Deadlines are fast approaching for drafting and implementing new rules for national security reviews of foreign investments in “critical infrastructure” in the U.S., and investors may be surprised at their extended reach, lawyers said.

Last year’s Foreign Investment Risk Review Modernization Act overhauled the law governing national security reviews by the Committee on Foreign Investment in the United States, which can recommend blocking or modifying transactions. Among other things, the act expanded jurisdiction under critical infrastructure to include non-passive, non-controlling investments in 16 sectors.

“There’s been a lot of surprises in recent years in the kinds of deals they consider national security, and probably more surprises in store,” said Arent Fox national security partner David Hanke in Washington, D.C. He said the law’s reach extends to companies in the health care sector, agriculture and transportation among others—”where people might not typically think of national security.”

“It’s going to open up these kinds of companies to CFIUS reviews as covered transactions potentially, depending on the facts and the regulations,” Hanke said. 

The full package of regulations is set to take effect is next March. But it remains to be seen how U.S. Treasury officials and CFIUS will define key terms, such as “control,” “foreign entity” and “foreign person,” in proposed draft regulations due this fall.

David Hanke David Hanke at Arent Fox. 

The CFIUS panel may have signaled its general thinking recently by ordering the unwinding of a completed deal involving a private equity investment with foreign capital in a U.S. cybersecurity company that helps major U.S. corporations protect themselves from email phishing attacks.  

Many stakeholders want more clarity, judging from comments submitted during the pilot program comment period for critical technology last year, Hanke said. He expects the CFIUS regulators to strive for “bright-line” rules rather than the more flexible ones that existed before the legislative overhaul.

But Damara Chambers, co-leader of the national security practice at Vinson & Elkins in Washington, D.C., said “there has been some effort by members of Congress to suggest to Treasury that they narrow the definition of critical infrastructure to what would be truly dangerous to the security of the United States. Right now it is in the eye of the beholder what is truly critical infrastructure.”

FIRRMA also covers foreign investment in critical technology and sensitive personal data. The act requires mandatory filing for CFIUS review of many more types of deals than in the past, including minority stakes in certain ventures.

Hanke, a former staff member of the U.S. Senate Select Committee on Intelligence, and U.S. Sen. John Cornyn, R-Texas, who sponsored the FIRRMA legislation, warned that dealmakers will have to watch the rulemaking process closely. Hanke was a principal staff architect of the bipartisan bill, which was initiated under the previous administration before the ramping up of current trade conflicts with China. He joined Arent Fox in January.

“You think ports, power grid and transportation. [But] people don’t think about health care and election infrastructure. There is a lot of flexibility to define this in a broad way if they so choose,” Hanke said. 

Under FIRRMA, the CFIUS panel is empowered to review even minority stakes in deals involving foreign investment in industries and companies “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety,” under a presidential directive, according to the U.S. Department of Homeland Security. 

Damara Chambers Damara Chambers of Vinson & Elkins.

Hospitals, for instance, could be swept up in the definition of “systems and assets” in the statute, Hanke said. The agencies represented on the panel also might include companies that play key roles in supplying or supporting military bases and other key national security facilities, he said.

In addition to U.S. defense-related industry, FIRRMA treats dams, manufacturing, information technology, energy, communications, chemicals, government, nuclear facilities, water and wastewater treatment as critical infrastructure. The designation also applies to financial services, health care, food and agriculture and transportation security. Additionally, emergency services, commercial services—including shopping centers and lodging—and transportation are covered.

“Folks may be blindsided by some of this,” Hanke said. For instance, foreign investment in companies that make voting machines could now draw extra scrutiny. “That’s of great concern in Congress,” he said.

Reuters reported July 28 that BlackRock Inc., the multinational investment management firm, was in advanced talks to buy out the 47% share of cybersecurity company Cofense Inc. that was owned by private-equity fund, Pamplona Capital Management, at the CFIUS panel’s demand. The Leesburg, Virginia, software company provides businesses with defenses against email phishing attacks.

The committee didn’t publicly disclose the reason, but reports suggest that the likely cause was that Russian billionaire Mikhail Fridman is a major investor in Pamplona Capital. The Wall Street Journal reported Wednesday that Pamplona had failed to meet a deadline for selling its stake in the company and the panel had informed the companies they could be fined.

CFIUS is concerned about the relationship between foreign investors and their governments if the governments are considered national security concerns, CFIUS lawyers said. A request for comment by the Treasury Department wasn’t returned. Emails to Pamplona Capital and Cofense also weren’t returned by deadline.

“I think it is keeping in the theme of where CFIUS has been going after transactions where data is a significant issue,” said Chambers, who maintained a CFIUS practice at Covington & Burling for 14 years before moving to Vinson & Elkins. ”It doesn’t have to involve a foreign government to be a risk.” 

Read More: