New Executive Order Formalizes Expanded CFIUS Purview

On September 15, 2022, President Biden issued an Executive Order titled “Executive Order on Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States” (the “Executive Order”). The Executive Order formalizes the recent, expansive interpretation by the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) of its national security remit.

The Executive Order is best read as an implicit, presidential ratification of the Committee’s current modus operandi. Importantly, the Executive Order “does not change CFIUS processes or legal jurisdiction,” nor does it seek to impose any guardrails around the Committee’s judgment as to what constitutes a national security threat (“CFIUS may consider any national security risk arising out of a transaction over which it has jurisdiction”).¹ However, the Executive Order foreseeably will cement the Committee’s recent approach to national security assessments in the near term, and potentially provide latitude for further, gradual expansion of CFIUS’s domain on a longer-term basis.

Background

CFIUS is an interagency committee of the U.S. government with authority to review certain foreign investments in the United States. CFIUS received authority to review foreign transactions following passage of the Exon-Florio Amendment, which amended Section 721 of the Defense Production Act of 1950 (“DPA”) and granted the president authority to block foreign investments in the United States when “the transaction threatens to impair … national security.”²

The Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) dramatically expanded the scope of CFIUS’s jurisdiction to include non-passive, non-controlling investments in “TID U.S. businesses” (i.e., a U.S. business that deals in critical technology, services critical infrastructure, or collects or maintains sensitive personal data, each as defined in the CFIUS regulations).³ In addition, FIRRMA introduced, for the first time, a mandatory filing requirement, applicable to certain investments (1) in critical technology companies; or (2) that result in acquisition of a substantial interest in a TID U.S. business by a foreign government-affiliated investor.

The Executive Order

The Executive Order directs CFIUS to consider five categories of risk in connection with transactions, as summarized below. Importantly, the Executive Order is non-exhaustive; it is intended to underscore the U.S. government’s interest in particular national security risks, without impinging upon CFIUS’s authority to construe U.S. national security interests broadly.

1. A transaction’s effect on the resilience of critical U.S. supply chains that may have national security implications. The Executive Order observes that foreign investment that shifts ownership, rights, or control to a foreign person over certain manufacturing capabilities, services, critical mineral resources, or technologies may render the United States vulnerable to future supply disruptions. Currently, in connection with a CFIUS review, parties customarily are required to supply information about the U.S. business’s market share, key customers, and competitors. The Executive Order foreseeably may cause CFIUS staff to focus greater attention on potential supply chain risks during the usual Q&A process, in the form of additional or more detailed questions addressed to the U.S. business.

2. A transaction’s effect on U.S. technological leadership in areas affecting U.S. national security, including but not limited to microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies. The Executive Order states that these categories of technology—which largely overlap with anticipated categories of “emerging technology” identified by the U.S. Department of Commerce in 2018—may present particular risk, and the Executive Order directs CFIUS to assess whether (1) a transaction may result in advancements or applications that could undermine U.S. national security; and (2) a foreign person has ties to third parties that pose a threat to U.S. national security.

   We anticipate that the Executive Order’s mandate may formalize CFIUS’s current practice of assessing risks beyond access to a U.S. business’s technology as it currently exists, including (for example):

   • Whether the technology could be leveraged to accelerate development of an unrelated technology of potential concern; and
   • Whether an apparently innocuous technology, in the possession of an otherwise non-threatening foreign party, may present risk due to the foreign party’s relationships with countries or parties of concern.

   Of note, the Executive Order observes that companies outside of government contractors, semiconductor companies, and other traditionally high-risk industries may warrant enhanced CFIUS scrutiny, which is consistent with recent experience. For example, on September 9, 2022, Snapdragon Chemistry, a drug services firm specializing in flow chemistry technology, announced that its previously announced acquisition by Asymchem, a Chinese pharmaceutical research and manufacturing company, would not proceed due to the parties’ inability to reach agreement on mitigation terms with CFIUS.⁴ In response to the abandonment of the Snapdragon-Asymchem acquisition, one source observed that “the [C]ommittee is particularly interested in vetting deals involving technology and intellectual property that emerge from US universities, a primary source of pharmaceutical innovation.”⁵ Going forward, CFIUS scrutiny of foreign investment in U.S. businesses in the industries identified in the Executive Order is likely to increase.

3. Industry investment trends that may have consequences for a given transaction’s impact on national security. The Executive Order states that investments that appear innocuous may be part of a broader plan or scheme to facilitate the transfer of sensitive technology. For example, although a single investment by a China-affiliated investor may present limited national security risk in isolation, the same investment may present meaningful risk if the transaction is part of a broader trend or plan to consolidate ownership or control in a particular industry by China-affiliated investors. Recent media reports have documented the continued flow of Chinese investment into certain U.S. industries. In this regard, the Executive Order potentially provides CFIUS grounds to consider and seek to address national security risks that do not specifically arise as a result of the transaction before the Committee, although it remains to be seen how broadly the Committee might seek to expand its mandate in practice.
4. Cybersecurity risks that threaten to impair national security. The Executive Order directs CFIUS to assess whether the foreign person, or their relevant third-party ties, may obtain the ability to harm U.S. cybersecurity as a result of a covered transaction. Cybersecurity already is an area of intense focus by the Committee, and that trend was primed to continue even in the absence of the Executive Order.
5. Risks to U.S. persons’ sensitive data. The Executive Order underscores that access to sensitive personal data is a key and evolving national security risk. As such, the Executive Order directs CFIUS to assess whether a U.S. business has access to sensitive personal data, and whether the foreign person or its third-party ties will seek or have the ability to exploit such data to the detriment of national security. CFIUS already has been—consistent with FIRRMA, and the definition of TID U.S. business, which includes companies that collect or maintain sensitive personal data—treating data access as a key risk factor, and the inclusion of a data-focused directive in the Executive Order suggests that CFIUS will continue to scrutinize transactions involving sensitive personal data.

In its discussion of each of the above categories, the Executive Order refers to the risks presented by the foreign person or its “relevant third-party ties.” This language underscores that CFIUS may look beyond the identity and nationality of the foreign person in the transaction under review. In particular, we expect that CFIUS will continue to focus on connections to foreign governments with which the foreign person has commercial, investment, or other ties.

Conclusion

While the Executive Order does not alter the scope of CFIUS’s authority, the Executive Order appears intended to signal tacit approval of the Committee’s recent approach. Parties to covered transactions should expect continued, detailed scrutiny of investments in U.S. businesses, whether or not notified to the Committee. In addition, the Executive Order may lead to further incremental expansions of CFIUS’s mandate, including to address perceived risks that do not arise directly from the transaction then under review by the Committee.