CFIUS Executive Order pushes to screen supply chain risk and other factors in foreign investments

The Biden Administration’s new Executive Order (E.O) signed on September 15, 2022, is an initiative directed at the Committee on Foreign Investments in the United States (CFIUS) to better protect the nation’s critical industries from unwarranted security risks. In its establishment, the order aims to direct U.S. businesses and investors to cover and minimize risks that have been proven to be recent and evolving concerns to U.S. national security. The order formulates five key risk factors that the CFIUS needs to consider when reviewing foreign investments or acquisitions.

The five risks considered are as follows:

1)    Impact on Critical Supply Chains
Transactions have various effects on the resiliency of U.S. supply chains that may have national security implications. Therefore, considerations to foreign transactions include:

1. How diverse alternative suppliers across the supply chain are considered, including suppliers based in partner countries
2. What the supply relationships of parties involved are with the U.S. government
3. How much control foreign persons or foreign investors have within the supply chain

2)    Resilient Technological Leadership
Specific sectors that the E.O. covers include those that are vital to U.S. technological leadership, such as:

1. Microelectronics
2. Artificial Intelligence (AI)
3. Biotechnology and biomanufacturing
4. Quantum computing
5. Advanced clean energy
6. Climate adaptation technologies
7. Agricultural industries

· Pursuant to the E.O., CFIUS is required to understand if the foreign transactions could reasonably result in future advancements or adaptations that could weaken U.S. national security.

· Additionally, further consideration is required on whether the foreign investors are tied to third parties that pose a threat to U.S. national security.
a. To inform the Committee’s decision-making on these considerations, the E.O. requires the White House Office of Science and Technology to publish periodicals assessing the technology sectors that are vital and relevant to U.S. national security.

3)    Investment Trends
The E.O. understands that single investments can pose limited to no threats to U.S. national security. However, incremental investment, when considered in aggregate and within the context of previous investments, can pose a cumulative risk to U.S. security. Therefore, the E.O. now requires CFIUS to analyze foreign investments in the context of multiple investments.

4)    Cybersecurity Risks
The E.O. requires CFIUS to consider whether a transaction could result in a foreign person or affiliated third-party having access or the ability to conduct malicious cyber interference. In addition, this section recommends evaluating the cybersecurity practices, capabilities and posture of all parties to the transaction that could run the risk of foreign persons or affiliated third parties conducting malicious cyber-enabled activities. 

5)    Protecting Sensitive Data
The E.O. directs CFIUS to consider whether covered transactions by U.S. businesses have:

1.     “…access to U.S. persons sensitive data, including U.S. person’s health, digital and other biometrics, and any other data that could identify and/or exploit an individual’s identity in a matter that threatens national security; or

2.     “…access to data on sub-populations in the U.S. that could be used by a foreign person to target individuals or groups of individuals in the U.S. in a manner that threatens national security.” Executive Order No. 14083, 2022

Why this Executive Order is necessary
The risk factors that CFIUS must consider pursuant to this E.O. are relevant to the range of industries and technologies that have been under increasing scrutiny by the Committee in recent years. The E.O. reflects the Administration’s growing concerns that certain foreign countries and persons are using foreign investments to access sensitive data and technologies to undermine U.S. national security. Thus, in its establishment, the E.O. aims to protect foreign transactions by making sure that foreign investors cannot take advantage of or overtake industries.

Accordingly, the E.O. directs that CFIUS regularly reviews its processes, practices and regulations to ensure that the directed framework is responsive and adaptable to evolving national security threats, and implements any updates as necessary.

Baker Tilly is here to help
Information and Communications Technology (ICT) supply chains are complex dynamic ecosystems representing a critical threat vector – requiring focused risk management. By amplifying foreign investment screening completed by CFIUS, the Administration hopes to improve the risk hygiene of supply chains critical to U.S. national and economic security. The directive signals heightened scrutiny of foreign investment which may require Supply Chain Security & Continuity mitigation plans for CFIUS to approve an M&A transaction and/or investment. Baker Tilly stands ready to support your organization in this area to facilitate regulatory-compliant deal-making. At Baker Tilly, we regularly assist organizations with Supply Chain Risk Management (SCRM) program development to avoid complications that may arise with federal review and evaluation. 

For more information on this and SCRM, or to learn how Baker Tilly specialists can help – please contact us: