Tracking Trends in CFIUS Review Process Based on Recently Released 2015 Annual Report
Last month, the Committee on Foreign Investment in the United States (“CFIUS”) released its annual report to Congress for 2015 (the “2015 Annual Report”) and its cumulative table summarizing foreign investment activity from 2014 through 2016 (the “Cumulative Summary Table”). These documents reflect a substantial increase in the number of CFIUS filings in recent years and an increase in the percentage of CFIUS Notices that have been subject to an investigation process. The Report also reflects a new focus at CFIUS on the national security risks associated with data breaches affecting U.S. citizens’ personal information.
CFIUS is an interagency committee authorized by statute to review investments that could result in foreign control of a U.S. business that impacts U.S. national security. Parties to a transaction potentially subject to CFIUS review generally file a voluntary Notice. CFIUS takes 30 days to review the Notice, then conducts an additional 45-day investigation if necessary. The parties to the transaction must cooperate with CFIUS to conclude the investigation and institute any mitigation measures necessary to protect U.S. national security. If the parties and CFIUS cannot agree or adequate mitigation measures cannot be instituted, the Notice may be withdrawn and the transaction reworked or abandoned, or CFIUS may recommend to the President that the transaction be blocked. Only four transactions have been blocked or unwound by Presidential fiat in the history of CFIUS – two of those within the last year by Presidents Obama and Trump.
CFIUS By the Numbers
According to the 2015 Annual Report, there has been a general upward trend in the number of Notices filed since 2009, although the industries and foreign-investor countries most frequently represented have remained fairly consistent. In 2015, 143 Notices were filed. Consistent with past years, roughly 75% of those Notices involved the manufacturing or finance, information, and services sectors, with computer/electronics manufacturing and professional/technical services being the most frequently represented subsectors. Investment from China has been more heavily represented than investment from any other country since at least 2013. In 2015, over 51% of the filed Notices (74 out of 143) involved Chinese investment.
There was an uptick in the percentage of Notices subject to an investigation period between 2014 and 2015 (from 35% to 46%), although the number of Notices withdrawn during the investigation period stayed about the same.
The Cumulative Summary Table, which includes data from 2016, reveals that the total number of filed Notices increased dramatically over the last year, from 143 in 2015 to 172 in 2016. The number of investigations also increased (from 66 to 79), as did the number of Notices that were withdrawn and refiled – an action often requested by CFIUS when it needs additional time to investigate a transaction. The number of Notices withdrawn or rejected for any reason also increased between 2015 and 2016, and one transaction in 2016 was blocked by President Obama – the acquisition of semiconductor company Aixtron SE by Chinese investor Fujian Grand Chip Investment Fund LP. We note that another transaction has been blocked since this data was compiled. On September 13, 2017, President Trump blocked the acquisition of Lattice Semiconductor Corporation by Canyon Bridge Capital Partners.
Notably, in the 2015 Annual Report CFIUS also added a factor to its list of considerations when reviewing a transaction for potential national security risks. CFIUS now looks for foreign acquisition of U.S. businesses that “hold substantial pools of potentially sensitive data about U.S. persons and businesses.” In other words, CFIUS is now viewing the potential for data breaches impacting U.S. citizens and businesses as a national security risk. Consistent with this change in formal policy, CFIUS has recently been issuing questions to parties during the review and investigation periods concerning the U.S. target business’s access to customer data and the acquiring business’s cybersecurity plan.
Observers of the CFIUS process can glean several lessons from the 2015 Annual Report and Cumulative Summary Table.
CFIUS is extremely busy. The Report and Table indicate that the number of transactions notified to CFIUS continues to increase, as does the number of investigation periods – meaning that more of the notified transactions require further time and more labor-intensive analysis to resolve. CFIUS is also taking new data-security factors into account in its reviews, which means more information for CFIUS staff to process and analyze. Parties to a transaction put before CFIUS can expect the process to take longer than it has in the past, and should plan the closing date of their transaction accordingly.
Transactions are subject to increased scrutiny. The greater percentage of transactions sent into an investigation period may simply be a function of CFIUS being busy, as discussed above, and therefore unable to process many transactions during their initial 30-day review periods. However, anecdotal evidence and recent experience suggest that CFIUS is in fact engaging in more in-depth investigation of transactions, at least in certain industries or involving certain foreign countries. In particular, transactions in technology-heavy sectors and transactions involving investment by China seem to be receiving increased scrutiny. (It is notable that the two transactions rejected by Presidential Order in the last year – one by President Obama and one by President Trump – both involved Chinese investment in the semiconductor industry). Parties to a transaction involving manufacture of potentially sensitive technologies, provision of potentially sensitive technology-related services, or Chinese investment should plan for more questions than CFIUS may have posed in the past and a longer investigation period.
Data security is now a national security issue. As discussed above, CFIUS has formally enshrined the security of U.S. citizens’ and businesses’ data, including personal identifier information (“PII”), as a national security concern to be weighed in any CFIUS analysis. Parties to a transaction involving a U.S. target that holds substantial amounts of sensitive customer data, including targets in the health care, insurance, or financial sectors, should plan for a more extensive investigation than CFIUS would likely have conducted in the past.
 See Section 721 of the Defense Production Act of 1950, as amended by the Foreign Investment and National Security Act of 2007, 50 U.S.C. § 4565.