19 August 202013 minute read

New national security regulations subject more insurance sector transactions to CFIUS review

The US government continues to take significant steps to address risks to national security posed by foreign geopolitical adversaries. One of the more prominent of these measures is the expansion of national security reviews of inbound acquisitions and investment by the Committee on Foreign Investment in the United States (CFIUS). CFIUS is the US government committee charged with identifying, evaluating, and mitigating national security threats posed by foreign investment.  It may be surprising to learn that the US government considers insurance companies likely to present national security risks, and that transactions in the insurance sector are squarely in the crosshairs of CFIUS jurisdiction. The fact is, as described in this article, insurance sector professionals should be aware of CFIUS risk to their transactions, particularly because of the US government’s demonstrated national security focus on transactions involving any of the following:

  • Sensitive data on US persons
  • Critical technology, including certain software and R&D activities, and
  • Important US infrastructure or real estate.

The US government’s recent increased scrutiny of transactions involving these potential national security risks has significant implications for the insurance industry.  Indeed, several insurance-related transactions have faced CFIUS scrutiny and been forced to accept CFIUS conditions to complete transactions in recent years.[1]  New regulations promulgated under the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) are intended to address these concerns by strengthening the authority of CFIUS to review a wider variety of investments.  Effective February 13, 2020, these new regulations expand CFIUS’s jurisdiction to review certain non-controlling investments in US businesses and a broad range of real estate transactions.  These regulations may also subject the disposition of distressed assets, bankruptcy proceedings, and convertible debt transactions to CFIUS review. 

This article outlines the scope of CFIUS jurisdiction in light of the recent changes to the CFIUS regime, presents some critical CFIUS considerations for the insurance sector, and highlights how certain transactions involving US insurance sector companies – which may be seen more frequently due to the current macroeconomic environment – may trigger CFIUS review.

CFIUS has broad powers to review mergers, acquisitions, and other investments

CFIUS is an interagency committee chaired by the US Department of the Treasury with representatives from several executive branch agencies. CFIUS has jurisdiction over “covered control transactions,” ie, transactions that could result in foreign “control” of a “US business” (each as defined by regulation); non-controlling investments in certain types of US businesses; and certain real estate transactions.  CFIUS has authority to review such transactions, and where an investment may present a threat to US national security, the President − upon CFIUS’s recommendation − can block or impose conditions on the investment to “mitigate” the perceived threat, such as by limiting the foreign investor’s access to technical information or data of the US target business.

Until the launch of the critical technology “pilot program” in November 2018 and the recent, expansive regulations mentioned above, CFIUS had been an entirely voluntary process whereby the parties to a transaction could receive the benefit of a safe harbor from the risk of future CFIUS review and intervention.  CFIUS has authority to review completed transactions that it has not already reviewed, going as far back as 1988 (although to review transactions completed more than three years ago requires chairperson approval).  Indeed, in recent months, CFIUS has sought to review non-notified transactions completed as far back as 2011, and possibly even earlier.  Thus, receiving CFIUS approval upon satisfaction that there are no unresolved national security concerns prior to closing a transaction provides a significant benefit: it eliminates the risk that CFIUS will later review and seek to mitigate the transaction by imposing restrictions on the foreign investor’s access or control rights vis-à-vis the US business, or potentially to require the foreign investor to divest its interest entirely.

There are two limited circumstances where parties are required to file with CFIUS: (1) the US business produces, designs, tests, manufactures, fabricates, or develops a “critical technology” for use in connection with one of 27 industries identified by NAICS code; or (2) certain transactions involving a direct or indirect investment by a foreign government. As we described in our CFIUS Alert, on May 21, 2020, CFIUS introduced a proposed change to the mandatory filing requirement for transactions involving critical technology. The change would replace the requirement that the critical technology is used in or specifically designed for use in specific industries identified by NAICS code with the requirement that the critical technology would require an export license to provide it to any of the foreign persons involved in the transaction.

CFIUS has the extraordinary authority to block a transaction outright – including by issuing a temporary stay while it evaluates a deal – or even to unwind a transaction by forcing the acquiror or investor to divest its interest under CFIUS’s supervision.  Failure to assess and account for this risk in an acquisition agreement also can lead to excessive costs in due diligence, extended interest payments in financing arrangements for the investor, and lost opportunities from other investors for the US business. 

