Executive Order Directs CFIUS to Conduct Broad National Security Analysis

On September 15, 2022, President Biden signed Executive Order 14083 (EO 14083), which provides guidance on how the Committee on Foreign Investment in the United States (CFIUS) and transaction parties should examine national security risks associated with any given transaction. EO 14083 does not change the scope of CFIUS jurisdiction, impose new or different mandatory filing requirements, or break new ground on how CFIUS can or should conduct its examinations. EO 14083 is instead significant in highlighting particular points of emphasis. The general theme of EO 14083 is that CFIUS should not examine transactions in isolation but should instead consider individual transactions in the context of broader trends; broader policy concerns regarding the protections of supply chains, technology, and data; and the interrelationships of the foreign investor with foreign third parties.

The EO 14083 background press call is linked here, a White House fact sheet summarizing EO 14083 is linked here, and Treasury Secretary Janet Yellen’s statement is linked here. Below, we highlight the primary takeaways and a key takeaway from EO 14083:

• The Importance of the U.S. Business to U.S. Supply Chains Will Be a Critical Consideration for CFIUS: The U.S. Government is intensely focused on protecting the health and resiliency of its supply chains and domestic manufacturing capacity, including but not limited to, supply chains that are part of the defense industrial base, which consists of more than 100,000 defense companies and their subcontractors. EO 14083 emphasizes the importance of U.S. supply chains that are fundamental to national security, including those relating to sensitive technologies, critical minerals, food, and energy. While these areas of sensitivity are not new, EO 14083 sends a clear message to parties that CFIUS will consider investments in these areas to be potential vulnerabilities that it will want to review.
• The List of Sensitive Technologies Will Continue to Grow: Existing CFIUS regulations emphasize the sensitivity of “critical technologies,” which essentially are technologies that are subject to export control restrictions under the Export Administration Regulations, the International Traffic in Arms Regulations, and other regulatory regimes dealing with, e.g., select agents and toxins, or nuclear-related equipment and materials. Those technologies will remain sensitive, and the new EO does not modify the definition of critical technologies or the scope of mandatory CFIUS filing requirements in connections with investments in business that develop or manufacture such technologies. However, EO 14083 identifies the following sectors as “fundamental to national security”: microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy (such as battery storage and hydrogen), climate adaptation technologies, critical materials (such as lithium and rare earth elements), and “elements of the agriculture industrial base that have implications for food security.” EO 14083 directs the Office of Science and Technology Policy to periodically publish a list of sensitive technology sectors. When foreign investors invest in U.S. companies that develop or manufacture such technologies, they should expect that CFIUS will take a particular interest in the transaction.
• Economic Context Is Important: EO 14083 directs CFIUS to consider transactions in the context of broader investment trends. CFIUS will consider whether the foreign investor may be making incremental acquisitions that in the aggregate could provide the foreign investor access to important technologies. CFIUS will also consider, for example, the foreign investor’s aggregate presence in U.S. supply chains or in sensitive sectors. In furtherance of this policy, CFIUS may request that the Department of Commerce’s International Trade Administration analyze investment trends in a given sector or industry.¹   As a result, when submitting CFIUS filings, it would be prudent for parties to explain how their transaction fits within the context of broader industry trends.
• Cybersecurity Risks Remain a Priority: EO 14083 directs CFIUS to focus on cybersecurity risks, and whether the U.S. business that is the target of an investment presents vulnerabilities that could be exploited, for example, to affect the outcome of elections, disrupt critical infrastructure or the health and resiliency of the defense industrial base, or compromise communications.
• Parties Should Understand When and How Anonymized Personal Data Can Be De-Anonymized: Current CFIUS regulations identify several categories of “identifiable” personal data that are deemed to be particularly sensitive. If a U.S. business collects or maintains such data, then (depending on the nature and quantity of such data) foreign investments in such businesses may result in expanded CFIUS jurisdiction, and, in some cases involving foreign government-invested entities, mandatory filings. The regulations treat data as identifiable data “if any party to the transaction has, or as a result of the transaction will have, the ability to disaggregate or de-anonymize the data, or if the data is otherwise capable of being used to distinguish or trace an individual's identity.” EO 14083 emphasizes that “advances in technology, combined with access to large data sets, increasingly enable the re‑identification or de‑anonymization of what once was unidentifiable data.” Parties should therefore expect that CFIUS will consider whether access to data sets that might appear anonymized can, in fact, be de-anonymized when combined with other information or technologies that might be available to the foreign investor.
• Be Cognizant of Third-Party Ties: EO 14083 emphasizes the importance of considering a transaction party’s “relevant third-party ties,” i.e., ties to a “foreign persons, including foreign governments, to whom the foreign person has commercial, investment, non-economic, or other ties (relevant third-party ties) that might cause the transaction to pose an elevated threat to national security.” CFIUS is directed to examine risks that might arise from, e.g., transferring manufacturing capabilities to such third parties, sharing technology or personal data with such parties, the involvement of such third parties in supply chains, incremental or multiple investments by such third parties in technologies or supply chains, or access of such third parties to databases or systems that present cybersecurity threats to databases of personal information.

The Key Takeaway

Much of the guidance in EO 14083 is not new. The general concepts are familiar and unsurprising. However, EO 14083 provides helpful insight into how CFIUS will conduct its examination of individual transactions and how parties should frame their arguments to CFIUS. That analysis should not focus on the transaction in isolation but should instead place the transaction in the context of broader industry, economic, and policy trends.

For years, CFIUS has required parties to address certain standard questions related to, for example, the commercial rationale for a transaction, the target’s market share, the target’s cybersecurity policy, and the like. Oftentimes, parties have provided brief, summary responses to such questions. In light of EO 14083, those questions may assume greater importance and may require greater attention and focus when preparing future CFIUS filings.

¹ Note that, while EO 14083 does not discuss the BE-13 Survey of New Foreign Direct Investment in the United States that the Department of Commerce, Bureau of Economic Analysis conducts, it is possible that there will be an increased focus on reaching out to U.S. companies to comply with requirements to submit Form BE-13 filings in connection with new foreign investments. That information may be helpful in assessing overall investment trends.