CFIUS Filing Considerations in Light of E.O. 14083 and CFIUS's 2021 Annual Report
Heading into 2023, U.S. companies in search of foreign investors and foreign parties considering investments in U.S. enterprises have new tools available to assist in their deliberations whether the Committee on Foreign Investment in the United States ("CFIUS" or "the Committee") will take an interest in reviewing or investigating their transactions. CFIUS released its 2021 Annual Report to Congress ("Annual Report") in August 2022, providing the first full-year snapshot of filings submitted after final implementation of the changes brought on by the Foreign Investment Risk Review Modernization Act of 2018 ("FIRRMA"). A few weeks later, on September 15, 2022, the President signed an Executive Order providing formal direction to guide the Committee's review of covered foreign investment transactions, E.O. 14083. While neither document is particularly groundbreaking, when taken in conjunction they will be helpful in scenarios where parties are considering the advisability of submitting a voluntary notification to CFIUS and how the Committee might respond to a given set of facts.
CFIUS Annual Report: Noteworthy Numbers
- In 2021, CFIUS received 164 Declarations and 272 Notices, with 47 Declarations involving stipulations that they were mandatory.
- CFIUS also identified 135 non-notified transactions, of which eight resulted in a Committee request for a filing.
- Between the Declarations and Notices, 184 transactions involved acquisitions of U.S. critical technology companies.
- Only one Declaration and six Notices involved real estate transactions.
- Over half of the Notices involved the Finance, Information, and Services Sector, which includes publishing industries (30 Notices), telecommunications (12 Notices), data processing, hosting, and related (13 Notices), insurance carriers and related (8 Notices), and professional, scientific, and technical services (57 Notices).
- Investors from Canada and Japan account for two of the top three countries for both Declarations and Notices over the last three years, with the United Kingdom rounding out the top three countries for Declarations and China leading the way for Notices in 2021 with 44.
CFIUS Annual Report: Dispositions of Filings
- CFIUS averaged 30 days to complete its review of a Declaration, 46 days to complete its review of a Notice that did not involve an investigation, and 65 days to complete its review of a Notice that did involve an investigation.
- Of the Declarations, CFIUS concluded all action on 120 submissions without imposing mitigation or requesting refiling, another 30 were required to re-submit as Notices, 12 had the option to re-file as a Notice, and only two submissions were rejected.
- Meanwhile, CFIUS investigated 130 of the Notices, leading transaction parties to voluntarily withdraw and resubmit Notices in about half of those instances. CFIUS eventually required mitigation for 26 transactions for which it concluded action, required residual mitigation for two transactions that were voluntarily withdrawn and abandoned, imposed conditions on yet two additional withdrawn and abandoned transactions, and required interim mitigation for one Notice.
- Parties abandoned nine transactions after CFIUS informed them that it could not identify mitigation measures that would resolve the Committee's national security concerns, or the Parties chose not to accept the proposed mitigation.
Stepping back from the number-crunching, these figures reflect that a significant majority of transactions involve no CFIUS-imposed mitigation whatsoever, that the Committee's decision to investigate a transaction does not automatically lead to a mitigation requirement, and that only a handful of transactions are deemed so problematic from a national security standpoint that they cannot proceed. The numbers also indicate that parties who choose not to file voluntarily generally appear to be conducting well-informed risk assessments of the Committee's likely interest in their transactions.
National Security Considerations
In reviewing covered transactions, CFIUS determines whether the transactions pose a risk to national security. In making these assessments, CFIUS is guided by statutory text (including FIRRMA, Pub. L. 115-232, § 1702(c)), its 2008 Guidance, and input from participating agencies, particularly the intelligence community. Moving forward, the Committee's analysis will include E.O. 14083 which elaborates on the existing statutory factors and changes many of them from permissive to mandatory while also adding to the Committee's list of considerations.
Under these authorities, CFIUS considers factors including:
- Whether the foreign investor is from a country of special concern, with a strategic goal of acquiring the critical technology or critical infrastructure at issue in a way that would affect U.S. leadership in areas related to national security;
- How the transaction might affect the resilience of critical supply chains that have national security implications, including outside of the defense industrial base, in areas such as microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, climate adaptation technologies, critical materials, and agriculture (particularly with impacts on food security);
- The degree of involvement and concentration of ownership or control the foreign investor already has in a given supply chain, who could take actions directly, or who has relevant third-party ties that might cause the transaction to pose a threat to national security;
- The possibility that a covered transaction might reasonably result in future advancements and applications of a technology that could undermine national security;
- The aggregate effect of incremental investments or a series of transactions that might not present a threat to national security when viewed in isolation;
- The effect of the transaction on U.S. cybersecurity; and
- The types and quantities of sensitive data involved, how the data could be exploited, the risk that sensitive data could be identified or de-anonymized, or that it could lead to targeting individuals or groups in a manner that threatens national security.
