In the first such Executive Order since the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) was established in 1975, President Biden provided formal direction on the risks that CFIUS should consider when reviewing foreign investments in the United States. Specifically, on September 15, 2022, President Biden signed an Executive Order (the “E.O.” or the “Order”) that both elaborates on existing statutory factors and specifies three new national security factors that CFIUS should take into account when reviewing the national security risks posed by investments. While in many ways the E.O. simply formalizes considerations that have long been a part of the CFIUS review process, it now grounds the review process in the Biden administration’s priorities, including supply chain resilience, protecting Americans’ sensitive data, and maintaining America’s technological leadership. In doing so, the Biden administration also sends a clear message to companies and investors about the key national security risks that should be taken into consideration when deciding whether to seek CFIUS approval ahead of an investment.
As discussed in detail below, the five factors that the E.O. identifies for CFIUS to consider are:
- the transaction’s effect on the resilience of critical U.S. supply chains;
- the transaction’s effect on U.S. technological leadership in specified industries;
- investment trends that may have consequences for a given transaction’s impact on national security;
- cybersecurity risks; and
- risks to U.S. persons’ sensitive data.
Importantly, the E.O. does not change the scope of CFIUS jurisdiction or the process and timelines for its review.
- A Continued Focus on Supply Chain Security
CFIUS’s authorizing statute, also known as the “Exon-Florio statute,”[1] directs the Committee to consider the control of domestic industry “as it affects the capability and capacity of the United States to meet the requirements of national security.”[2] Accordingly, CFIUS has long considered supply chain effects when evaluating a transaction. The E.O. brings this concern to the forefront by specifically instructing the Committee to take a holistic view of the transaction and consider “the covered transaction’s effect on supply chain resilience and security, both within and outside of the defense industrial base, in manufacturing capabilities, services, critical mineral resources, or technologies that are fundamental to national security.” This instruction to look both upstream and downstream from the covered transaction to consider second- and third-order effects expands on the existing factor and highlights the emphasis the Biden administration is putting on supply chain security.
- Expanded Focus on Technological Leadership in Emerging Technologies
The existing statutory framework already includes as a risk factor the potential effects of a transaction on U.S. “technological leadership” in areas affecting U.S. national security. The E.O. elaborates on this existing statutory factor by specifically enumerating a handful of priority emerging and critical technologies – namely, microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies – as technologies that are “fundamental to United States technological leadership.” The E.O. also instructs the Office of Science and Technology Policy to publish a list of technological sectors that it assesses to be “fundamental to United States technological leadership in areas relevant to national security.”[3] Accordingly, this category too could see additional expansion.
- Broad New National Security Factors
In addition to expanding on existing factors, the E.O. also identifies three new factors that CFIUS should consider: investment trends, cybersecurity risks, and risks to U.S. persons’ sensitive data. Each has the potential to significantly broaden the scope of CFIUS review.
Sensitive Data. Companies that collect or maintain “sensitive personal data” of U.S. citizens are already an area of particular concern for CFIUS.[4] In addition, CFIUS increasingly scrutinizes transactions that involve the acquisition of U.S. businesses that deal with other types of mass data, even when such data does not rise to the level of “sensitive personal data” under the CFIUS regulations.
The new E.O. sharpens this focus. It states that “[d]ata is an increasingly powerful tool for the surveillance, tracing, tracking, and targeting of individuals or groups . . . with potentially adverse impacts on national security.” In that vein, the Order broadens the types of data that the Committee should consider when evaluating national security risks and instructs the Committee to consider covered transactions that implicate “any data that could be identifiable or de‑anonymized” or “data on sub-populations in the United States.” The E.O. notes that “advances in technology, combined with access to large data sets, increasingly enable the re-identification or de-anonymization of what once was unidentifiable data.” Consequently, the new categories of data identified by the E.O. could prove to be broad.
Cybersecurity. The Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) included a “Sense of Congress” provision that identified “exacerbating or creating new cybersecurity vulnerabilities” as a relevant consideration for the Committee.[5] The E.O. formalizes and expands on that focus by instructing the Committee to consider the “cybersecurity posture, practices, capabilities, and access of all parties to the transaction that could allow a foreign person, or their relevant third party ties,” to carry out malicious cyber activity. Accordingly, while cyber-related diligence is now standard in any deal, it must now be accounted for as part of the CFIUS process as well.
Investment Trends. Similarly, the E.O. instructs the Committee to consider “industry investment trends that may have consequences for an individual covered transaction’s impact on national security.” That is, not only should the Committee consider the terms of the specific transaction before it, but it should consider the state of the sector broadly and consider whether the incremental change represented by the covered transaction represents a national security threat in context. Again, this builds on a factor already elucidated in the “Sense of Congress” provisions in FIRRMA[6]—“the cumulative control of, or pattern of recent transactions involving, any one type of critical infrastructure, energy asset, critical material, or critical technology by a foreign government or foreign person”—broadens its scope, and makes the instruction to the Committee explicit.
*****
The E.O. further cements the industrial and national security priorities the Biden administration has focused on since taking office and formalizes CFIUS’s role in executing that policy. The five factors identified largely build on considerations that CFIUS practitioners were already accounting for, though the three novel factors in particular have the potential to expand the scope of future CFIUS reviews. Parties contemplating covered transactions should be prepared for scrutiny in these areas.
Beyond simply highlighting and sharpening the factors for the Committee to consider, the new E.O. signals a willingness on the part of the Biden administration to use executive action in the CFIUS and investment regulation space. As the prospects for Congressional action on outbound investment regulation appear to stall, the administration’s use of its own authority in this space is notable. Particularly given the apparent enthusiasm within the administration for an outbound investment regulation mechanism, the E.O. may preview one avenue to achieve that goal.
[1] The Exon-Florio statute, as amended, provides a list of factors that the Committee should consider when reviewing transactions for national security concerns. In addition, the statute permits the Committee to consider “such other factors as the President or the Committee may determine to be appropriate.” See 50 U.S.C. § 4565(f)(11).
[3] It is not apparent from the text of the E.O. whether this list will be separate or different from the list of “Critical and Emerging Technologies” published by the National Science and Technology Council and used as a proxy for the “emerging and foundational technologies” referenced in the “critical technologies” definition.
[4] Sensitive personal data includes identifiable data that is maintained or collected by a U.S. business that (1) targets or tailors products or services to certain branches or agencies of the U.S. government; (2) has maintained or collected identifiable data within one or more of the 10 categories of identifiable data described specifically by CFIUS on greater than one million individuals at any point within the last 12 months; or (3) has a demonstrated business objective to maintain or collect data in one or more of the 10 categories of identifiable data specified by CFIUS on more than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. See 31 C.F.R. § 800.241(a). Sensitive personal data also includes the results of an individual’s genetic tests, including any related genetic sequencing data, whenever such results constitute identifiable data. See 31 C.F.R. § 800.241(b).