[co-author: Nicole Giles, Law Clerk]
-
MoneyGram and Ant Financial mutually terminate $1.2 billion proposed merger
-
CFIUS’s concerns focused on cyber and information security
-
Scrutiny of buyers’ information security processes is likely to increase
On January 2, 2018, U.S.-based MoneyGram International announced that its proposed acquisition by Ant Financial, a Chinese company owned by Alibaba, was being blocked by the U.S. Committee on Foreign Investment in the United States (CFIUS). CFIUS is the U.S. government’s inter-agency committee tasked with reviewing foreign entities’ purchases of and investments in U.S. companies when the transaction could pose a threat to U.S. national security.
According to press reports, CFIUS notified MoneyGram and Ant Financial that it intended to recommend to the president that he block the transaction. At that point, the parties decided to terminate the proposed deal.
Companies Had Previously Secured CFIUS Clearance, Worked with CFIUS to Address Concerns
This decision by CFIUS is perhaps surprising. For one thing, both Alibaba and Ant Financial reportedly secured CFIUS clearance in past transactions. In addition, MoneyGram might not be considered to be particularly sensitive from a national security perspective, at least in the traditional sense, given that the company does not operate in the defense sector nor deal in critical infrastructure. Moreover, Ant Financial and MoneyGram apparently offered multiple proposals to mitigate CFIUS’s concerns.
CFIUS Blocks Transaction Because of Concerns about Cyber and Information Security
However, those concerns – pertaining to a Chinese company possessing reams of U.S. consumers’ data – apparently superseded the two companies’ pledges to protect that data. And in that respect, CFIUS’s decision in this matter seems to be consistent with other CFIUS decisions aimed at protecting the security of U.S. information and technology.
For example, as we recently reported, in September 2017, CFIUS blocked a China-backed buyout fund from acquiring a U.S. semiconductor manufacturer. In addition, CFIUS is reportedly taking a long time to review and opine on other proposed transactions by which U.S. financial services firms – and their customers’ data – would be acquired by Chinese buyers. (Just to be clear, as we have commented previously, Chinese deals in all sectors typically get close scrutiny.)
Even in the context of transactions involving buyers from the U.S.’s closest allies, it is increasingly common for CFIUS to require substantial information from the buyer about its ability to control U.S. information and technology. Emphasis is placed on whether the buyer can implement and maintain a robust cyber security plan and abide by standards imposed under the National Industrial Security Program and other such federal initiatives.
Expect CFIUS Focus on Cyber Security, Information Integrity to Continue and Expand
We do not see this changing. In fact, we expect that future CFIUS reviews may involve even more intrusive questions and requests about acquiring parties’ ability to maintain data securely. A number of politicians have reportedly urged that CFIUS look particularly closely at any transaction that would lead to a non-U.S. party having greater access to the personal information of U.S. persons. We would not be surprised to see such closer scrutiny of information security specifically enshrined in new CFIUS legislation, as several proposed bills are currently working their way through the legislative process.
We think buyers and sellers contemplating the CFIUS process need to be proactive and anticipate the sort of measures that will ease CFIUS concerns about data security when notified of a transaction. Buyers, in particular, should spend the time and resources necessary to develop strong protections for data, both that of individuals and of the company itself – especially with respect to sensitive intellectual property, that could cause concern for CFIUS. Anything less may make it much harder to get CFIUS approval.