Heightened national security concerns over collection of data on US persons, access to critical technology and non-controlling investments

Although perhaps not intuitively thought of as involving national security concerns, the insurance industry touches several CFIUS flash-points – chief among them, access to sensitive personal data on US persons and critical technologies.  The recent expansion of CFIUS’s jurisdiction has specifically targeted these areas, making it more likely that investments involving US insurance sector companies will be subject to CFIUS review.  Indeed, CFIUS has actively sought to review transactions and required significant mitigation measures – including forced divestitures – for transactions involving personally identifiable information and personal health information on US persons.[2]  

FIRRMA and its implementing regulations direct CFIUS to focus on industries and sectors that had not previously been considered to pose national security risks in the context of cross-border transactions.  Among the types of US businesses identified for heightened CFIUS scrutiny – known as “TID US businesses”[3] – are US businesses that collect or maintain certain types of sensitive personal data on US persons.  Explicitly included in the definition of “sensitive personal data” are:

  • insurance application information
  • health information of individuals
  • financial information that could be used to determine financial distress or hardship
  • data from a consumer report, subject to certain exceptions
  • non-public electronic communications such as email or text messaging
  • biometric enrollment data
  • information about US government security clearances and applications for such clearances
  • genetic information, such as genetic test results, and
  • geolocation data, regardless of the method of collection (eg, mobile app, vehicle GPS, wearable).

A US business is considered a “TID US business” if it “has a demonstrated business objective” to maintain or collect identifiable data within one of the categories above on greater than one million US persons, including customers and policyholders (but generally excluding the US business’ own employees), or it has done so at any point in the preceding 12 months.  It is important to note that a US business will be considered a “TID US business” if it collects or maintains any amount of genetic information or data from products targeted or tailored for US national security agencies or their personnel and contractors (ie, the one million individuals threshold does not apply).  Note that publicly available information is generally not considered to be “sensitive personal data.”

As the insurance industry increasingly leverages technology in its business operations and targets technology companies as part of its investment strategy, the likelihood of triggering CFIUS jurisdiction because of “critical technologies” is more likely.  Another type of “TID US business” is one that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies, defined to include a wide array of technology and software.  Access to these technologies by foreign adversaries is thought to threaten US technological advancement and superiority in certain areas.  As part of a broader effort to control technology transfer – one of the leading national security concerns of the US government – CFIUS is intended to prevent foreign access to US-developed technology through investment in or acquisition of US businesses.

In addition to increased scrutiny and potentially more restrictive mitigation measures, transactions involving a TID US business are now subject to expanded CFIUS jurisdiction to review.  Historically, a transaction had to result in a foreign person gaining “control” of a US business for CFIUS to have jurisdiction.  For TID US businesses, however, FIRRMA expanded CFIUS’s jurisdiction to include review of noncontrolling investments if the investor also obtains certain rights vis-à-vis the US business.  Specifically, CFIUS may review a noncontrolling, minority investment in a TID US business completed or subject to a definitive agreement on or after February 13, 2020 that affords a foreign person access to material non-public information, board or board observer rights, or substantive decision-making power with respect to certain aspects of the US business’s operations.  These rule changes therefore make it more likely that investments in US insurance sector companies will fall within CFIUS’s jurisdiction.

CFIUS may review real estate investments

CFIUS also now has expanded jurisdiction to review real estate transactions.  As of February 2020, CFIUS has authority to review transactions involving the purchase or lease by, or concession to, a foreign person – including real estate investment trusts (REITs) – of certain real estate in the United States.  Before the new regulations, CFIUS would have reviewed real estate involved in the investment in or acquisition of a US business for proximity to sensitive locations.  For example, CFIUS has caused parties to abandon transactions involving the acquisition of an office building that housed sensitive tenants and the acquisition of a hotel because it was near a US Navy training site.  These same concerns led to the recent expansion of authority to review real estate transactions that do not involve investment in a US business, or so-called greenfield investments.  Insurance companies should be aware of these changes, including if they own real estate within their investment portfolios or for their own occupancy. 

