President Biden Issues Executive Order Directing CFIUS to Consider Specific Areas of Risk in Reviewing Transactions
September 15, 2022, Covington Alert
On September 15, 2022, President Biden signed the “Executive Order on Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States” (the “CFIUS EO”). As explained in the fact sheet issued by the White House to accompany the CFIUS EO, the CFIUS EO “does not change CFIUS processes or legal jurisdiction.” In other words, the CFIUS EO has no direct legal or regulatory effect. Rather, the CFIUS EO highlights to a broader public audience the specific areas on which the Biden Administration and CFIUS are currently focused, which, we note, CFIUS itself already has been assessing as a regular part of its reviews for a number of years.
More generally, foreign direct investment has become an issue of the moment, particularly with respect to China, and the Biden Administration—like several of its predecessor administrations—is seeking to affirm both the U.S. open investment policy and the Committee’s significance and relevance, but without changing the scope or nature of the CFIUS review process itself.
As indicated, the new CFIUS EO calls out several specific areas of risk, though many of those areas were expressly identified in 2018’s landmark CFIUS legislation—the Foreign Investment Risk Review Modernization Act (“FIRRMA”)—including in Section 1702(c), “Sense of Congress on Consideration of Covered Transactions,” and thus the Committee has been incorporating assessment of such issues into its reviews for at least the past several years following that Congressional direction. The CFIUS EO, therefore, is likely most helpful as an aid to businesses that may not have filed with CFIUS recently and who are looking for formal guidance as to the types of transactions that would currently attract the Committee’s attention and the sorts of issues such transactions could present in the course of a CFIUS review. These areas of risk include:
- U.S. Supply Chain Resilience. The Biden Administration has made supply chain resilience a priority from its start, in large part due to critical shortages of medical supplies during the Covid-19 pandemic, and later due to supply chain disruptions affecting other goods and services, including high technology components like semiconductors. The CFIUS EO reinforces the importance of that prioritization, emphasizing that CFIUS should consider the effects of a particular transaction on supply chain resilience and security, both within and outside of the defense industrial base, including specifically with regard to microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, climate adaptation technologies, critical materials (such as lithium and rare earth elements), and elements of the agriculture industrial base that have implications for food security. In that respect, it is important to note that the focus on supply chain resilience covers not only the integrity of goods manufactured through the supply chain, but also the availability of goods and services. CFIUS is also directed to consider (i) the degree of diversification through alternative suppliers across the supply chain, including suppliers located in allied or partner economies; (ii) whether the United States business that is party to the covered transaction supplies, directly or indirectly, the United States Government, the energy sector industrial base, or the defense industrial base; and (iii) the concentration of ownership or control by the foreign person in a given supply chain.
- U.S. Technological Leadership. U.S. technological leadership has been the crux of the United States’ strategic competition with China, and has been the focus of other recent legislation and regulation, most notably the CHIPS and Science Act. The CFIUS EO highlights certain specific sectors that are fundamental to U.S. technological leadership in areas relevant to national security, including many of the same areas noted under supply chain resilience, e.g., microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies. The CFIUS EO also directs CFIUS to consider whether a covered transaction could result in future advancements and applications in technology that could undermine national security. Further, the CFIUS EO empowers the Office of Science and Technology Policy to periodically publish a list of technology sectors, including those mentioned in the CFIUS EO, that it assesses are fundamental to U.S. technological leadership in areas relevant to national security. Parties should expect that CFIUS will continue to be particularly interested in reviewing transactions involving these technologies with the reaffirmation provided by the EO.
