Client Alert

Proposed CFIUS Overhaul Focuses on Cybersecurity and High-Tech Sectors

14 Nov 2017

Recently proposed legislation would substantially overhaul current law governing the Committee on Foreign Investment in the United States (CFIUS) by dramatically expanding CFIUS’ authorities and calling for CFIUS to take cybersecurity and information security into account when authorizing foreign investments in U.S. businesses.

Cybersecurity Concerns

The proposed legislation would substantially broaden CFIUS’ focus and strengthen its enforcement capabilities.  In particular, the legislation would place a heavy emphasis on cybersecurity and information security concerns:

  • CFIUS would be required to evaluate whether any covered transaction is likely to create or exacerbate any cybersecurity vulnerabilities in the United States. 
  • CFIUS would also have to consider whether a transaction could expose personally identifiable information or other sensitive data of U.S. persons to a foreign government or foreign person in a manner that could threaten national security. 
  • Given the vast extent to which both emerging and established U.S. businesses’ technologies (whether in ecommerce, data analytics, personal health care, gaming/entertainment, finance, or other sectors) currently involve access to, and use or analysis of, such data of U.S. persons, the impact of this requirement on proposed investments and acquisitions is likely to be profound.
  • CFIUS would have to assess whether the transaction could allow a foreign government to gain new capabilities to engage in malicious cyber-enabled activities against the United States, “including such activities designed to affect the outcome of any election for Federal office.”

Expansion of CFIUS Jurisdiction

The legislation would also expand CFIUS’ jurisdiction in other high-tech sectors.  In particular: 

  • CFIUS would have authority to review certain transactions involving “critical technologies”—a term that would be updated to include “emerging technologies” that could be essential for the United States to maintain or gain a technical advantage against rival “countries of special concern.”  As a result, any foreign investment in a company that develops “critical technologies” would presumptively be covered by CFIUS, unless the investment is passive. 
  • In a significant new development, CFIUS would further have the authority to review any contribution by a U.S. “critical technology company” of its intellectual property (along with associated support) to a foreign company, including through an arrangement such as a joint venture.
  • Similar rules would apply in “critical infrastructure” industries, a term defined to include various systems and assets that are vital to national security.  The Department of Homeland Security has designated 16 different critical infrastructure sectors, ranging from manufacturing to electrical grids to the financial services sector.  Accordingly, any foreign investment in a critical infrastructure company would presumptively be covered by CFIUS, unless the investment is passive.
  • For an investment to be considered “passive,” it cannot give the foreign person any membership—or (notably) even observer rights—on the target company’s board or any involvement (other than through voting of shares) in substantive decision-making. 
  • A “passive” foreign investor also cannot be permitted to access any “non-public technical information” belonging to the U.S. business, or any other information that is not available to all investors in the U.S. business.


Other measures would strengthen CFIUS’s overall enforcement authorities:

  • The new enforcement mechanisms would be funded by CFIUS’s ability to charge companies fees for processing transactions.  The law would give wide latitude to set those fees, at a maximum of 1% of the total transaction value or $300,000, whichever is less.  The various agencies that make up CFIUS would also be given special hiring authority.
  • CFIUS review would be required in certain circumstances if the foreign investor is partially owned by a foreign government.  Specifically, notice would be required if (1) the transaction involves a foreign person’s acquisition of a 25% or greater voting interest in a U.S. business, and (2) the foreign acquirer is at least 25% owned by a foreign government.
  • CFIUS would also be empowered to write regulations requiring that other types of covered transactions be submitted for review.
  • CFIUS could suspend a proposed or pending covered transaction that poses a risk to national security for the duration of the investigation process, in which case the parties would not be able to close the transaction while CFIUS’ review is pending.
  • Notably, CFIUS could designate a country as a “country of special concern” if it “poses a significant threat to the national security interests of the United States.”  In evaluating covered transactions, CFIUS would have to consider (among other factors) whether the transaction could give an industrial or technological advantage to a country of special concern, and whether the transaction involves a country of special concern that has a strategic goal of “acquiring a type of critical technology” possessed by the target company.
  • The law would empower the president not only to suspend or prohibit a transaction, but to “take any additional action the President considers appropriate” to address the national security risk identified during the review of the transaction.
  • The law sets out detailed requirements for mitigation plans, including that they must specify enforcement mechanisms.  If the parties have agreed to use any kind of third-party monitor, the monitor cannot owe a fiduciary duty to any party to the transaction.

Process Revisions

The legislation substantially revises the CFIUS filing and review process.  Some of these revisions could potentially benefit businesses:

  • Most significantly, parties could submit a declaration with only “basic information” for certain types of transactions.
  • CFIUS could “white-list” certain countries so that transactions in which the foreign party is a person or business in that country would not need to be approved by CFIUS.
  • A party to a transaction can initiate judicial review proceedings based on constitutional claims.  But only constitutional claims could be heard, leaving it unclear whether parties could contend that CFIUS or the president has acted outside of the statute’s scope.
  • The U.S. Court of Appeals for the D.C. Circuit would have exclusive jurisdiction to hear such claims.  However, the court’s only options would be to affirm any actions taken by CFIUS or the president, or to remand the case to CFIUS for further consideration.  The U.S. government would be allowed to submit ex parte, in camera materials to the court, including any classified information. 

It is premature at this stage to predict what the bill’s prospects are for becoming law and when.  But given the lineup of bipartisan co-sponsors and statements by several Trump administration officials, including Treasury Secretary Steven Mnuchin, that the CFIUS process needs to be strengthened, this legislation will certainly be worth monitoring carefully as the 2017 legislative session begins to draw to a close.