Mitigation
In order to impose mitigation on a transaction, CFIUS participating agency(ies) must first justify in writing a finding of a national security risk and the measures reasonably necessary to mitigate the risk, and then CFIUS as a whole must agree that risk mitigation and the proposed measures are appropriate. CFIUS can impose mitigation measures only if provisions of law outside of the foreign investment statutes (50 U.S.C. § 4565, as amended) do not adequately address the risk. In some scenarios, for instance, export controls imposed by the International Traffic in Arms Regulations ("ITAR") or the Export Administration Regulations ("EAR") could adequately protect against the risk posed by a transaction. See 73 FR 74568 (Dec. 8, 2008).
Eleven percent of the Notices filed in 2021 involved mitigation measures, meaning that CFIUS determined other legal provisions were inadequate to address the risks presented by those transactions. The Annual Report does not detail why CFIUS deemed a particular sort of mitigation necessary (in some cases, the reason is classified) or how many times it imposed a given type of mitigation. But the measures described in the Annual Report taken in conjunction with the national security considerations outlined above give prospective parties hints regarding what might trigger a given measure, such as sensitive data concerns that are beyond the scope of export controls but which CFIUS might deem subject to exploitation in the absence of additional constraints.
- Many of the requirements are tied to safeguarding information, including prohibiting sharing intellectual property, trade secrets, and technical information, limiting access to authorized persons and limiting operations to within the United States, appointment of government-approved security personnel, requiring prior approval for visits by foreign nationals, and mandating independent audits.
- Other measures were imposed on government contractors, including requirements specific to handling existing and future contracts, assuring continuity of supply, limiting vendor options, and requiring prior notification before making certain business decisions or changing investor rights or ownership percentages.
- Some measures directly altered the substance of the transaction by excluding certain assets or requiring the foreign investor to divest all or part of a U.S. business being acquired.
CFIUS supervises and enforces mitigation through one or more monitoring agencies that assign designated personnel to conduct on-site compliance reviews, approve appointment of security or other personnel required by the mitigation measures, review and approve policies and procedures (such as visitor and data policies), and review reports from independent auditors.
Considerations for Future Transactions
Parties contemplating receiving or making a foreign investment can turn to the same authorities as and run similar analysis to CFIUS using those means to assess the Committee's likely response to a transaction. For instance, where a U.S. business holds sensitive personal data, it might consider how that data could be exploited, determine whether the data is the primary point of interest for a prospective investor or whether its collection is ancillary to the business's technology or infrastructure, then review and strengthen internal controls on access to and use of the data, and mutually agree with the prospective investor regarding the situations, if any, in which the investor might be permitted access to some or all of that data. Upon review, CFIUS might agree with the self-imposed limitations or request or require additional measures; whatever the Committee's reaction, the parties will be better situated to respond if they anticipated the aspects of the transaction on which CFIUS might focus.
In addition, parties who have not previously made any submissions to the Committee should review their history of transactions and plans for future investments, considering whether there is any transaction that might appear to pose a greater national security risk when regarded in the aggregate, or that would be more difficult to modify after the fact, using considerations like those as deciding factors for making voluntary filings.
Where parties to a covered transaction do not file and receive CFIUS approval, the Committee has the power to review the transaction long after it has been completed. This means, for instance, that CFIUS could review a non-notified transaction that closed in 2020 in light of E.O. 14083. It can be advantageous for parties to submit a proposed transaction for review by CFIUS at the time of the transaction rather than taking a chance on having to undergo CFIUS review at a later time when the regulations in force may be more demanding, or political situations (e.g., Russia and Ukraine) may increase the likelihood of mitigation or requirements to unwind a deal. In the event the parties choose not to file after consideration of all relevant information, careful analysis in light of known CFIUS trends and E.O. 14083, and documentation of that review could prove invaluable should CFIUS later inquire about the transaction.