- Multiple Acquisitions or Investments Within a Single Sector or Related Sectors. The CFIUS EO directs CFIUS to assess U.S. national security risk beyond the four corners of a given transaction—i.e., within the context of multiple transactions by a single company or companies from a single country. While CFIUS is obligated to conduct a transaction-specific analysis, it has typically sought to understand the industry dynamics and topology surrounding each transaction it reviews, including other M&A activity in that and related sectors (by the foreign investor and otherwise), as the broader context for the transaction and the risks it may present. This concept is especially important for companies that may have multiple transactions subject to CFIUS review at once, or within a short period of time. The CFIUS EO makes clear that CFIUS will connect the dots between different transactions as part of its review, in particular if they are in the same or related sectors or involve related manufacturing capabilities, services, critical mineral resources, or technologies, and will assess whether the transactions collectively present a risk to U.S. national security—for example, by facilitating harmful technology transfer—that is greater than the sum of the individual risk presented by each deal. As part of its assessment, the CFIUS EO directs that CFIUS may request from the Department of Commerce’s International Trade Administration an analysis of the industry or industries in which the U.S. business operates, and the cumulative control of, or pattern of recent transactions by, a foreign person, including, directly or indirectly, a foreign government, in that sector or industry.
- Cybersecurity Risk. Cybersecurity risk has long been a focus area for CFIUS, including with respect to cybersecurity risk as it plays out across the supply chain. CFIUS is highly attuned to whether a transaction will provide a foreign person with access to a target company’s network infrastructure, other U.S. IT systems or networks, connected devices (e.g., the Internet of Things), or software in a manner that would allow a threat actor, as a result of the transaction, to exploit vulnerabilities in such systems and assets. As reiterated in the CFIUS EO, CFIUS regularly assesses the relative sophistication and practices of the buyer and target regarding cybersecurity issues as part of its reviews, and transaction parties should carefully diligence these issues prior to filing with CFIUS. The CFIUS EO also highlights certain specific cyber threats for CFIUS to consider, including activity designed to undermine the protection or integrity of data in storage or databases or systems housing sensitive data; activity designed to interfere with U.S. elections, U.S. critical infrastructure, the defense industrial base, or other cybersecurity national security priorities; and the sabotage of critical energy infrastructure, including smart grids.
- Sensitive Personal Data. Sensitive personal data of U.S. persons has been an area that has received intense attention from CFIUS over the last several years. Beyond simply providing a jurisdictional hook for certain non-passive but non-controlling investments (as provided by FIRRMA and its associated regulations), CFIUS views the presence of sensitive personal data with a target company as a substantive national security issue. Depending on the nature and volume of data collected or held by the target U.S. business, CFIUS has shown that it may seek to prohibit a transaction or require mitigation measures to address such risks. The CFIUS EO also highlights the Committee’s skepticism regarding the mitigative value of anonymization or de-identification of personal data. As the CFIUS EO states, “advances in technology, combined with access to large data sets, increasingly enable the re‑identification or de-anonymization of what once was unidentifiable data.” In other words, in the world of CFIUS, there is no such thing as anonymized or de-identified data. The CFIUS EO further directs CFIUS to consider whether a covered transaction involves a U.S. business that “has access to data on sub-populations in the United States that could be used by a foreign person to target individuals or groups of individuals in the United States.”
In describing these risks, the CFIUS EO consistently refers to “relevant third-party ties that might cause the transaction to pose such a threat.” This emphasis on third-party ties demonstrates the Committee’s focus not just on the foreign person that is a party to the transaction and its affiliates, but also on individuals or entities that may exert influence or leverage over the foreign person, or that otherwise might be able to exploit the U.S. business through the transaction parties, e.g., through access to technology or sensitive personal data in the possession of the U.S. business. This is consistent with the Committee’s recent analyses, in which it has increasingly incorporated assessments of third-party risks (which can include nation states) that could be exacerbated by a transaction under review. Such considerations are integral to the Committee’s national security risk assessment with respect to a transaction, and transaction parties therefore should address such issues proactively before filing with CFIUS.
As indicated, sophisticated parties are no doubt aware that CFIUS has been taking the risk areas highlighted in the EO into account in its analyses for several years now. The CFIUS EO thus serves to more widely underscore the importance of these risks in the Committee’s deliberations, but should not have a significant substantive or procedural effect on the CFIUS process itself or any individual review. That said, these areas of interest—in particular the explicit call-out of microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies—may be the focus of further future action by the Biden Administration or Congress, such as with respect to an executive order or legislation implementing outbound investment screening. We will continue to monitor this space closely and report out on any such developments.