Tag: federal agencies

BIOSECURE Act: Anticipated Movement, Key Provisions, and Likely Impact

Last night, the House of Representatives passed the BIOSECURE Act (BIOSECURE or the Act) by a bipartisan vote of 306 to 81.

The BIOSECURE Act prohibits federal agencies from procuring or obtaining any biotechnology equipment or service produced or provided by a biotechnology company of concern. Subject to some exceptions, it also prohibits federal agencies from contracting with a company that uses equipment or services produced or provided by a biotechnology company of concern. Further, the Act prohibits recipients of a loan or grant from a federal agency from using federal funds to purchase equipment or services from a biotechnology company of concern.

The Senate version of BIOSECURE, sponsored by Sens. Gary Peters (D-MI) and Bill Hagerty (R-TN), was voted out of the Senate Committee on Homeland Security and Governmental affairs with bipartisan support in March 2024. Given its passage in the House last night, the BIOSECURE Act is likely to be signed into law by the end of the year. The House version of BIOSECURE is likely to be the version that becomes law. President Biden is unlikely to veto the Act given its bipartisan support, his previous executive actions to support domestic biotechnology development, and his Administration’s approach towards competition with China.

The Act defines “biotechnology company of concern” as any entity that:

  • is subject to the jurisdiction, direction, control, or operates on behalf of the government of a foreign adversary (defined as China, Cuba, Iran, North Korea, and Russia);
  • is involved in the manufacturing, distribution, provision, or procurement of a biotechnology equipment or service; and
  • poses a risk to U.S. national security based on:
    • engaging in joint research with, being supported by, or being affiliated with a foreign adversary’s military, internal security forces, or intelligence agencies;
    • providing multiomic data obtained via biotechnology equipment or services to the government of a foreign adversary; or
    • obtaining human multiomic data via the biotechnology equipment or services without express and informed consent.

Somewhat unusually, the Act names specific Chinese companies as automatically qualifying as “biotechnology companies of concern”:

  • BGI (formerly known as the Beijing Genomics Institute);
  • MGI;
  • Complete Genomics;
  • WuXi AppTec; and
  • WuXi Biologics.

Both categories include any subsidiary, parent, affiliate, or successor entities of biotechnology companies of concern.

The Act also has very broad definitions of “biotechnology equipment or service.” The definition of equipment encompasses any machine, device, or subcomponent, including software that is “designed for use in the research, development, production, or analysis of biological materials.” The definition of services is similarly broad.

The BIOSECURE Act also requires the Office of Management and Budget (OMB) to publish a list of additional biotechnology companies of concern. The list is prepared by the Secretary of Defense in coordination with the Secretaries of the Departments of Health and Human Services, Justice, Commerce, Homeland Security, and State, as well as the Director of National Intelligence and National Cyber Director. This list of companies must be published by OMB within one year of BIOSECURE’s enactment and reviewed annually by OMB in consultation with the other Departments.

Guidance and Regulatory Authorities

OMB is also tasked with developing guidance and has 120 days from enactment of the statute to do so for the named companies. For the list of biotechnology companies of concern, OMB’s guidance must be established within 180 days after the development of the list.

Beyond OMB, the Act requires the Federal Acquisition Regulatory Council to revise the Federal Acquisition Regulation (FAR) to incorporate its prohibitions. The FAR regulations must be issued within one year of when OMB establishes its guidance.

For named companies the Act’s prohibitions are effective 60 days after the issuance of the FAR regulations. For companies placed on the biotechnology company of concern list, the effective date for the Act’s prohibitions is 80 days after the issuance of FAR regulations.

Impact on Existing Business Relationships

In response to stakeholder concerns about disrupting existing commercial relationships and triggering delays in drug development, the House version of the BIOSECURE Act provides a five-year unwinding period for contracts and agreements entered into before the Act’s effective dates. Contracts entered into after the Act’s effective dates do not qualify for the five year unwinding period.

Process for Designating Companies

BIOSECURE specifies the process for designating a biotechnology company of concern. Critically, the Act does not require OMB to notify a company prior to the Department of Defense making the designation. Rather, a company will receive notice that it is being designated and placed on the biotechnology company of concern list. Moreover, the criteria for listing will only be provided “to the extent consistent with national security and law enforcement interests.” Thus, companies may face a circumstance where they are not provided the evidence supporting their designation.

Once a company receives the notice, it will have 90 days to submit information and arguments opposing the listing. The Act does not require a hearing or any formal administrative process. If practicable, the notice may also include steps the company could take to avoid being listed, but it is not required.

Safe Harbor, Waivers and Exceptions

The Act only has one safe harbor for biotechnology equipment or services that were formerly but no longer provided or produced by a biotechnology company of concern. This safe harbor seems intended to allow a biotechnology company of concern to sell their ownership of a product or service to another company without prohibitions applying to the new owner.

Agency heads may waive the Act’s prohibitions on a case-by-case basis, but only with the approval of OMB acting “in coordination with the Secretary of Defense.” Waivers must be reported to Congress within 30 days of being granted. The waiver may last for up to a year with an additional “one time” extension of 180 days allowed if an agency head determines it is “in the national security interests of the United States.” The 180-day extension must be approved by OMB and the agency head must notify and submit a justification to Congress within 10 days of the waiver being granted.

The Act has only two exceptions. First, its prohibitions do not apply to intelligence activities. Second, the prohibitions do not apply to health care services provided to federal employees, members of the armed services, and government contractors who are stationed in a foreign country or on official foreign travel.

