The EO builds on previous government executive orders that raised concerns about Chinese investment and espionage and supply chain vulnerabilities.1, 2 CFIUS is often seen as a “black box” and this EO is designed to provide more clarity to businesses.
The EO instructs the CFIUS to consider five specific groups of factors:
- The impact of a particular transaction on the resilience of critical U.S. supply chains that may have national security implications, including those off-base of the defense industry
- The impact of a particular transaction on U.S. technological leadership in areas affecting U.S. national security, including but not limited to microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate change adaptation technologies
- Industry investment trends that may impact the U.S. national security implications of a particular transaction
- Cybersecurity risks that threaten to compromise national security
- Risks to Sensitive Data of US Persons
The EO promotes the goals of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) to make CFIUS more responsive to emerging national security risks. Following the implementation of FIRRMA, CFIUS reviewed a record number of covered transactions in 2021, including 272 notices, 164 statements and 130 investigations.3 You can find more information about FIRRMA here.
Analysis of the five factors
- Critical US supply chain resilience. The EO states that CFIUS should examine the impact of a transaction on supply chains, including those outside of the defense industry base. The EO identifies concerns about transactions that involve a transfer of ownership, rights or control over critical minerals, production capacity and services.
- Effect on the technology leadership of the USA. Supply chains may be considered “vulnerable” if they are not sufficiently diversified with alternative suppliers, are not located in the US or an ally, or ownership is concentrated. In particular, the EO mentions that CFIUS should consider “non-economic or other ties (relevant ties with third parties)” when considering the risks posed by a transaction.
The EO specifies industries that CFIUS should focus on to underpin US technological leadership in areas affecting national security. It identifies the following industries as technologies critical to national security:
- Artificial intelligence
- biotechnology and biomanufacturing
- quantum computing
- Advanced clean energy (like battery storage and hydrogen)
- Technologies for climate adaptation
- Critical materials (such as lithium and rare earth elements)
- Elements of the industrial base of agriculture that have an impact on food security
- Other technologies are to be identified in the future by the White House Office of Science and Technology Policy
- Industry investment trends and US national security. More technology sectors are expected to be identified in the future. The EO instructs CFIUS to examine trends within a given sector, particularly with regard to technology transfer. Going forward, CFIUS will consider not only the significance of a transaction related to solar exposure, but also the risk associated with “multiple acquisitions or investments” in a sector.
- Cyber Security Risks. The EO also requires a careful assessment of the cybersecurity and privacy risks related to the observed strategy of foreign adversaries to gain access to sensitive data and technology. Transactions involving investments by foreign persons both able and intent to engage in cyber intruders, cyber attacks and other malicious activities require an assessment of whether such foreign persons (or related third parties) may have access, to carry out such activities. In addition, the cybersecurity posture, practices, capabilities and access of all parties to the transaction should also be considered as part of any CFIUS analysis.
- Sensitive Information of US Persons. Similarly, transactions that allow access to large datasets of sensitive US person data will come under scrutiny for privacy risks as foreign adversaries use advanced technologies to de-anonymize formerly unidentifiable personal data. The EO clarifies that such transactions must include an assessment of whether the foreign investor or parties with which the foreign investor has connections have attempted or are able to use such personal information to the detriment of national security, whether through commercial or other purposes. Taken together, these factors should be read in conjunction with the national security factors already established in the CFIUS Statute, bearing in mind that the factors are intended for purposes of illustration and that CFIUS may consider any national security risk arising from a transaction within its statutory jurisdiction .
Transaction parties should consider the following practical steps to address these cybersecurity and privacy concerns:
- Analyze policies and procedures from all parties involved and interview security officials to fully understand and validate how cybersecurity controls work in practice
- Compare and align technical and administrative protections against global cybersecurity standards such as ISO 27001 and/or NIST 800-171/171a
- Conduct a comprehensive review of data assets and identify controlled/regulated data types, such as B. Controlled Unclassified Information (CUI) or International Arms Traffic Regulations (ITAR) data.
- Consider migrating regulated data to a highly secure environment
- Confirm that critical/export controlled technology, intellectual property and trade secrets are adequately protected
- Implement additional monitoring and auditing capabilities for CFIUS-related reporting related to these five factors
1 Executive Order 14034, Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries June 09, 2021: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/09/executive-order-on- protect-americans-sensitive-data-from-foreign-adversaries/
2 Executive Order 14017, Executive Order on America’s Supply Chains, February 24, 2021: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/02/24/executive-order-on-americas-supply- chains/
3 CFIUS Public Annual Report to Congress CY 2021: https://home.treasury.gov/system/files/206/CFIUS-Public-AnnualReporttoCongressCY2021.pdf