On September 15, President Biden issued Executive Order 14083, using his authority under Section 721(f)(11) of the Defense Production Act of 1950 (the DPA) to identify additional national security factors that the Committee on Foreign Investment in the United States (CFIUS) should consider when evaluating foreign investments in U.S. businesses. The factors, also summarized in a White House fact sheet, include the following:

  • Effects on U.S. supply chains outside the defense industrial base (the DPA’s historic area of concern). Examples include manufacturing capabilities, services, critical minerals, or technologies relating to microelectronics, artificial intelligence, biotechnology, quantum computing, advanced clean energy, climate adaptation technologies, and—as a seeming concession to the annual Congressional efforts to make the U.S. Department of Agriculture a permanent member of CFIUS—agricultural industry elements relating to food security (Executive Order Section 2(a))

  • Effects on U.S. leadership in the technology areas identified above (Section 2(b))

  • Industry investment trends arising from multiple transactions in a particular sector. (Section 3(a))

  • Cybersecurity risks (Section 3(b))

  • Risk to the sensitive data of U.S. persons (Section 3(c)).

Arguably, the Executive Order simply expands or reiterates factors that are either already listed in DPA Section 721(f) or are already applied by CFIUS in practice under its discretionary authority under DPA Section 721(f)(11). Both the statutory risk factors and examples of additional factors already considered by CFIUS can be found on pages 40-42 of CFIUS’s Annual Report to Congress for 2021.

The Executive Order also directs CFIUS, when considering these factors, to consider not only the actual foreign investor, but third-party ties that may be used to exploit the foreign investment. Again, the Executive Order is merely creating a written foundation for the “guilt-by-association” analysis that is already part of many CFIUS cases.

Section 3(a) of the Executive Order, however, may create unwanted ripple effects by placing greater emphasis on the use of aggregate analysis. Under DPA Section 721(b)(1)(A), upon receipt of a filing, CFIUS:

  1. shall review the covered transaction to determine the effects of the transaction on the national security of the United States; and

  2. shall consider the factors specified in [DPA Section 721(f)] for such purpose, as appropriate. [emphasis added]

Subsection (i) establishes CFIUS’s longstanding (and oft-stated) practice of considering each transaction on its own merits. Subsection (ii) gives CFIUS discretion as to how it applies the DPA Section 721(f) risk factors.

Before the issuance of the Executive Order, CFIUS’s national security analysis focused on three elements:

  • Vulnerabilities: The nexus to U.S. national security of the U.S. business.

  • Threat: The capability and intent of the foreign investor, or someone capable of acting through the foreign investor, to exploit the vulnerabilities to the detriment of U.S. national security.

  • Consequences: The extent of the harm to U.S. national security if the vulnerabilities were to be exploited.

Under the discretionary risk factors provision of DPA Section 721(f)(11), CFIUS’s assessment of these elements has sometimes included the cumulative effects of individual transactions on industries. One example of the application of this approach is akin to the “boiling frog” metaphor; previous transactions may have reduced U.S.-based capabilities in a particular sector to such an extent that a transaction presently subject to CFIUS review would—if unconditionally cleared—eliminate the remaining U.S. capability in the area.

Aggregate analysis, previously used selectively by CFIUS, may be used more regularly in light of its inclusion in the Executive Order.

Logistically, this may make it even more difficult for CFIUS to conclude its assessments of short-form declarations and its reviews and investigations of full notices in a timely manner, especially if CFIUS has to call on the U.S. Department of Commerce to produce a sector analysis under Section 3(a)(iii).

Perhaps more importantly, Section 3(a) creates new issues of transparency that in turn will make it more difficult for parties to assess and allocate CFIUS-related transaction risks. Before entering into transactions, parties can conduct due diligence on each other and themselves and try (with some limitations) to assess the vulnerabilities and threats they bring to the table and to anticipate how CFIUS may view their transaction. This analysis may inform a transaction’s structure, pricing, or even its viability.  

What parties cannot reliably do, however, is identify the universe of other completed or pending transactions in the sector (or “related” sectors to be considered by CFIUS), whether CFIUS has reviewed or will review those transactions, or the outcomes of those CFIUS reviews. There are some exceptions; public companies, for example, may be required to disclose both their transactions and the status of CFIUS reviews, but even then, parties rarely disclose the nature of any CFIUS mitigation conditions that might be relevant to parties in a parallel transaction.

In addition to these “front-end” challenges created by Section 3(a), there may be occasional “back-end” issues as well.  For example, CFIUS sometimes sends the parties a warning that CFIUS has identified national security concerns arising from the foreign investment, is unable to identify acceptable mitigation conditions, and is prepared to make an adverse recommendation to the President. This “Ralls letter” (named for the 2014 decision requiring CFIUS to provide greater due process protections to the parties) is supposed to include the unclassified evidence supporting CFIUS’s conclusion.

But what is CFIUS to do when its decision is based on the cumulative effect of multiple transactions? CFIUS is subject to a strict confidentiality requirement, generally prohibiting the release of information provided by the parties to CFIUS. This requirement has been interpreted broadly by CFIUS to include a prohibition of disclosures that parties have even submitted a filing to CFIUS.  

Under this interpretation, can a Ralls letter identify the other CFIUS cases that contributed to CFIUS’s decision? The Ralls decision protects from disclosure only the classified information used by CFIUS—not unclassified information such as the existence of CFIUS filings—so arguably, the Ralls letter should identify the other transactions CFIUS took into consideration, whether they were filed with CFIUS or not.

To address these front-end and back-end concerns, CFIUS may need to rethink its interpretation of the confidentiality rule.  The general rule, found in DPA Section 721(c)(1), is that

[A]ny information or documentary material filed . . . pursuant to this section shall be exempt from disclosure under [the Freedom of Information Act], and no such information or documentary material may be made public.

Given the implications of Section 3(a) of the Executive Order described above, CFIUS may need to decide that (i) the identities of CFIUS filers do not fall within the scope of the confidentiality rule, even if the filings and other supplemental material provided to CFIUS do; and (ii) the outcomes of CFIUS cases do not qualify as information filed with CFIUS, and are therefore open to disclosure. Moreover, these disclosures should not wait for CFIUS’s annual report to Congress. Transactions within given sectors often occur in bunches, so to address the front-end concern in a timely manner, CFIUS filers and outcomes should be disclosed at the conclusion of each case.

Most transactions reviewed by CFIUS are not in the public domain, so this proposal would be a significant change, and could adversely affect the number of voluntary filings submitted to CFIUS.  This impact may be limited, however, in light of the advent of mandatory pre-closing CFIUS filings and CFIUS’s expanding use of its right to call in transactions for review even after closing. 

Though the new Executive Order was ostensibly intended to expand (or at least memorialize) the substantive scope of CFIUS reviews, it may have serious unintended consequences.  To implement Section 3(a) of the Executive Order in a manner that affords parties greater transparency so they can more accurately predict CFIUS risk in their dealmaking, CFIUS should also revisit its longstanding interpretation of the DPA confidentiality rule.