TikTok's Not Alone: US Security Reviews of Foreign Investments in Tech
The US government is expanding its security reviews of foreign investments in the United States—and technology is a major focus. Here's the data.
The US government is expanding its national security reviews of foreign investments in the United States, drawing on recent legal and policy changes that emphasize the importance of investment flows, technological competitiveness, cybersecurity threats, and data risks. While TikTok is at the center of this debate currently — since its Chinese parent ByteDance purchased US firm Musical.ly in 2017, and integrated it into TikTok — it does not stand alone. We analyze some data on US security reviews of foreign investments in the United States, including in the tech sector. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
The US government is increasingly weighing technology and data issues in its security reviews of foreign investments — and any US business taking a foreign investment that has security-critical technologies or US persons’ “personally identifiable information” or other sensitive data is potentially subject to this process.
US Investment Reviews Focus on Tech and Data
The Committee on Foreign Investment in the United States (CFIUS) is an interagency, executive branch committee that screens foreign investments in the US for national security risks. It was created by President Ford in 1975 and statutorily authorized in 2007, with many other important steps along the way.
In 2018, Congress passed the Foreign Investment Risk Review Modernization Act (FIRRMA), which substantially expanded CFIUS’ authorities and review scope to, among other things, have a greater focus on technology. For example, it introduced the term “critical technologies” and required that CFIUS prescribe regulations for parties in a covered transaction to declare whether the transaction could result in the release of “critical technologies” from a US business to a foreign entity.
FIRRMA also expanded CFIUS’ consideration of covered transactions to include:
Data — the extent to which a covered transaction could expose US citizens’ “personally identifiable information, genetic information, or other sensitive data”
Cybersecurity — the extent to which a covered transaction could exacerbate or create new cybersecurity vulnerabilities in the US, or could result in a foreign government obtaining new cyber capabilities that could be used against the US
Executive Order 14083, issued by President Biden in September 2022, provided further direction to CFIUS on issues to consider, including the risk of incremental investments over time gradually ceding control of a technology; the risk that a transaction creates cybersecurity threats to the US; and the risk that a transaction provides access to US persons’ sensitive data, including health and biological data.
All told, many foreign investments in any US business that has a “critical technology” or holds US persons’ “personally identifiable information,” genetic data, health data, and more are potentially subject to this security review process.
Investment Reviews from 2012-2021
Over the last decade, the number of notices of covered transactions with foreign entities that CFIUS receives from US companies has grown. The number of investigations CFIUS has launched into foreign transactions with US businesses has shifted from year to year. This data comes from CFIUS’ public annual reporting. Data for 2022 is not yet available.
In 2012, CFIUS received 114 notices of covered transactions and launched 45 investigations. A few years later, in 2016, it received 172 notices of covered transactions (about a 33.7% increase over the four years) and launched 79 investigations (about a 43% increase over the four years). In 2017, CFIUS received 237 notices of covered transactions (about a 37.8% increase from 2016) and launched 172 investigations (about a 54.1% increase from 2016). Those numbers both decreased slightly in 2018, had some variance in 2019, and decreased again in 2020.
In 2021, CFIUS received 272 notices of covered transactions (about a 45.5% increase from 2020) and launched 130 investigations (about a 47.7% increase from 2020). This was the greatest number of notices that CFIUS received in one year during the 2012-2021 time period, although it was not the greatest number of investigations launched during one year in the time period. The Committee rightly cautions, in its most recent report, about drawing too many broad conclusions about these year-to-year trends:
A variety of economic factors affects the data in this Report, which may make it difficult to extrapolate CFIUS trends year-over-year. CFIUS considers each transaction on a case-by-case basis, and the disposition of any particular case — be it withdrawal, closing in review or investigations, or presidential decision — depends on the particular facts and circumstances of that case.
In 2012, CFIUS launched investigations into approximately 39% of the transactions on which it received notices. That proportion increased in 2013 to approximately 51%, decreased in 2014 to approximately 35%, and then has remained at roughly 47-49% ever since. The exception is 2017 and 2018, when CFIUS launched investigations into approximately 73% (2017) and approximately 69% (2018) of covered transaction notices.
CFIUS completed some notable technology-related security reviews during this period, such as when Chinese company Beijing Kunlun Tech initiated plans in 2019 to sell dating app Grindr back to a US owner, after a CFIUS review and concerns about the risk of the Chinese government obtaining the app’s user data. (Beijing Kunlun Tech completed its sale of Grindr to a collection of US investors in 2020.)
Zooming In: Finance, Information, and Services
What CFIUS defines as the Finance, Information, and Services Sector has been one of the most active for covered transaction notices in recent years. CFIUS received 108 covered transaction notices from the sector in 2017 (about a 58.8% increase from 2016), 86 notices in 2018 (about a 20.4% decrease from 2017), 89 notices in 2019 (about a 3.5% increase from 2018), and 80 notices in 2020 (about a 10.1% decrease from 2019).
In 2021, CFIUS received 147 covered transaction notices from the finance, information, and services sector (about an 83.8% increase from 2020), which accounted for approximately 54% of the total notices it received that year.
Within the finance, information, and services sector in 2021, CFIUS received the most notices from companies classified as Professional, Scientific, and Technical Services (57), followed by companies classified as Publishing Industries (30), Data Processing, Hosting, and Related Services (13), and Telecommunications (12).
What Now?
While CFIUS will not release its annual report covering 2022 for a few more months, the data will provide important insights into these reviews — including their focus on technology. Looking forward:
Security reviews of foreign investments in the US are here to stay. CFIUS has been around for nearly five decades, and its authorities have recently expanded to modernize the US government’s approach to technology- and data-related risks.
Foreign investments in the US tech sector will remain of interest to policymakers and civil servants tasked with identifying national security risks.
Simultaneously, CFIUS’ interest in technology does not stop at foreign investments in the US tech sector. Many businesses have technology assets, and most businesses have data of some kind pertaining to US persons. Transactions in those areas could potentially fall under the scope of national security reviews, too.
© 2023 Global Cyber Strategies LLC.