The event featured speakers from across the US Government who provided insights on CFIUS authorities, priorities, processes and recommended best practices. US Government officials also emphasized the United States’ commitment to encouraging foreign investment while balancing national security concerns in a manner that does not unduly burden businesses.
On June 16, the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) hosted its 2022 Inaugural CFIUS Conference. The conference was led by the US Department of the Treasury, which chairs CFIUS. Speakers included representatives from the Departments of Treasury, Defense, Health and Human Services, Homeland Security, Justice, Commerce and State, as well as the Offices of the Director of National Intelligence, US Trade Representative and Science and Technology Policy, and a member of the Delegation of the European Union to the United States.
Speakers discussed various issues facing CFIUS, provided insight into CFIUS processes, and opined on best practices businesses can adopt to avoid unnecessary complications. Specifically, panels discussed best practices for undergoing CFIUS review, the evolving national security landscape (with a dedicated panel focusing on data-related national security concerns) and CFIUS’s engagement with international counterparts. Individual speakers from key CFIUS offices also shed light on CFIUS compliance and enforcement, the pandemic’s effects on national security and the expansion of CFIUS’s internal resources and processes over the last several years since the enactment of the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”). Below is our summary of the main themes and takeaways from the conference.
CFIUS’s View of the Evolving Risk Landscape
Much of the event focused on the national security risks perceived by the government. Each of the nine agencies that serve on the Committee—and other participants as warranted—has unique concerns that guide its risk analysis and ultimate conclusion regarding a given transaction. For example, the Department of Defense focuses primarily on protecting the Defense Industrial Base by securing its supply chain, protecting technologies, and ensuring that the integrity of the products it uses is not compromised. By contrast, the Department of Homeland Security focuses its efforts on cybersecurity and protecting critical infrastructure (such as communications and supply chain-related infrastructure), and Health and Human Services (which is not a CFIUS member agency but can be appointed on a case-by-case basis for reviews when appropriate) focuses on protecting Americans’ health information. The speakers consistently pointed out, however, that perceived risks rarely fall into specific silos despite the general equities of individual member agencies. CFIUS officials noted that the Committee takes a holistic approach in assessing national security risks, including considering how that risk might evolve over time—especially since CFIUS generally has only one opportunity to assess a transaction.
Consistent with FIRRMA’s emphasis on sensitive personal data as an area of heightened CFIUS authority, one of the four panel sessions was dedicated to discussing key concerns with respect to sensitive data—underscoring its growing significance as a national security consideration. CFIUS officials explained there are many novel and unique ways US adversaries can exploit data to threaten US national security. In their discussion of sensitive data, government representatives specifically provided the example of video game data, which can be used to predict behavioral trends in a population and is already being used by game developers to tailor new products. The government panelists warned that video game data could also be used by ill-intentioned state actors to influence the population, such as during an election. Genomic and medical data were also given as examples of data that create specific vulnerabilities that could allow US adversaries to target an attack on specific individuals. We expect the Committee to continue to heavily scrutinize transactions involving sensitive data in the foreseeable future, both in its review of transactions notified to it, and in its heightened focus on identifying non-notified transactions (see our discussion of CFIUS’s ramped-up efforts at calling in non-notified transactions here).
Mitigation and Enforcement
A common theme of the conference was CFIUS's focus on the enforcement of mitigation agreements and the likelihood of an increase in the number of site visits in the future, especially as the COVID-19 pandemic appears to subside. Although CFIUS's primary goal is to prevent breaches from occurring, the Committee recognizes that violations may occur—often unintentionally. Speakers highlighted the importance of self-reporting such breaches, so that companies can work with CFIUS to quickly remediate the breach and mitigate any effects. In determining whether to take an enforcement action against a breaching party, the Committee considers, among other things, whether the violation was self-reported, the expediency of the notice to the Committee, whether any remedial actions were taken and whether the violation is part of a systemic corporate culture of poor compliance. So far, CFIUS has not taken many enforcement actions for violations of mitigation agreements or conditions—for example, to date, CFIUS has announced two penalty actions, one in 2018 and one in 2019—though enforcement is generally expected to increase in the coming years.
Strategy and Best Practices Recommendations
Since FIRRMA introduced the short-form declaration filing option (as we discussed here when FIRRMA was implemented in 2020), selecting the form of CFIUS filing is now a strategic decision parties must consider. Declarations, which also have a shorter assessment period than a traditional notice, quickly became popular as an efficient and more cost-effective filing approach for certain transactions that appear low risk. During the conference, CFIUS previewed its upcoming annual report covering 2021 data (which is expected to be released in the near term) by noting that declarations increased again last year and 73% of declarations were cleared, indicating that both CFIUS and transaction parties are improving in their effective use of the declaration process. Conference speakers shared their views on how best to navigate this decision process, which—consistent with the typical CFIUS risk analysis approach—focused on being mindful of the particular risks that may be posed by the investor (taking into account, for example, its country of origin) and potential sensitivities relating to the US business (e.g., sensitive technologies).
An overarching theme from CFIUS officials at the conference was the importance of parties working with, rather than against, the Committee. CFIUS officials stated that the Committee views parties as empowered participants in the process that can assist the Committee in resolving national security concerns, including when needed with measures that adequately address identified risks without unnecessarily impeding the parties' businesses.
Considerations Going Forward
While not the topic of any major session, we identified several underlying themes to help transacting parties predict what lies ahead for CFIUS. Notably, CFIUS dynamics are continuing to evolve and can cause uncertainty around transactions. This includes CFIUS continuing to try to adapt based on the changing risk landscape—including as national security issues may arise in new areas or change. At least one speaker described the Committee's intention to amend its regulations more frequently to ensure they are working appropriately over time. It was also clear—not surprisingly—that CFIUS will continue to actively look for non-notified transactions of interest, which CFIUS officials said is a necessary check on the process since most CFIUS reviews are voluntary.
The Committee also intends to continue expanding its international partnerships. Despite FIRRMA allowing government-to-government sharing of information, CFIUS officials clarified that it is rare that CFIUS will share information on individual transactions—in part due to strict confidentiality rules. CFIUS does, however, coordinate more generally with other countries on foreign investment review matters, including training allies on screening risks and sharing information on general trends. As more nations implement foreign direct investment ("FDI") screening mechanisms, we expect CFIUS will be a major player in these developments and many will look to CFIUS as a model.
Finally, government officials emphasized throughout the conference that CFIUS remains committed to making the United States a top destination for foreign investment. They also said the Committee intends to become more efficient as it learns over time. The Committee recognizes the importance of globalizing the US economy and, especially as we emerge from a deadly pandemic, the need to develop medicines and other critical technology that allow the US to recover from a position of strength. Notwithstanding the fact that US policy encourages foreign direct investment (which was unchanged with FIRRMA), it is clear that CFIUS takes its national security mission very seriously and will not hesitate to act where it has concerns. Given the evolving CFIUS landscape—including increased aggressiveness from CFIUS in recent years—parties should work closely with counsel to identify and anticipate potential CFIUS risks and most effectively manage CFIUS considerations for their deals.
Brittany Henderson (Associate, White & Case LLP, Washington, DC) and Michael Crowley (Law Clerk, White & Case LLP, Washington, DC) co-authored this publication.
© 2022 White & Case LLP