Regulatory intelligence for US exporters

CFIUS Emphasizing Reviews Involving Sensitive Data Concerns, Officials Say

The Committee on Foreign Investment in the U.S. is placing a significant focus on investments that could present data or cybersecurity risks, said CFIUS head Paul Rosen and FBI official Cynthia Kaiser. Rosen also said CFIUS continues to actively pursue non-notified deals and said the administration is still discussing the idea of an outbound investment review regime.

Start A Trial

Rosen, the Treasury Department’s assistant secretary for investment security, said one of CFIUS’ top current concerns when reviewing investments is whether the transaction risks exposing U.S. sensitive data. He pointed to President Joe Biden’s September executive order that gave direction to how CFIUS should prioritize reviews (see 2209150053 and 2209260076), adding that the order specifically “called out cybersecurity.”

“The data point is really important,” Rosen said during a March 15 event hosted by the Aspen Institute, adding that it "presents a series of national security risks and concerns.”

Rosen, providing more information on a process that has been criticized for lacking transparency (see 2208050028), said CFIUS reviews investments by looking at “how much data is in that U.S. business” and whether “we care about that data.” The committee may prioritize data that includes “sensitive information” on U.S. people or that has “sensitive source code,” Rosen said.

“And the way we think about it also is, if this business is going to be bought, where's the data going to go? And what are the cybersecurity protocols?” Rosen said, adding that the committee checks whether there is a “robust cybersecurity regime to protect that data.” CFIUS also looks at how a “threat actor” could “potentially use that data offensively from an espionage perspective, blackmail perspective, inserting malicious code, whatever it may be. There's a whole set of analysis around data as we think about threat actors.”

Kaiser, deputy assistant director for the FBI’s Cyber Division, said many of those investment risks are coming from China. “It's clear China has a voracious appetite for data in any form,” she said. The FBI uses information from CFIUS’ data reviews to point out to companies involved in a joint venture “what kind of cybersecurity risks they take on.”

China, for example, has required U.S. companies doing business in the country to use certain tax software that it uses to deploy malware on American companies’ systems, Kaiser said. The malware allows “malicious actors” to remotely access the companies’ networks.

“I think we're working hand-in-hand both with CFIUS and [the Office of Foreign Assets Control] over at Treasury to provide information that can lead to enhanced reviews or sanctions on these entities,” Kaiser said. “It’s really important to that overall, whole-of-government effort to try to counter nefarious efforts that are obvious” and “the nefarious efforts that might be looking to go into a side door.”

Aside from personal data, Rosen also said CFIUS is searching for investments involving quantum computing, semiconductors and artificial intelligence. “We're really focused on all sorts of technologies and the risks and concerns that they pose,” he said. Although each case is different, CFIUS generally tries to research the foreign acquirer of a U.S. business to figure out “what do we know about the acquirer, including from the intelligence that we get from previous interactions with the committee, and other source reporting, seen and unseen. And so that's how we think about the evolving sensitive technologies.”

He also said the CFIUS team that tracks non-notified deals -- investments that weren’t notified to the committee but may fall under CFIUS jurisdiction (see 2206090053 and 2211030047) -- continues to be particularly active and “is really crucial to what we do.” That team is “scouring sources of information” to find deals, Rosen said, which sometimes involve years-old investments.

“We will contact those companies and say, ‘hey, we got a lot of questions about this,’” he said. “And we may ultimately tell them they have to come file even if the transaction has long since closed.”

Rosen hopes that work encourages more companies to voluntarily file with the committee, echoing comments he made during his Senate confirmation hearing last year (see 2204060059). CFIUS wants to make “sure we are holding parties accountable to their obligations,” he said. “Because at the end of the day, we firmly believe that we are going to better address the national security risks, both if we can hold parties accountable, but also encourage parties to come in the front door when they're required.”

Rosen also touched briefly on a new outbound investment screening regime being drafted by the administration (see 2303060007, 2303090061 and 2301270034), saying there has been “vigorous debate” both publicly and in Congress. A potential regime would tackle U.S. investments abroad in “cutting-edge technology” that could help “an adversary’s next-generation fighter,” Rosen said, “or whatever it may be.”

Not only would a regime look to block those U.S. investments, but “also the know-how and expertise that flows with those U.S. investment dollars,” he said. “And so that's part of the national security risks that, as a policy matter, is being discussed both in Congress and in the executive branch.”