We explore below how certain U.S. insurance sector transactions—which may be seen more frequently due to the current macroeconomic environment—may trigger CFIUS review.

CFIUS's Authority

CFIUS, an interagency committee chaired by the U.S. Department of the Treasury with representatives from several executive branch agencies, has jurisdiction over "covered control transactions." That includes transactions that could result in foreign "control" of a "U.S. business" (each as defined by regulation); non-controlling investments in certain types of U.S. businesses; and certain real estate transactions. Where an investment may present a threat to U.S. national security, the President—upon CFIUS's recommendation—can block or impose conditions on the investment to "mitigate" the perceived threat, such as by limiting the foreign party's control over or access to data of the U.S. business.

CFIUS had been a voluntary process whereby the parties to a transaction could receive a safe harbor from the risk of future CFIUS review and intervention. CFIUS has authority to review completed transactions indefinitely and has recently sought to review non-notified transactions completed as far back as 2011, and possibly even earlier. Receiving the safe harbor of CFIUS approval eliminates the risk that CFIUS will later review and impose restrictions on foreign investors' access or control rights vis-à-vis the U.S. business, or potentially require the foreign investor to divest its interest.

In two scenarios, parties must file with CFIUS: (1) the U.S. business produces, designs, tests, manufactures, fabricates, or develops a "critical technology" that would require an export license or authorization to provide it to any of the foreign parties involved in the transaction; or (2) certain transactions involving a direct or indirect investment by a foreign government. As discussed in our CFIUS Alert, on October 15, 2020, CFIUS revised the mandatory filing requirement for transactions involving critical technology by removing the limitation that the critical technology must have been designed for or used in certain industries. As expected, this change expanded the scope of transactions subject to mandatory filing with CFIUS. Failure to file with CFIUS when mandatory may result in penalties up to the value of the transaction.

Concerns Over Data Collection

Chief among the CFIUS issues for insurance sector companies is access to sensitive personal data on U.S. persons and critical technologies. Recent expansion of CFIUS's jurisdiction has targeted these areas, making it more likely that investments involving U.S. insurance sector companies will be subject to review. CFIUS has actively sought to review transactions and required significant mitigation measures—including forced divestitures—for transactions involving personally identifiable information and personal health information on U.S. persons.

FIRRMA's new regulations direct CFIUS to focus on industries and sectors not previously considered to pose national security risks in the context of cross-border transactions, including U.S. businesses that have a demonstrated business objective to maintain or collect identifiable "sensitive personal data" within one of the categories below on greater than one million U.S. persons. The categories of sensitive personal data include:

• insurance application information
• health information of individuals
• financial information that could be used to determine financial distress or hardship
• data from a consumer report, subject to certain exceptions
• non-public electronic communications such as email or text messaging
• biometric enrollment data
• information about U.S. government security clearances and applications for such clearances
• genetic information or test results, and
• geolocation data, regardless of the method of collection (e.g., mobile app, GPS, wearable).

Any amount of genetic information or data from products targeted or tailored for U.S. national security agencies or their personnel and contractors may trigger CFIUS review (i.e., the million-person threshold does not apply).

Insurance sector transactions are increasingly likely to trigger CFIUS jurisdiction because of "critical technologies" as the insurance industry leverages technology for business operations and targets technology companies within its investment strategy. Access to critical technologies by foreign adversaries is thought to threaten U.S. technological advancement and superiority in certain areas.

As part of a broader U.S. effort to control technology transfer, CFIUS review is intended to prevent foreign access to U.S.-developed technology through investment in or acquisition of U.S. businesses. Insurance transactions that involve a U.S. business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies, defined to include a wide array of technology and software, may be subject to CFIUS review and possibly a mandatory filing.

Now, in addition to increased scrutiny and potentially more restrictive mitigation measures, transactions involving "sensitive personal data" or "critical technologies" may be subject to expanded CFIUS jurisdiction. Historically, a transaction had to result in a foreign person gaining "control" of a U.S. business for CFIUS to have jurisdiction, but if a U.S. business has sensitive personal data or critical technologies, CFIUS also can review small, noncontrolling investments by a foreign party, if the investor obtains certain rights relative to the U.S. business (e.g., board rights). These rule changes increase the likelihood that investments in U.S. insurance sector companies will fall within CFIUS's jurisdiction.

Real Estate Investments

Beginning February 2020, CFIUS can review transactions involving the purchase or lease by, or concession to, a foreign person—including a REIT—of certain U.S. real estate. Before the new regulations, CFIUS would have reviewed real estate involved in the investment in or acquisition of a U.S. business for proximity to sensitive locations. Foreign investments in real estate that otherwise seem innocuous may trigger CFIUS review if, for example, the real estate is within close proximity of certain sensitive locations or within an airport or maritime port. CFIUS, for example, has led parties to abandon transactions involving the acquisition of an office building that housed sensitive tenants and the acquisition of a hotel because it was near a U.S. Navy training site. These concerns resulted in the recent expansion of authority to review real estate transactions that do not involve investment in a U.S. business, or so-called greenfield investments. Insurance companies involved in a real estate transaction, including the acquisition of distressed assets, should evaluate whether CFIUS might be an issue.

Convertible Debt and Bankruptcy

Although lending transactions are generally not within the scope of CFIUS jurisdiction, certain types of indebtedness, such as convertible debt and other forms of contingent equity that may be attractive or more prevalent given the current macroeconomic environment may trigger CFIUS review. At the outset of a transaction, CFIUS may disregard contingent equity depending on (i) the imminence of conversion or satisfaction of contingent conditions; (ii) whether conversion or satisfaction of contingent conditions depends on factors within the control of the acquiring party; and (iii) whether the amount of interest and the rights that would be acquired upon conversion or satisfaction of contingent conditions can be reasonably determined at the time of acquisition.

Parties involved in debt financing or that have other forms of contingent equity should be mindful that CFIUS may have jurisdiction to review the transaction when conversion becomes imminent due to default or other satisfying conditions. A CFIUS filing may be required at least 30 days prior to conversion of debt or exercise of rights in certain circumstances.

Transactions arising from a bankruptcy case (in the insurance company context, typically a state court rehabilitation or liquidation proceeding) may also be subject to CFIUS review if they involve foreign control of or, in some cases, the acquisition of a noncontrolling interest in, a U.S. business, or the purchase or lease of real estate. Foreign buyers of U.S. distressed assets are likely to find their proposed acquisition scrutinized. Debtor companies and foreign buyers (including creditors receiving equity in exchange for debt) should review the target assets to confirm they do not inadvertently acquire assets without addressing CFIUS risk.

Key Takeaway

Given the high stakes of failure to account for CFIUS risks in transaction planning, CFIUS's increased efforts to identify non-notified transactions, and touchpoints for the insurance sector, it is more important than ever for companies to conduct early due diligence to identify, understand and manage CFIUS exposure and navigate the CFIUS process successfully.

Nicholas Klein and Gabriel Gershowitz are of counsel at DLA Piper. Prakash Paran is a partner at the firm.