Navigating National Security M&A Deal Risk in U.S. FDI – CFIUS Considerations

How the Committee on Foreign Investment decides the destiny of potential international investors in the U.S.


17 June 2019

The Committee on Foreign Investment in the United States (CFIUS) is an interagency body, chaired by the Department of the Treasury, that has the authority to review foreign direct investment (FDI) in the U.S. to evaluate the impact such investments could have on national security. Although CFIUS has broad jurisdiction to review transactions whereby foreign persons acquire control (or, in some cases, certain types of non-control) rights over a U.S. business, as a practical matter, CFIUS is only interested in transactions within its jurisdiction that pose a risk to U.S. national security. When CFIUS takes an interest in a transaction, it assesses the threat presented by the foreign investor, the vulnerability presented by the target company, and the overall potential consequence of the investment activity to U.S. national security.

Passed in 2018, the Foreign Investment Risk Review Modernization Act (FIRRMA) is a bipartisan effort to address the evolving threat environments under CFIUS jurisdiction – including cybersecurity vulnerabilities, protected data/information, dual-use technologies with civil/military fusion, intelligent (information) warfare, real estate and global supply chain considerations – and to broaden the jurisdiction of CFIUS to include, among other things, certain types of non-controlling investments. This reform measure represented the most comprehensive revision of the foreign investment review process since the Foreign Investment and National Security Act (FINSA) in 2007.

Blocked, abandoned or divested

The CFIUS process is highly confidential and protected from public disclosure; however, certain deals have been made public by the parties through press releases and/or public filings. In addition, some transactions that closed without a review by CFIUS presented national security risks and were subsequently divested due to CFIUS concerns. Select deals that were blocked, abandoned, or divested due to CFIUS are as follows:

  • April 2019: Divestiture of minority interest in Cofense by Pamplona Capital Management
  • April 2019: Divestiture of PatientsLikeMe by China’s iCarbonX on data privacy concerns in healthcare
  • March 2019: Divestiture of Grindr LLC by Beijing Kunlun Tech Co Ltd on data exploitation concerns
  • March 2018: Broadcom’s proposed acquisition of Qualcomm
  • January 2018: Ant Financial Services Group’s proposed acquisition of MoneyGram
  • November 2017: Zhongwang USA’s proposed acquisition of Aleris
  • September 2017: NavInfo’s proposed investment in HERE
  • September 2017: Canyon Bridge’s proposed investment in Lattice Semiconductor
  • July 2017: HNA Group’s proposed investment in Global Eagle Entertainment
  • February 2017: Infineon Technologies’ proposed investment in Cree
  • October 2016: Anbang Insurance Group Co. Ltd.’s proposed investment in Hotel del Coronado (as part of hotel portfolio)

The potential impact on inbound U.S. M&A deals

The U.S. remains one of the world’s premier destinations for international investment with innovative advances in technology, biotech, engineering and software development. With these high-value investment opportunities comes an increased risk specific to U.S. national security.

There are many potential impacts on inbound U.S. deals to consider, including:

  1. Longer timelines for deal closure to account for the CFIUS filing and review
  2. Increased cost to close if potential risks are identified and require mitigation solutions
  3. Execution deal risk in the transaction, potentially accounted for in the deal value premiums, break fees, and reverse break fees, or through the inability of the foreign investor to obtain the value that caused it to pursue the transaction if CFIUS seeks to impose mitigation measures
  4. More comprehensive diligence assessment specific to intellectual property, customer base, data capture, and/or existing relationships with the U.S. government
  5. Expanded diligence into the acquiring company’s ultimate and beneficial ownership structure, as well as potential third-party relationships with foreign governments or countries

Regardless of which factors may impact a specific deal, U.S. companies must be cognizant of how to appropriately navigate the CFIUS process. A deal may impact the reliability, availability and integrity of physical or logical assets, access to or control of production activity and intellectual property, as well as any direct or indirect impacts on critical infrastructure.

Appropriate dealmaking strategies must proactively consider and address potential national security risks so as to reduce or mitigate the national security risk of the transaction, which will subsequently help to address execution deal risk.

Additionally, companies need to be acutely aware of whether the transaction falls into the FIRRMA-authorized Pilot Program. Under the newly implemented Pilot Program (October 2018), CFIUS jurisdiction has been expanded to include non-controlling foreign investments in critical technology companies, requiring mandatory declarations in deals which afford the foreign investor access to specified information or governance rights. The Pilot Program lists 27 identified industries based on their five-digit North American Industry Classification System (NAICS) code. Companies whose transactions fall under the Pilot Program and that fail to file their transaction with CFIUS may face civil penalties up to the value of the transaction.

