The Executive Order defining additional national security factors for CFIUS to consider when evaluating transactions has been published. Important stuff, but it’s not yet clear to me why its contents weren’t better suited for promulgation by the Committee as formal guidance or regulatory revisions, or by the Treasury Secretary as the chair of the Committee.
A few quick/hot takes (the E.O. needs further study, so my comments below are subject to revision):
– Much of it feels like an essay about national security risks from FDI–nothing groundbreaking. Some of it states the patently obvious (e.g., “it is important for the United States to ensure that foreign investment in United States businesses does not erode United States cybersecurity,” or “what may otherwise appear to be an economic transaction undertaken for commercial purposes may actually present an unacceptable risk”). Other parts are simply tautologies (“it is important to national security that the Committee continues to assess the effect of foreign investment on domestic capacity to meet national security requirements”).
– An unsurprising emphasis on supply chains, given the last few years. (CFIUS has been responding to supply chain integrity and resilience risks for *many* years.) Mentions the term roughly 20 times throughout, and explicitly ties the earlier supply chain E.O. 14017 into CFIUS. (Something many observers had already taken as an implicit tie-in.)
– National security risks relating to sensitive data are called out almost immediately, early in Sec. 1. (Sensitive data is not a novel national security risk; it was an important focus of FIRRMA and the implementing regs. And, CFIUS has been tackling data risks for quite some time, increasingly so over the past five years… see, e.g., TikTok, Grindr, StayNTouch …)
– An unsurprising emphasis on cybersecurity and the growing national security threat in the FDI context. (Nor is it novel to the Committee’s risk analyses.)
– An unsurprising discussion of “third-party” risk. (Again, consideration of a foreign investor’s other relationships/suppliers/customers/etc. has been baked into CFIUS for some time.)
– In “elaborating” on the contextual factors for consideration, the E.O. uses the word “shall” throughout. Contrast that with the statutory list of factors in subsection 721(f), which are preceded by “may.” Am curious how CFIUS will put these “shall’s” into practice in its work product/risk-based analyses.
– Last one, raises a little concern on a first read: the E.O. uses “might,” “could,” and “may”—all verbs of possibility—altogether more than 100 times to elaborate on the contextual factors and risks. I get what the President’s saying, but is there a danger that the layering of all these might’s and could’s creates a yardstick where, rather than meeting the statutory standard of “credible evidence,” the government believes it need only articulate a hypothetical in order to have the authority to act?