Shaking up Terra FIRRMA: Implications of CFIUS Reform for Tech and Life Sciences Companies

The shadow cast over the technology industry by the Committee on Foreign Investment in the U.S. has been growing in recent years, resulting in the blocking of various high-profile technology deals—including Broadcom’s proposed acquisition of Qualcomm and China Venture Capital Fund Limited’s proposed acquisition of Lattice Semiconductor. It is perhaps not surprising then that one of the clear priorities of the newly-enacted Foreign Investment Risk Review Modernization Act—known as FIRRMA— is the protection of critical technologies and specifically cybersecurity technology, personally identifiable information, genetic information, and other sensitive technology and data that has been targeted for development or may be exploited by certain foreign governments in a manner that threatens national security. For many companies in the technology and life sciences sectors, the process of identifying and selecting strategic partners and planning for a transaction will be altered in a meaningful way, with CFIUS analysis and considerations taking on a more central role. The following is a summary of what technology and life sciences companies should anticipate and account for in this new state-of-play under the revised law.

Expanded Jurisdiction Will Cover More Types of Transactions

FIRRMA became law on August 13, 2018, and while its most impactful provisions will not go into effect until implementing regulations are established, the legislation significantly expands CFIUS jurisdiction both in the types of transactions covered and the areas of potential concern for review. CFIUS—the inter-agency committee responsible for reviewing acquisitions by foreign persons of U.S. businesses for possible national security concerns—has jurisdiction to review mergers, acquisitions, and takeovers by or with any foreign person which could result in foreign control of any U.S. business.

Under the revised law, in addition to these types of acquisitions, CFIUS’s jurisdiction will expand to cover certain other non-control investments in sensitive U.S. businesses, as well as acquisitions of real estate involving or near sensitive U.S. facilities. The addition of the “other investments” category codifies and further expands the recent CFIUS practice of deeming within its jurisdiction transactions that provide the foreign investor access to sensitive information or the right to be involved in the decision-making of the U.S. business, even if the voting interest being acquired is very small. Moreover, the specific inclusion of observer rights will require many companies and investors to reassess their approach to investor involvement at the board level. Also, while the business models of most technology and life companies do not involve the sale or lease of real estate and therefore the impact of the inclusion of these transactions within CFIUS’s jurisdiction is likely minimal for them, CFIUS may be a factor when, for example, subleasing office space or selling assets that include real estate.

“Other Investments”– Following the implementation of new regulations, CFIUS jurisdiction will apply to direct or indirect minority investments by a foreign person in any U.S. business that owns, operates, manufactures, supplies or services critical infrastructure; produces, designs, tests, manufactures, fabricates or develops one or more critical technologies; or maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security, if the investment results in the foreign person having:

  1. Access to any “material nonpublic technical information”1 of the U.S. business
  2. The right to nominate or appoint a member of the board of directors or equivalent governing body of the U.S. business or observer rights to the same, or
  3. Any involvement, other than through voting of shares, in substantive decision-making of the U.S. business regarding the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens, the use, development acquisition, or release of critical technologies, or the management, operation, manufacture, or supply of critical infrastructure

Of particular significance to technology and life sciences companies, the definition of “critical technologies”—which has historically referred to defense articles, items controlled for national security purposes, nuclear equipment and certain agents and toxins—has been expanded in the new law to include certain “emerging and foundational technologies” that are to be defined pursuant to procedures established under the new Export Control Reform Act also enacted on August 13.

Exception for Certain Investment Funds– Exempted from the definition of “other investments” are investments by investment funds having a limited partner who is a foreign person and who participates on the fund’s advisory board or committee, provided the fund is managed exclusively by a general partner who is not a foreign person and:

  1. Neither the advisory board nor the foreign limited partner controls investment decisions or controls decisions regarding portfolio companies
  2. The foreign limited partner does not control the dismissal, selection or compensation of the general partner, and
  3. The foreign limited partner does not have access to material nonpublic technical information in such capacity

Real Estate Transactions– With the exception of a “single housing unit” and real estate transactions in urbanized areas, the purchase or lease by, or a concession to, a foreign person of private or public real estate that is located in the U.S. and satisfies one or more of the following criteria will be subject to CFIUS jurisdiction:

  1. It is, is located in, or is part of an air or maritime port
  2. It is in close proximity to a U.S. military installation or another sensitive U.S. Government facility or property
  3. It could reasonably provide the foreign person the ability to collect intelligence on activities being conducted at such an installation, facility, or property
  4. Or it could otherwise expose national security activities at such an installation, facility, or property to the risk of foreign surveillance

Not all Investors and/or Countries Covered– The revised law requires CFIUS to develop regulations that further define “foreign person” for the purposes of these two additional types of transactions to limit their applicability to only certain foreign persons. Such regulations must take into account “how a foreign person is connected to a foreign country or foreign government, and whether the connection may affect the national security of the United States,” and so these additional categories may ultimately only be applicable to foreign persons connected to certain foreign governments. Unfortunately for companies in most technology industries, though, transactions involving most China-based investors will almost certainly be covered.

