The Committee on Foreign Investment in the United States (CFIUS) has recently shown its expanded oversight and commitment to enforcement with the reveal of its first monetary penalty for breach of a negotiated mitigation agreement. In a one-sentence statement, CFIUS disclosed that it had imposed a $1 million fine in 2018 against an unnamed entity for failing to adhere to the terms of a 2016 mitigation agreement, including “failure to establish requisite security policies and failure to provide adequate reports to CFUIS.” The penalty is the first of its kind to be disclosed by CFIUS and is thought to be the first civil penalty assessed by CFIUS for breach of a mitigation agreement.

The disclosure is a clear message from CFIUS that it is serious about holding acquirors to the terms of negotiated mitigation agreements. In fact, CFIUS now has a specific office responsible for overseeing and monitoring mitigation agreements, a task previously left to whichever staff member had that particular case.

While the news of the penalty is historic in its own right, other recent developments reveal that CFIUS is also aggressively conducting investigations of transactions not submitted to CFIUS for review by a voluntary notice. In the past month,

  • Virginia-headquartered cybersecurity firm Cofense announced that its minority investor Pamplona Capital Management is selling its interest in Cofense after a nearly year-long national security review into Cofense’s $400 million takeover by a group of private equity buyers. After announcing the deal in February 2018, CFIUS, on its own accord, initiated a review of the transaction. Pamplona’s funds were partly backed by a Russian billionaire. The sale of Pamplona’s stake in Cofense is being overseen by a CFIUS-approved trustee who is working with bankers to sell Pamplona’s equity to a CFIUS-approved buyer.
  • CFIUS reportedly ordered China’s Beijing Kunlin Tech Co. Ltd. to sell the majority stake it acquired in the dating app Grindr in 2016 due to concerns about the Chinese government’s potential access and exploitation of sensitive users’ data.
  • CFIUS required Chinese investor and digital healthcare company iCarbonX to sell its majority stake in the U.S. company PatientsLikeMe, an on-line service that links individuals suffering the same health issues to improve disease detection and treatment. Again, the concern reportedly motivating CFIUS is Chinese access to the personal data of Americans and the national security risk that could pose.

For the first time in recent years, CFIUS has the resources necessary to monitor both transactions not submitted for voluntary review and negotiated mitigation agreements. CFIUS has dedicated additional resources to identifying and investigating non-notified transactions that it believes pose national security risks. With the announcement of the post-closing forced divestitures, the risks of not notifying CFIUS of a transaction become clearer.

Foreign investors should also be mindful that CFIUS is stepping up its efforts to ensure that acquirers are adhering to terms of mitigation agreements. Foreign investors must take heed that signing a mitigation agreement is not a means to an end of getting a deal cleared but a long-lasting obligation that must be complied with after the deal has closed.