The regulations contain numerous limitations and long lists of sensitive US government or military sites.  Foreign investments in real estate that otherwise seem innocuous may trigger CFIUS review if, for example, the real estate is within close proximity of certain sensitive locations or within an airport or maritime port.  Parties to a transaction involving real estate, including the acquisition of distressed assets, should evaluate whether CFIUS might be an issue.

Special CFIUS considerations for convertible debt and bankruptcy

Although lending transactions themselves are generally not within the scope of CFIUS jurisdiction, certain types of indebtedness, such as convertible debt and other forms of contingent equity that may be relatively attractive or more prevalent given the current macroeconomic environment may trigger CFIUS review, particularly when conversion becomes imminent as a result of default or other satisfying conditions.  At the outset of a lending transaction, CFIUS may disregard contingent equity depending on (i) the imminence of conversion or satisfaction of contingent conditions; (ii) whether conversion or satisfaction of contingent conditions depends on factors within the control of the acquiring party; and (iii) whether the amount of interest and the rights that would be acquired upon conversion or satisfaction of contingent conditions can be reasonably determined at the time of acquisition.

Parties involved in debt financing or that have other forms of contingent equity should be mindful that even if CFIUS does not have jurisdiction to review the transaction upfront, it may have jurisdiction to review the transaction – and filings may be required in certain circumstances – prior to conversion of the debt or exercise of rights that would trigger control of a US business by a foreign party. 

Transactions arising from a bankruptcy case may be subject to CFIUS review if the transaction otherwise satisfies CFIUS’s jurisdictional triggers, including foreign control of a US business, the purchase or lease of some types of sensitive real estate, and non-controlling transactions in a TID US business.  Foreign buyers of US distressed assets are likely to find their proposed acquisition scrutinized. Debtor companies and foreign buyers (including creditors receiving equity in exchange for debt) should cautiously review the assets being acquired to confirm that they do not inadvertently acquire assets without addressing the risk of a CFIUS action.

Conclusion

The insurance sector touches several national security flash-points that are likely to raise CFIUS concerns, particularly in the current macroeconomic and nationalistic political environment.  Given the high stakes of failure to account for CFIUS risks in transaction planning, and CFIUS’s increased efforts to identify non-notified transactions, it is more important than ever for companies to conduct early due diligence to identify and understand their CFIUS exposure and to navigate the CFIUS process successfully.

Please contact the authors if you have any questions on CFIUS and its impact to the insurance sector, including its implications for real estate investments or convertible debt and bankruptcy. 

DLA Piper’s Global Insurance and Reinsurance practice represents major insurance, reinsurance and financial services companies across the globe in various corporate, technology and litigation matters. Our core strategic focus and work is providing some of the world’s leading insurance firms on strategic, specific, high-value and complex legal needs around the world. Please feel free to contact any of our Insurance and Reinsurance attorneys, including the following individuals, should you have any questions:

 

Michael Murphy

Prakash (PK) Paran

David D. Luce

Gabriel Gershowitz

Tim Baumgartner

Melanie James

DLA Piper maintains a robust, cross-disciplinary CFIUS practice consisting of corporate, regulatory, and government affairs professionals. Please contact any of our CFIUS attorneys to learn more:

Ignacio E. Sanchez

Richard Newcomb

Christine Daya

Nicholas Klein

Thomas M. deButts

Danish Hamid

Sarah E. Kahn

Lawrence E. Levinson

Dana Zelman

Anebi X. Adoga, Jr.


[1] For example, in the China Oceanwide Holdings Group Co., Ltd, acquisition of Genworth Financial, Inc., CFIUS required that the parties arrange for a US-based, third-party service provider to manage and protect the personal data of Genworth's US policyholders to receive approval for the deal.

[2] For example, CFIUS recently ordered the divestiture of Grindr (a software company that collects personal data including HIV status) and digital health company PatientsLikeMe.

[3] A “TID US business” is named for the three categories of US businesses included in its definition subject to several parameters: critical technology, critical infrastructure, and personal data on US persons.

Print