contributing to overall resilience. The strategy also anticipates certain regulatory amendments that aim to enhance resilience, and which are expected to impact asset managers.

In coming newsletters, BAHR will explore specific security-related legal and regulatory considerations that are relevant for asset managers, including anticipated regulatory changes. However, and as stated above, security risks and concerns are not necessarily adequately addressed simply by following the rules. We recommend Norwegian asset managers to evaluate their holistic approach to security and identify potential risks and concerns in their operations and within their portfolio companies, focusing on risks that may disrupt or materially harm its business activities.

We recommend the following risk mitigation measures: