Navigating FOCI Risks In Supply Chains: A Quick Guide
Your supply chain is a web of global connections.
This brings efficiency but also hidden dangers.
One of the most significant yet overlooked threats is Foreign Ownership, Control, or Influence (FOCI).
For procurement leaders, understanding FOCI is no longer optional.
It is a crucial element of modern risk management.
This guide explains what FOCI risk is, who it impacts, the consequences of ignoring it, and how to build a proactive defense.
FOCI (Foreign Ownership, Control, or Influence) refers to situations where a foreign entity can directly or indirectly affect a company’s operations, decision-making, data access, or strategic direction.
The National Counterintelligence and Security Center (NCSC) defines it as a circumstance that could result in unauthorized foreign access to classified information or influence over a company’s operations.
FOCI risks arise whenever a foreign interest gains enough influence over one of your suppliers to steer its decisions.
This influence need not be majority ownership; it can stem from direct equity stakes, golden shares, board-level ties, or even foreign regulations.
In other words, a supplier might be compelled by local intelligence laws, government contracts, or hidden agreements to act on behalf of a foreign power.
Complex supply chain relationships can also provide avenues for influence: financial leverage or contractual obligations can create vulnerabilities.
The goal is to identify any pathway where a foreign interest could compromise your company’s integrity or the security of your data and products.
These risks expose organizations to espionage, cyber intrusions, and hidden dependencies.
A foreign-linked supplier might provide outsiders with backdoor access to sensitive systems or data.
For example, analysts warn that FOCI can allow “unauthorized access to sensitive U.S. data” or disrupt critical infrastructure, technology, or supply operations.
In practice, a Chinese-owned vendor could be required by Chinese law to hand customer data to the government, or a joint venture with a hostile nation could allow spies to infiltrate networks.
A well-documented example is Huawei.
Although the company is privately owned, China’s National Intelligence Law obligates firms to cooperate with state intelligence services upon request, thereby creating indirect government influence.
This legal exposure led the United States, the United Kingdom, and Australia to restrict Huawei from critical telecommunications infrastructure due to concerns about espionage and sabotage.

Source: CFR
FOCI may also tie you into geopolitical dependencies: if your key raw materials or IT services come from one country, foreign policy changes (sanctions, export controls) can instantly jeopardize your operations.
In short, FOCI is any hidden foreign control that could compromise your security or business continuity.
While all global companies should assess FOCI, specific sectors face heightened scrutiny and consequences.
Government and defense contractors are the most impacted.
Companies working with federal agencies often hold facility security clearances or handle classified data.
U.S. regulations explicitly prohibit a firm with unresolved FOCI from receiving such clearances.
That means that if a foreign entity controls your company (even indirectly), you cannot obtain or retain clearance for national security projects.
The Defense Counterintelligence and Security Agency (DCSA) administers the National Industrial Security Program (NISP) to mitigate these risks.
Many defense primes and subcontractors must submit detailed ownership disclosures (e.g., SF-328 forms) to demonstrate that no hostile foreign influence exists.
Failure to manage FOCI can force divestiture of foreign shares, resignations of certain directors, or other mitigation under a government agreement—or even end your participation in critical contracts.
Critical infrastructure sectors are another prime target.
This includes energy, telecommunications, finance, and transportation systems.
Adversarial control over a key supplier in these sectors could disrupt national operations.
FOCI here can also affect public safety and defense readiness.
For example, foreign interference in a utility supplier could disrupt the power grid, or espionage through an aerospace subcontractor could compromise defense systems.
Government reports warn that adversaries may use suppliers to insert “back doors” or cut off U.S. access to key materials.
The UK government applied this logic to nuclear energy projects, subjecting foreign investment to heightened scrutiny and later restricting Chinese participation in critical nuclear infrastructure over national security concerns.

Source: BBC
Any company tied into the defense industrial base or critical tech supply chains must guard against foreign control that could undermine resilience or security.
International corporations handling sensitive intellectual property or personal data must also manage FOCI.
Businesses operating worldwide with extensive supply networks face complex FOCI exposures, and differing geopolitical pressures and jurisdictional overlaps create compliance challenges.
A 2024 survey by the World Economic Forum found that 80% of organizations reported a significant disruption in their supply chains in the previous 12 months linked to geopolitical issues.

A supplier in one country might have investors or ultimate owners in another, subject to differing laws and political pressures.
For example, a cloud services provider might have international data centers but also foreign ownership, exposing clients’ data to foreign influence.
Even non-defense firms (such as banks, insurers, or large manufacturers) must consider FOCI: a sanctioned individual’s hidden share in a key supplier can taint their operations.
Overlooking FOCI can have devastating multi-layered consequences.
The damage is often sudden, public, and costly.
Consider three key fallout areas:
Reputational harm is immediate.
If it comes out that a supplier (or your own company) was under foreign influence, trust can evaporate overnight.
Customers, partners, and investors may feel betrayed or exposed and terminate contracts.
Governments and the public can react harshly to any hint of foreign control in sensitive areas.
For example, officials will probe connections to adversarial nations, and media coverage can amplify the scandal.
Authorities and clients might withdraw contracts or halt collaborations once such ties are revealed.
In 2020, the U.S. government’s “Clean Network” initiative pressured companies to remove untrusted vendors, primarily in the telecommunications sector.
Companies associated with flagged entities faced swift market exclusion and brand damage.
Recovery from such a loss of confidence is slow and expensive.
You may lose market positioning or face boycotts by wary customers for years.
One real-world case showed that a seemingly healthy bank’s undisclosed foreign ownership stake led its clients and regulators to pull back immediately.
In 2022, Amsterdam Trade Bank collapsed within 48 hours when Microsoft and Amazon abruptly terminated critical IT services.
The two giants were spooked by a minority ownership stake held by a sanctioned Russian oligarch and by the bank’s heavy reliance on U.S. technology providers.

Source: Reuters
FOCI risks often nest deep within sub-tier suppliers, so extend due diligence beyond tier 1 to avoid damage.
Your direct vendor may be domestically owned, but a critical subcomponent manufacturer three tiers down could be a wholly-owned subsidiary of a foreign state-owned enterprise.
Your due diligence must map the entire chain.
Josh Bramble, Product Manager at Argus, a supply chain influence software product, insists that companies use continuous monitoring to conduct ongoing due diligence on suppliers, customers, investors, and board members.

Illustration: Veridion / Quote: Accrete.ai
Even trusted tier-1 partners may not intend to cause harm, yet foreign governments can still influence them without their knowledge.
Governments enforce strict rules on foreign influence.
If you ignore FOCI, you risk violating those regulations.
For government contractors, the consequence is often disqualification.
In the U.S., for example, any government contractor must disclose foreign investment and secure approvals.
A single undisclosed foreign investor can invalidate your security clearance and disqualify you from contracts.
In the public sector, non-compliance can trigger investigations and mandatory restructuring.
The Committee on Foreign Investment in the United States (CFIUS) has broad authority to unwind transactions or impose mitigation agreements for past deals it finds pose a national security risk.
In the semiconductor sector, U.S. authorities have repeatedly blocked or unwound acquisitions involving Chinese investors, citing FOCI risks under CFIUS.
In several cases, companies lost deal value and were forced to divest after failing to assess foreign ownership risks early.

Source: Atlantic Council
The financial and operational toll of such interventions is substantial.
Recent rules allow fines up to $5 million per violation for serious breaches of reporting or mitigation agreements.
In practice, a company that fails to report FOCI or misstates facts on a mandatory form could face heavy monetary penalties or be forced to restructure.
In extreme cases, regulators may suspend contracts, require divestment of foreign interests, or even bar your firm from future projects.
Audits and investigations are also likely: once a FOCI issue is suspected, regulators tend to demand extensive disclosures and pursue enforcement actions.
To ensure you’re not in violation, examine board composition for foreign nationals with conflicting allegiances.
Review the financing to determine whether foreign state-backed banks hold debt.
Scrutinize joint ventures, licensing agreements, and off-take contracts that could grant a foreign party operational control or access to data.
The ultimate consequence is a compromise of national security.
Unmanaged FOCI risks can expose critical technologies, infrastructure blueprints, or sensitive data.
The 2023 Annual Threat Assessment from the U.S. Intelligence Community states that adversaries use “economic agreements and foreign investment to gain access to sensitive technologies.”
Foreign governments could exploit supplier connections to spy on sensitive programs or sabotage critical systems.
For instance, adversaries might insert malware via a compromised vendor, steal intellectual property, or exfiltrate classified data.
A report by intelligence agencies highlights that third-party suppliers can be conduits for economic espionage, sabotage, or theft.
In the worst case, FOCI in critical supply chains can undermine military readiness or the resilience of essential services.
When FOCI is ignored at scale, its impact can ripple through the energy, defense, and technology sectors.
A DoD study warns that over-reliance on a single country’s suppliers, especially if they are controlled by hostile interests, could allow an adversary to shut off vital supplies or introduce vulnerabilities.
Energy supply chains show how FOCI risks scale nationally.
U.S. government reviews found that dependence on foreign-controlled suppliers of solar components posed long-term energy security risks, including supply disruptions during geopolitical conflict.
Simply put, a single foreign-owned subcontractor might unknowingly compromise the defense supply chain.
For your organization, this means that failing to detect a foreign connection could leave your systems exposed to cyberwarfare or the loss of critical capabilities—threats that go beyond business risk to the nation’s security.
Implement a continuous monitoring program because ownership structures change and companies are acquired.
A supplier that was low-risk last quarter may be purchased by a high-risk entity tomorrow.
Static, point-in-time assessments are inadequate.
You need a system that alerts you to material changes in corporate ownership and structure across your supplier base.
Managing FOCI is not just a compliance task.
It is a direct contribution to corporate and national resilience.
Tackling FOCI requires deep, accurate data—and that’s Veridion’s specialty.
Veridion’s intelligence platform aggregates and analyzes global business information to expose foreign ties in your suppliers.
For example, Veridion’s data includes detailed corporate family structures and locations, helping you map each supplier’s ownership chain.

This means you can input a vendor’s name and instantly see all its parent companies, subsidiaries, and key shareholders, even those hidden in overseas shell companies.
The platform explicitly flags foreign ownership and influence: Veridion reveals foreign connections that may pose risks to your business operations, letting you identify FOCI issues before they cause trouble.
Veridion maintains profiles for over 123 million businesses worldwide, refreshing data weekly to ensure accuracy.

In one click, you learn if any parent company is foreign-state-owned or if a director is on a sanctions list.
This continuous monitoring is crucial: supply chains change often, and Veridion’s AI-driven updates capture new investments or geopolitical events as they happen.
By integrating Veridion data into your vendor-risk workflows, your team can automate due diligence.
For example, you can set alerts for new foreign investment or changes in ownership among key suppliers.
When a potential FOCI risk emerges, you’ll see it immediately, giving you time to implement mitigation, such as adding firewall restrictions or switching to alternate suppliers.
In short, Veridion turns opaque corporate data into actionable intelligence.
Instead of manual research that can miss deep ownership links, you use Veridion’s platform to trace each tier of your supply base quickly.
This ensures compliance with FOCI regulations and protects you from surprises.
Hidden foreign ties can derail even the healthiest supply chain.
But you have the tools to stay ahead.
With vigilant due diligence and accurate data, you’ll catch foreign influences before they cause damage.
Maintaining supply-chain security means treating FOCI as a standard part of your risk management.
When you proactively identify and mitigate these hidden influences, you protect your contracts, your reputation, and ultimately your organization.
Stay alert and proactive, and you’ll keep your supply chain—and national security—safe and strong.