New Process Improvements, New Burdens and New Costs

FIRRMA establishes a number of changes to the CFIUS process aimed at encouraging more filings while potentially reducing the burdens and delays associated with the current process, albeit coupled with a new filing fee requirement. These changes will need to be factored into parties’ analyses of whether and how to file, as well as the estimated cost and time associated with each filing.

Voluntary Declarations– The parties to a transaction within CFIUS’s jurisdiction will soon have the option to submit a short-form “declaration” in lieu of the traditional full notice. The specific contents of the declaration are yet to be determined, but it will be no longer than five pages. CFIUS will have 30 days to respond to a filed declaration by:

  1. Closing the review
  2. Initiating a unilateral review
  3. Requesting that the parties file a full notice or
  4. Informing the parties that it is not able to complete its review on the basis of the declaration and that the parties may file a full notice to seek written notification that CFIUS has completed its review

For covered transactions that are not likely to raise any national security issues, the declaration process may provide a quicker and lower-cost path for parties to resolve potential CFIUS-related risks.

Mandatory Declarations– For some transactions, though, the new declaration process transforms what is currently a voluntary filing regime into a mandatory one. Specifically, a declaratory filing will be required for transactions that result in the acquisition of a “substantial interest” in certain U.S. businesses—those described in the “other investment” provision—by a foreign person in which a foreign government has, directly or indirectly, a substantial interest. What will constitute a “substantial interest” is yet to be defined, but it will exclude interests that do not meet the “other investment” criteria or that result in holdings of less than a 10 percent voting interest, or that fall within the investment fund exception mentioned above. CFIUS may in the future, however, expand the mandatory declaration requirement to other types of transactions that involve critical technologies. While CFIUS may waive the mandatory declaration for a foreign person that demonstrates its investments are not directed by a foreign government and that has a history of cooperation with CFIUS, it is not clear whether the waiver process will benefit any investors other than frequent filers.

Changes to Review Process Timeline– For the standard full notice that is filed instead of or after the new declaration-style notice, the revised law provides the following:

  • Once a draft notice is submitted, CFIUS must provide comments within 10 business days, provided that the parties stipulate that CFIUS has jurisdiction. Previously, there was no such limitation.
  • CFIUS has an initial 45-day period to conduct a review of a covered transaction; this is up from 30 days under the previous law.
  • If CFIUS decides to commence an investigation, the investigation must be completed before the end of the 45-day period beginning on the date the investigation commences.
  • CFIUS also has the authority to extend an investigation for one additional 15-day period in “extraordinary circumstances,” which term will be defined in regulations.

The introduction of a time limit for CFIUS’s response to the draft notice is an important change for companies (but only those willing to accept CFIUS jurisdiction over their transaction), as there was previously no limitation to the duration of this period, and in practice it could be months before the parties received a response; however, CFIUS has increased the cumulative length of the review/investigation period “after the clock starts” and provided for an additional extension in extraordinary circumstances, so companies should anticipate a three- to five-month process for preparation of the filing, review and possible investigation.

Introduction of Filing Fee– Finally, the revised law authorizes CFIUS to impose a filing fee for notified transactions, not to exceed the lesser of one percent of the value of the transaction and $300,000; the applicability and amounts of such fees are yet to be determined.

Effective Date

The revised timeline for CFIUS review and investigation described above is effective immediately, but many of the most significant changes, including the expansion of CFIUS’s jurisdiction to “other investments” and real estate transactions, and the voluntary and mandatory declaration filing process, will not go into effect until 30 days after publication of the related regulations in the Federal Register (but not later than February 2020). While the drafting and the implementation of the necessary regulations are expected to take some time, the revised law authorizes CFIUS to establish pilot programs to implement portions of the law on 30 days’ advance notice of the contents and requirements of such programs.


The CFIUS review process, and the analysis conducted and the strategies adopted related thereto, have been rendered both more critical to the successful completion of a transaction subject to CFIUS jurisdiction and more complex for the parties involved as a result of the enactment of FIRRMA, particularly for technology and life sciences companies. Although certain key defined terms were briefly described above, much of the analysis will turn on the application of these and other defined terms to the facts and circumstances of specific transactions and the parties thereto, and many of the details of the law remain to be spelled out in regulations. Please contact a member of your Fenwick team, or Fenwick lawyers Mark Ostrau or Ashley Walter, to discuss the applicability and implications of FIRRMA for particular transactions or if you have questions regarding FIRRMA not addressed in the brief summary above. Fenwick will also provide additional updates as pilot programs or regulations are proposed.

1 “Material nonpublic technical information” means information that provides knowledge, know-how, or understanding, not available in the public domain, of the design, location, or operation of critical infrastructure; or is not available in the public domain, and is necessary to design, fabricate, develop, test, produce, or manufacture critical technologies, including processes, techniques, or methods. It does not, however, include financial information regarding a company’s performance.