A Fresh Take

Insights on M&A, litigation, and corporate governance in the US.

New CFIUS Executive Order Reflects Evolved CFIUS National Security Risk Analysis

On 15 September 2022, President Biden signed Executive Order 14083 (Executive Order on Ensuring Robust Consideration of Evolving National Security Risks by CFIUS) directing CFIUS to take certain national security risk factors into consideration when analyzing transactions subject to its jurisdiction (the “EO”).

The EO provides greater transparency into key policy considerations that drive CFIUS reviews, provides more definitive direction to CFIUS agencies to align the review process around Administration priorities, and places the Administration’s stamp on the CFIUS process. While the EO reflects current trends more than it establishes a new direction for CFIUS, it is still notable as confirmation that an increasingly broad range of U.S. targets and foreign investors will face CFIUS scrutiny.

The following summarizes the key points and takeaways from the EO. Clients are welcome to contact Aimen Mir for our memorandum providing an in-depth analysis of each of these key points.

  • The EO reflects a formalization in the CFIUS context of a broader U.S. national security policy focus on economic security as a key driver of national security.

The national security environment has evolved to increasingly focus on the national security effects of economic competition, meaning the ability to maintain an edge in the development of new technologies, ensure the economic health of critical industries, and control supply chains for critical goods and services. As a result, CFIUS’s national security review also has evolved to consider an increasing number of non-traditional, economic factors. The EO is largely a reflection of this expansion of CFIUS focus. Importantly, though the concept of national security now has an accepted, significant economic dimension, the EO does not establish, and CFIUS does not implement, an economic benefit test.

Key takeaway: The view that “economic security is national security” is likely here to stay. As CFIUS expands its consideration of economic security factors, it will capture an increasing number of transactions where the national security implications may not be obvious or may be more attenuated.    

  • China still is a key driver of national security concerns, and the EO makes clear that not only Chinese investors, but also non-Chinese investor ties to China, will draw scrutiny. 

The EO does not specifically mention China (consistent with CFIUS holding itself out as focused exclusively on national security regardless of investor country), and CFIUS clearly has deep concerns with Russia, but China is undoubtedly the underlying target of the EO. The EO further makes clear that, even where the investor is not from a country of concern, CFIUS should consider the investor’s ties to third parties of concern (with the principal third parties of concern being China and Chinese entities).

Key takeaway: Investors and sellers should carefully consider any potential investor ties to China—including Chinese shareholding, R&D activities in China, joint ventures with Chinese entities, supplier and customer relationships, cybersecurity vulnerabilities, overall importance of China as a market, and relationship of the investor’s home country with China—and whether CFIUS may view these ties as increasing risk of technology transfer or changes in U.S. supply chains. In deciding on your China business strategy, recognize that geopolitical interests are continuing to diverge, and CFIUS will increasingly scrutinize the investor’s China footprint in evaluating potential investment risk.

  • The EO makes clear that transactions are reviewed in the context of broader investment trends, not in isolation.

The EO directs CFIUS to consider “[r]isks arising from [a] covered transaction in the context of multiple acquisitions or investments in a single sector or in related manufacturing capabilities, services, critical mineral resources, or technologies.” Inclusion of this approach of considering cumulative risk in the EO emphasizes the long time horizon for CFIUS’s analysis.

Key takeaway: Parties should anticipate that CFIUS may have interest in transactions even where the transaction in isolation does not appear to be industry-shifting. Parties’ CFIUS risk analysis should incorporate consideration of market dynamics, with a focus on foreign ownership in a given industry, sector, or technology.  

  • The EO makes clear that CFIUS has a role in addressing supply chain risks not only to the defense industrial base, but also to areas important to economic security.

Supply chain considerations have long been the subject of CFIUS attention and mitigation. The EO makes clear that this focus has extended to meet broader notions of national security in the post-pandemic world. This includes, but is not limited to, supply chains related to microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, climate adaptation technologies, critical materials, and food security (“critical areas”).

Key takeaway: When evaluating CFIUS risk, it is essential to understand the role the U.S. target plays in broader supply chains for critical goods and services in the United States, and not just those related to the defense industrial base. The sensitivity of the U.S. business often drives the Committee’s supply chain risk analysis in such cases, making the analysis somewhat more agnostic to the home country of the investor.

  • Technological leadership considerations will impact outcomes for a broad range of transactions, even where the U.S. business does not have and is not targeting U.S. government or military customers.

The EO directs the committee to consider risks to U.S. technological leadership, including with respect to the critical areas noted above. In practice, CFIUS has shown that its concern is future-looking and anticipatory, meaning that it may see risk even in connection with purely commercially focused innovations, where the national security applications may not be intended by the parties or immediately obvious. The sensitivity of the investor will be a key driver, though the EO again points to ties with third parties of concern as a key factor in assessing this sensitivity.

Key takeaway: Investors and targets should assume that the technologies of the future will likely draw CFIUS interest, regardless of their current known or intended military applications, and that even investors from friendly countries may be closely scrutinized, especially to the extent of any potential China ties.

  • The EO confirms continuing CFIUS focus on cybersecurity risk, including third-party risk.

The EO provides some examples of cybersecurity risks, but it largely reflects a well-established aspect of CFIUS reviews. The EO again highlights third-party ties as a source of cybersecurity risk, but also implies that vulnerability of the U.S. business alone could drive CFIUS concerns.

Key takeaway: Acquirer cyber vulnerabilities will be a material factor in any transaction involving technology, data, or infrastructure sensitivity. Even absent such vulnerabilities, CFIUS may seek to use a reviewable transaction as an opportunity to harden the U.S. target.

  • The EO also makes clear that CFIUS will continue to scrutinize transactions that involve U.S. businesses that hold sensitive data.

The EO notes that data can allow surveillance, tracing, tracking, and targeting of individuals and groups and that advances in technology, combined with large data sets, increasingly enable reidentification of what was once unidentifiable data. The EO directs CFIUS to consider whether the U.S. business has access to sensitive data (including health, digital identity, biological, and other data that can be exploited to distinguish or trace an individual’s identity).

Key takeaway: Parties should consider whether the U.S. business has access to data that could be exploited by a foreign intelligence service, which may include categories of data that are broader than the narrower “Sensitive Personal Data” categories that can trigger CFIUS jurisdiction in non-control transactions. To assess the potential sensitivity of personal data, parties should consider the type, subject, and quantity of the data.

  • To the extent that CFIUS has already been considering the foregoing factors, why did the Administration deem it necessary to issue an EO?

The EO provides public transparency into the factors that have become important considerations since CFIUS last formally published guidance in 2008. Issuing guidance in the form of an EO provides more definitive direction to CFIUS agencies to align the process around key Administration priorities. Issuing the guidance in the form of an EO also raises the profile of the guidance and places the Administration’s stamp on the CFIUS process.

Key takeaway: Although the EO does not effect a significant change in CFIUS’s national security analysis, it may lead CFIUS agencies to reach out on transactions that they previously may not have believed warranted inquiry, and it may make CFIUS incrementally more likely to seek mitigation on transactions in the areas mentioned in the EO.