CFIUS and Encryption Software – Resolving Whether a CFIUS Filing Is Mandatory


November.01.2021

Introduction

Every week, scores of U.S. companies are sold to foreign investors or execute equity financing transactions involving foreign investors.  Parties to these transactions must assess whether they are legally required to file with the Committee on Foreign Investment in the United States (CFIUS) regarding the transactions.  In many cases, the assessment boils down to whether there is a CFIUS filing requirement by virtue of the export control status of the U.S. company’s software with encryption functionality.

This article describes how parties can resolve whether a U.S. company’s design, development or testing of encryption software can give rise to a CFIUS filing requirement in the context of foreign investment in or a foreign acquisition of the U.S. company.

Circumstances in Which Critical Technology Renders CFIUS Filing Mandatory

CFIUS is a cabinet-level federal body that assesses whether foreign investment transactions present a national security risk.  It supports the president’s administration of Defense Production Act provisions that authorize the president to block foreign investment transactions or order divestment to address national security concerns.

The president and CFIUS have authority to examine and, to protect U.S. security, disturb certain types of “covered transactions”:

  • transactions that could result in a foreign person gaining control over a U.S. business; and
  • investments that could provide a foreign person certain types of corporate governance rights (“triggering rights”) regarding a U.S. business if the U.S. business is connected in specified ways to a so-called “critical technology” or other types of security-sensitive factors.[1]

Ordinarily, the Defense Production Act does not require parties to covered transactions to submit filings with CFIUS about the transactions.  The statute does, however, generally require parties to file with CFIUS regarding a foreign person’s investment in a U.S. business if:

  • the transaction could result in the foreign person controlling the U.S. business or providing the foreign person “triggering rights” regarding the U.S. business; and
  • the U.S. business produces, designs, tests, manufactures, fabricates or develops one or more “critical technologies” for which a U.S. government authorization would be required for supply of the critical technology to the principal place of business of the foreign person or certain types of its affiliates.[2]

Given this potential CFIUS filing requirement, it is often important to resolve whether a U.S. company that is the subject of an equity financing or other type of investment transaction produces, designs, tests, manufactures, fabricates or develops one or more critical technologies if any investment in the U.S. company will be from a foreign person.  A critical technology is an item—such as a good, service, substance, material, software program or item of technical know-how—that falls into one of the following categories:

  • commodities, software and technology that are on the Export Administration Regulations (EAR) “Commerce Control List” and that are, in general, export controlled for a reason other than merely anti-terrorism considerations;[3]
  • defense articles and defense services on the International Traffic in Arms Regulations (ITAR) “U.S. Munitions List”;
  • specially designed and prepared nuclear equipment, parts and components, materials, software and technology covered by Energy Department regulations regarding assistance to foreign atomic energy activities;
  • nuclear facilities, equipment and material covered by Energy Department regulations regarding exports and imports of nuclear equipment and material; and
  • items that are controlled under the federal “select agents and toxins” program.

It is important, then, for parties to foreign investment transactions to know or learn whether products and other items that the U.S. target designs, develops, produces or tests fall into one of these categories of critical technologies.  Depending on the circumstances, the parties’ critical technology assessment may need to account for more than one of the categories.  Commonly, though, the central, and sometimes only, question is whether one or more items are on the EAR Commerce Control List and fall into an export control classification number that is subject to more than just anti-terrorism controls.

A critical technology can give rise to a CFIUS filing requirement notwithstanding that the U.S. investment target has never exported and has no plans to export the critical technology.  Consequently, the parties need to account for all items that the U.S. investment target designs, develops, produces or tests regardless of whether the investment target exports the items.

Encryption Software that Qualifies as Critical Technology and Gives Rise to CFIUS Filing Requirement

This critical technology assessment can be especially important for the thousands of U.S. companies that develop software—either to sell as products or to deploy in support of their businesses.  A common example is “software as a service” (SaaS) companies.  SaaS companies develop and administer software platforms that ordinarily have encryption functionality but are not exported.

Among software programs that qualify as “critical technology” are those that are classified in EAR export control classification number (ECCN) 5D002.  ECCN 5D002 covers “encryption software,” meaning certain types of software that are capable of encrypting or decrypting information.  ECCN 5D002 often covers programs for which encryption functionality is not the program’s purpose.  Furthermore, ECCN 5D002 can cover programs that do not incorporate encryption algorithms.  ECCN 5D002 programs might be designed to “call” encryption algorithms from open-source internet sites.

There are a variety of bases on which encryption software may not fall into ECCN 5D002.  Encryption software does not fall into ECCN 5D002 and ordinarily is not a critical technology if:

  • it is an open-source program (meaning the software’s source code is available for examination or download from the internet or some other public source without restriction);[4]
  • its primary function or set of functions is other than computing, networking, communication or information security, and the program’s encryption functionality is limited to supporting its primary function or set of functions; or
  • it falls into any of a variety of other exceptions, e.g., banking software.

As indicated above, ECCN 5D002 software programs are a form of critical technology.  And the EAR control exports of 5D002 programs to every country except for Canada.  But, subject to conditions and restrictions, EAR License Exception ENC generally authorizes most exports of 5D002 programs to most parties throughout the world.  And, crucially, CFIUS regulations establish that 5D002 software, although a critical technology, does not give rise to a CFIUS filing requirement if ENC § (b) authorizes its export to the principal place of business of the foreign investor and certain types of its affiliates.