Specific investments or purchases at risk

The assessment of CFIUS-related execution deal risk is highly specific to the particular details of the investment, which include but are not limited to, at the time of investment: foreign acquiring party, foreign acquiring party country, foreign acquiring party’s ties to other foreign countries/SOE, named JV partners (foreign and domestic U.S.), U.S. target company/investment, U.S. business assets (physical and virtual), U.S. business subsidiaries and/or existing JV partnerships, U.S. business customers, U.S. business value chain segments, and location of the U.S. facilities, including geographic colocation to U.S. military/government installations.

In addition to confirming whether a foreign investment triggers a mandatory CFIUS notification (which involves evaluating, among other things, the nature and extent of rights that the foreign investor will obtain with respect to the U.S. target company) and understanding and acknowledging country risk and typical CFIUS factors (e.g., whether the target has business with the U.S. government or sensitive export controlled products or technology), I recommend evaluating the transaction holistically, including to account for whether the foreign investment will provide the investor with access to sensitive personal information relating to U.S. citizens, which has been an area of focus for CFIUS. Investors should be clear about what the overall goal of the investment activity means to the organization and how those goals may present risk in the deal.

Foreign companies and the CFIUS process

The CFIUS process is an objective and methodical national security review, with key pillars founded on transparency, communication and collaboration. In my experience, the organizations which have the most success in navigating the process are those that recognize the critical importance of balancing U.S. national security with the benefits of an open investment policy; acknowledging that there are real and tangible risks that may be inherent in their enterprise – whether in access or control of their code base, data collected on customers/users, the civil/military fusion potential pervasive in their technology, or the proximity of real estate assets to military installations.

Working methodically through the risk identification, submission and review process with CFIUS presents proactive opportunities to address any known/potential threats and vulnerabilities inherent within the transactional parties or deal structure. This will permit the deal parties to make better and more informed decisions as they work through the transaction, as well as proposing potential mitigation solutions to address any known risks.

Some simple steps to address the CFIUS process:

  1. Manage the process proactively; don’t be reactive or try to create an overly complex narrative
  2. Engage with CFIUS early during the CFIUS process
  3. Consider how CFIUS impacts execution risk in conjunction with traditional financial diligence
  4. Perform comprehensive risk assessment, including operational security impact
  5. Evaluate economic and geopolitical considerations
  6. Manage expectations of stakeholders and shareholders

Prediction: How CFIUS will impact M&A in the next 12 months

As the marketplace continues to globalize, trade tensions and regulatory policy are further complicating an already complex economic ecosystem. While the U.S. is the target of significant foreign direct investment (FDI), the open investment policy and the protection of U.S. national security interests have created a regulatory paradigm. The high-value targets within the U.S., particularly in critical infrastructure sectors such as energy and natural resources, data-rich industries and critical technologies, have created an environment where dynamic compliance strategies are imperative in deal considerations. Companies must evaluate and mitigate the risks of global trade, with a focus on maximizing opportunity value.

Appropriately navigating the CFIUS process in a transaction includes a clear and transparent effort to address traditional deal considerations, while also addressing the direct, as well as second and third order, consequences that arise due to potential national security threats and vulnerabilities. These component parts are often addressed individually through the deal cycle, but to properly account for CFIUS the mosaic should address these risks in parallel – concurrent with the more traditional deal diligence aspects.

Companies that are most successful in structuring deals and navigating the CFIUS process are those that aptly balance free and open markets with the national security considerations – finding harmony in the collaborative efforts rather than focusing on potential conflicting priorities. In many cases, these deals are high stress and fast-moving – often with millions or billions of dollars in play – and the process can appear difficult and confusing; however, clear and pragmatic solutions drive successful deal closures. I often liken the concept to that of Occam’s Razor when navigating the regulatory landscape and defend the concept of reductionism – parties shouldn’t make the process more complicated than necessary, shouldn’t make the structure more complex than necessary, and should work to be clear and transparent in all phases of CFIUS review. There is elegance to simplicity.

Most importantly, optimism should drive the dealmaking community – deals are successfully closing from every country, investment opportunities pervade the global economy – particularly with U.S.-driven innovation in critical technologies, and where the CFIUS process can be appropriately and pragmatically navigated.



John Lash, Control Risks

John Lash is a Principal within Control Risks’ Compliance, Forensics and Intelligence practice in the Americas region. He is the leader of the Committee on Foreign Investment in the United States (CFIUS) group for the Americas region and is based in Washington, D.C. John has significant experience advising domestic and international clients in national security reviews before CFIUS and assisting clients with related regulations including the mitigation of foreign ownership, control or influence (FOCI).