On September 15, 2022, President Biden signed an Executive Order 14083 (the “Order”), titled “Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States” (87 Fed. Reg. 57369). The Order does not expand the Committee on Foreign Investment in the United States’ (“CFIUS” or the “Committee”) authority or review abilities, but instead requires the Committee to consider certain criteria when reviewing the national security implications of a covered transactions (i.e., a transaction within its authority), and specifically identifies areas of concern for the Committee’s attention. For investors and U.S. businesses, the Order’s instructions to CFIUS provide important information about activities and areas that will raise heightened CFIUS risk and, for those transactions that fall within the stated areas of concern, parties should anticipate a filing with CFIUS. This alert provides a summary of the Order followed by diligence recommendations that parties should keep in mind in the context of assessing current CFIUS risks for prior or future covered transactions.

1. What the Executive Order Requires

Section 721(f) of the Defense Production Act, as amended, provides 11 enumerated factors that CFIUS “may . . . consider” when reviewing a covered transaction. The Order does three things: (a) it expands the scope of existing Section 721 factors; (b) it requires CFIUS to consider new factors; and (c) it implements a periodic reassessment of review criteria.

a. Expanded scope for existing review factors

Section 2 of the Order targets two existing factors in Section 721(f) and directs CFIUS to consider additional concepts, as appropriate, by “elaborating and expanding on the factors identified.” These additional concepts, and the existing factors elaborated upon, are as follows:

  • Section 721(f)(3) provides that CFIUS may consider the “the control of domestic industries and commercial activity by foreign citizens as it affects the capability and capacity of the United States to meet the requirements of national security.” Section 2(a) of the Order elaborates upon this factor, directing that CFIUS “shall” consider:
    • Supply chain resiliency within and outside of the defense industrial base in areas fundamental to national security, including:
      • advanced clean energy (such as battery storage and hydrogen)
      • artificial intelligence
      • biotechnology and biomanufacturing
      • climate adaptation technologies
      • critical materials (such as lithium and rare earth elements)
      • elements of the agriculture industrial base that have implications for food security
      • microelectronics
      • quantum computing
      • Other sectors identified in Executive Order 14017 (America’s Supply Chain, 86 Fed Reg. 11849), namely the energy sector industrial base, high-capacity batteries (including electric-vehicle batteries), information and communications technology industrial base, pharmaceuticals and active pharmaceutical ingredients, public health and biological preparedness industrial base, semiconductor manufacturing and advanced packaging, and the transportation industrial base.
    • Assess inputs to supply chains that might be (i) critical to U.S. supply chain resiliency; (ii) critical to the foreign person investor who presents a threat to national security; or (iii) critical to other foreign persons or foreign governments “to whom the foreign person has commercial, investment, non-economic, or other ties (relevant third-party ties) that might cause the transaction to pose a threat to national security.”
    • The United States’ current capability, alternative suppliers across the supply chain, and the degree of involvement of the foreign person who is party to the transaction and who presents a risk to national security (e.g., the concentration of ownership or control by the foreign person in a given supply chain).
  • Section 721(f)(5) provides that CFIUS may consider the “the potential effects of the proposed or pending transaction on United States international technological leadership in areas affecting United States national security.” Section 2(b) of the Order expands the scope of CFIUS’ review under this factor, directing that CFIUS “shall” consider the following:
    • The effect on technological leadership in the sectors and technologies listed in section 2(a), and as periodically updated lists of relevant technology sectors published by the White House’s Office of Science and Technology Policy.
    • Whether the foreign person has “third-party ties that might cause the transaction to pose [] a threat.”
    • If the covered transaction “could reasonably result in future advancements and applications in technology that could undermine national security.”

b. New review factors for consideration

In Section 3, the Order enumerates three new factors that CFIUS “shall consider” relating to aggregate industry investment trends, cybersecurity, and sensitive personal data.

  • Incremental investments. Section 3(a) directs CFIUS to examine a covered transaction’s effect on national security in light of aggregate industry investment trends rather than looking at the transaction in isolation. In this regard, the Order directs CFIUS to consider whether multiple foreign acquisitions or “incremental investments” over time have been made in a single or related sectors to assess the “cumulative effect” of the investments, noting that this context may reveal national security risks that are not otherwise apparent.
  • Cybersecurity risks. Section 3(b) requires CFIUS to review a covered transaction’s cybersecurity risks. CFIUS will consider whether a transaction will provide a foreign person with direct or indirect access to capabilities or information databases and systems on which a threat actor could engage in malicious cyber-enabled activities. These activities include undermining the protection or integrity of sensitive data; interfering with U.S. elections, critical infrastructure, the defense industrial base or other national security priorities; and sabotaging critical energy infrastructure.
  • U.S. persons’ sensitive data. Section 3(c) direct CFIUS to consider the national security concerns surrounding access to U.S. persons’ sensitive data. Sensitive data includes health, digital identity, other biological, identifiable, or de-anonymized data that could be exploited to distinguish or trace an individual’s identity in a manner that threatens national security. The Order specifically flags large data sets that advances in technology can permit a foreign person to de-anonymize what once was unidentifiable data. CFIUS is also directed to consider whether the business has access to data on U.S. sub-populations that a foreign person could use to target individuals or groups in manners that threatens national security.

c. Periodic reassessment of considerations

Lastly, Section 4 of the Order requires CFIUS to regularly review its processes, practices, and regulations to implement updates needed to respond to evolving national security risks. Periodically CFIUS will provide to the Assistant to the President for National Security Affairs a review of these results and any resulting policy recommendations.

2. Enhanced CFIUS Assessments

As noted above, the Order does not expand CFIUS’s authority. Under Section 721(f), CFIUS was already empowered to evaluate any “other factors . . . [it] may determine to be appropriate” in the context of a review. Instead, the Order directs CFIUS to consider specific general concerns, highlighting specific areas that should immediately receive attention. These areas should be used by parties to enhance their CFIUS diligence, either to assess or re-assess the CFIUS risks associated with prior or future covered transaction. As stated in the Order, these areas are as follows:

  • Advanced clean energy (such as battery storage and hydrogen)
  • Access to personal data, including big data businesses, data on persons’ health, digital identity, or other biological data
  • Artificial intelligence
  • Biotechnology and biomanufacturing
  • Climate adaptation technologies
  • Critical materials (such as lithium and rare earth elements)
  • Elements of the agriculture industrial base that have implications for food security
  • Energy industrial base
  • High-capacity batteries (including electric-vehicle batteries)
  • Information and communications technology industrial base (including integrity of data in storage or databases or systems housing sensitive data)
  • Microelectronics
  • Pharmaceuticals and active pharmaceutical ingredients
  • Public health and biological preparedness industrial base
  • Quantum computing
  • Semiconductor manufacturing and advanced packaging
  • Transportation industrial base

The Order highlights that diligence cannot be limited to just a transaction but must take into account broader market conditions (e.g., market concentrations, U.S. supply options, foreign person relationships) and market trends (e.g., recent acquisitions by other participants, changes in ownership). These considerations highlight the dynamic nature of CFIUS’s review. That is, a transaction that might have presented minimal issues at the time of closing could, today, present serious concerns as a result of aggregate industry investment trends.

Clearly, future transactions in these areas involving foreign persons should incorporate a CFIUS assessment at an early stage in the deal timeline and, if a mandatory filing is not triggered, strongly consider a voluntary filing. Given the national security sensitivities in these areas, the risks of not filing with CFIUS will be substantial.

However, diligence should not be limited to prospective deals. CFIUS has authority over any covered transaction, even after closing. Its authority remains until the covered transaction is reviewed by and subsequently cleared by CFIUS (what is commonly referred to as the CFIUS safe harbor). Only a minority of covered transactions are subject to mandatory filing requirements, while the majority of covered transactions have the option to voluntarily notify CFIUS. Thus, any foreign person investor or U.S. business that has completed transactions in these areas of concern, and did not already clear the transactions with CFIUS, should reassess their CFIUS risks today and consider a post-closing voluntary filing to CFIUS.

As a result of recent legislation, CFIUS and its member agencies have the resources to monitor “unnotified” transactions (i.e., those covered transactions that did not voluntarily file with CFIUS) and parties in these areas may be contacted by CFIUS, if they have not already.