The License Exception ENC-coverage exception normally establishes that a U.S. investment target’s design, development, production or testing of an ECCN 5D002 encryption software program does not give rise to a CFIUS filing requirement.  License Exception ENC § (b)(1) authorizes most exports of 5D002 encryption software with no need for advance interaction with export control regulators.  For some types of 5D002 encryption software, however—including all 5D002 source code—ENC exporting authorization requires prior submission of a “classification request” to Commerce Department export control regulators. 

If a company develops an encryption software program, it probably develops the program’s source code.  The Commerce Department considers a company to develop encryption source code even if the company does not develop any component of the program’s encryption functionality.  If a company develops software with encryption functionality (e.g., software that calls upon encryption), then the company develops encryption source code for purposes of the EAR.

Companies do not often export source code for software products or business platforms.  Again, however, whether an investment target actually exports the encryption software is irrelevant to the CFIUS filing requirement assessment.  Consequently, that a company develops 5D002 encryption source code ordinarily means that the investment target must submit a classification request to the Commerce Department to establish that ENC authorization is available for the source code such that there is no CFIUS filing requirement.

If a classification request is needed, in general, License Exception ENC authorizes a company to export 5D002 encryption software to non-embargoed locations immediately on the company’s submission of the classification request to the Commerce Department.  Accordingly, parties to a foreign investment transaction are ordinarily free to close the transaction without a CFIUS filing immediately after the target submits a classification request to the Commerce Department.

There are exceptions to this general rule, however.  The ENC authorization would not immediately cover exports of the encryption source code to government end users but, instead, would be available for exports to government end users 30 days following submission of the classification request.  If, then, a foreign investor or covered affiliate is a government end user, the parties to the investment transaction might have to wait 30 days after submission of the classification request to close the transaction to ensure that there is no mandatory CFIUS filing.

Likewise, for other specialized encryption software listed at ENC § (b)(2) and (b)(3), the authorization would not immediately cover exports to end users that are located outside of a list of “favorable treatment” countries at EAR Part 740, Supplement 3.  In general, the authorization would be available for exports of such specialized encryption software to non-favorable treatment countries 30 days following a target company’s submission of a classification request.  If, then, a foreign investor or covered affiliate is in a non-favorable treatment country and the target company works with specialized encryption software covered by ENC § (b)(2) or (b)(3), then the parties to the investment transaction might have to wait 30 days after submission of the classification request to ensure that there is no mandatory CFIUS filing.[5]

Steps to Resolve Whether Encryption Software Gives Rise to a CFIUS Filing Requirement

In sum, then, if a foreign investment transaction involves other criteria that could lead to a CFIUS filing requirement (foreign investor control over or triggering rights regarding the U.S. target company), parties to the transaction should ordinarily take the following steps to resolve whether encryption software in fact gives rise to a CFIUS filing requirement. [6]

  1. Determine whether the U.S. investment target, directly or through a contractor or other party, designs, develops, produces or tests software with encryption functionality.

  2. If so, assess whether the encryption software falls within EAR ECCN 5D002.

  3. If so, the investment target will ordinarily need to submit (or have submitted) a classification request regarding the 5D002 source code and technology to Commerce Department export control regulators.

    1. Provided the encryption software is not a cryptanalytic item and no foreign investor or covered affiliate is a government end user or based in a non-favorable treatment country, as soon as the investment target submits the classification request, there is no CFIUS filing requirement due to the 5D002 software.

    2. If a foreign investor or covered affiliate is a government end user and the encryption software is not a cryptanalytic item, the parties can be confident that there is no CFIUS filing requirement due to the 5D002 software only when 30 days have elapsed following submission of the classification request.

    3. If a foreign investor or covered affiliate is based in a non-favorable treatment country and the encryption software is not among the tightly controlled ENC § (b)(2) items, then the parties can be confident that there is no CFIUS filing requirement due to the 5D002 software only when 30 days have elapsed following submission of the classification request.

    4. If a foreign investor or covered affiliate is based in a non-favorable treatment country and the encryption software is a tightly controlled ENC § (b)(2) item, then a CFIUS filing may unavoidably be required for the transaction.


[1] CFIUS also has jurisdiction over some types of foreign investment in U.S. real estate.

[2] CFIUS filings are also generally required for a transaction involving a foreign person’s acquisition of 25% or more of a U.S. business’s voting interests if 49% or more of the foreign person’s voting interests are held by one or more governments of a foreign nation if the U.S. business has critical technology or is connected to certain other types of security-sensitive factors.  By the same token, certain types of investments by “excepted investors” associated with Australia, Canada or the United Kingdom never give rise to a CFIUS filing requirement.

[3] In addition, the regulations specify that critical technologies include “emerging and foundational technologies controlled under section 1758 of the Export Control Reform Act of 2018.”  Any such items would also be expected to qualify as critical technologies by virtue of their inclusion on the Commerce Control List.

[4] To ensure that encryption software is not classified in ECCN 5D002, it may be necessary to email the U.S. government a copy of or link to its source code.

[5] For a small subset of encryption software covered by ENC § (b)(2), ENC does not provide authorization even after 30 days for exports to non-favorable treatment countries.  If a target company designs, develops or produces such software and the foreign investor is from a non-favorable treatment country, then a CFIUS filing requirement may unavoidably apply to the transaction.  

[6] This analysis assumes that no foreign investor acquiring a 25% or greater voting interest is 49% or more owned by a foreign government (circumstances that can, in certain cases, give rise to a CFIUS filing requirement even without a critical technology) and that the foreign investment transaction is not an Australia, Canada or U.K.-related excepted investment.