Impact and Considerations for Clients

1. Increased Risk of Partnerships with Chinese Companies and Researchers:

Pharmaceutical and biotechnology companies that receive federal funding or contract with federal agencies should be prepared to wind down business ties to biotechnology companies in China. Impacted companies need to begin evaluating the risk to their supply chains, manufacturing capacity, and R&D pipelines in the event a business partner is listed.

Universities in the United States and other research institutes that receive federal funding will also need to undertake a similar assessment of their research partners and collaborators based in China.

2. Loss of CDMO capacity:

Wuxi App Tec is a large, global provider of contract development and manufacturing (CDMO) services to the life sciences industry. According to the New York Times “[b]y one estimate Wuxi has been involved in developing one-fourth of the drugs used in the United States.” BIOSECURE would effectively ban Wuxi from conducting business in the United States, and if passed, risks causing delays, shortages, and cost increases as companies seek to transition to other CDMOs. It will likely take years for competitors to replace the lost CDMO capacity.

3. Fate of Wuxi U.S. Facilities:

Wuxi has a large presence in the United States. It operates 12 facilities and employs almost 2,000 people. Normally, Wuxi would be expected to sell its U.S.-based facilities. However, based on Tiktok’s experience, it is unclear if the Government of China will permit Wuxi to sell its facilities as opposed to dismantling and/or relocating facilities outside of the United States.

4. OMB’s Management of Biotechnology Companies of Concern List

OMB does not typically manage processes like the one envisioned by BIOSECURE. How OMB interprets the broad criteria for listing companies will be critical. Which Departments, beyond the Department of Defense, will have the greatest influence on OMB’s decision making and how open OMB is to evidence from companies seeking to avoid listing will also need to be watched closely. Until OMB starts preparing its guidance and the FAR regulations are proposed, it is hard to anticipate the rate at which new companies will be added to the list. How the process established by BIOSECURE will interact with or leverage existing entity lists will be another development to closely monitor.

5. Retaliation by China

BIOSECURE’s passage is likely to trigger a response from the Government of China. Responses could range from imposing its own export controls to using the country’s sweeping national security laws to harass United States businesses and their employees. Companies doing business in China, particularly those in the pharmaceutical or biotech industries need to be prepared.

© 2024 Foley & Lardner LLP
For more on Biotechnology, visit the NLR Biotech Food Drug section

Third Time’s a Charm? SEC & CFTC Finalize Amendments to Form PF

On February 8, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) jointly adopted amendments to Form PF, the confidential reporting form for certain registered investment advisers to private funds. Form PF’s dual purpose is to assist the SEC’s and CFTC’s regulatory oversight of private fund advisers (who may be both SEC-registered investment advisers and also registered with the CFTC as commodity pool operators or commodity trading advisers) and investor protection efforts, as well as help the Financial Stability Oversight Council monitor systemic risk. In addition, the SEC entered into a memorandum of understanding with the CFTC to facilitate data sharing between the two agencies regarding information submitted on Form PF.

Continued Spotlight on Private Funds

The continued focus on private funds and private fund advisers is a recurring theme. The SEC recently adopted controversial and sweeping new rules governing many activities of private funds and private fund advisers. The SEC’s Division of Examinations also continues to highlight private funds in its annual examination priorities. Form PF is similarly no stranger to recent revisions and expansions in its scope. First, in May 2023, the SEC adopted requirements for certain advisers to hedge funds and private equity funds to provide current reporting of key events (within 72 hours). Second, in July 2023, the SEC finalized amendments to Form PF for large liquidity fund advisers to align their reporting requirements with those of money market funds. And last week, this third set of amendments to Form PF, briefly discussed below.

SEC Commissioner Peirce, in dissent:

“Boundless curiosity is wonderful in a small child; it is a less attractive trait in regulatory agencies…. Systemic risk involves the forest — trying to monitor the state of every individual tree at every given moment in time is a distraction and trades off the mistaken belief that we have the capacity to draw meaning from limitless amounts of discrete and often disparate information. Unbridled curiosity seems to be driving this decision rather than demonstrated need.”

Additional Reporting by Large Hedge Fund Advisers on Qualifying Hedge Funds

These amendments will, among other things, expand the reporting requirements for large hedge fund advisers with regard to “qualifying hedge funds” (i.e., hedge funds with a net asset value of at least $500 million). The amendments will require additional disclosures in the following categories:

  • Investment exposures, borrowing and counterparty exposures, currency exposures, country and industry exposures;
  • Market factor effects;
  • Central clearing counterparty reporting;
  • Risk metrics;
  • Investment performance by strategy;
  • Portfolio, financing, and investor liquidity; and
  • Turnover.

While the final amendments increase the amount of fund-level information the Commission will receive with regard to individual qualifying hedge funds, at the same time, the Commission has eliminated the aggregate reporting requirements in Section 2a of Form PF (noting, in its view, that such aggregate information can be misleading).

Enhanced Reporting by All Hedge Funds

The amendments will require more detailed reporting on Form PF regarding:

  • Hedge fund investment strategies (while digital assets are now an available strategy to select from, the SEC opted not to adopt its proposed definition of digital assets, instead noting that if a strategy can be classified as both a digital asset strategy and another strategy, the adviser should report the strategy as the non-digital asset strategy);
  • Counterparty exposures (including borrowing and financing arrangements); and
  • Trading and clearing mechanisms.

Other Amendments That Apply to All Form PF Filers

  • General Instructions. Form PF filers will be required to report separately each component fund of a master-feeder arrangement and parallel fund structure (rather than in the aggregate as permitted under the existing Form PF), other than a disregarded feeder fund (e.g., where a feeder fund invests all its assets in a single master fund, US treasury bills, and/or “cash and cash equivalents”). In addition, the amendments revise how filers will report private fund investments in other private funds, “trading vehicles” (a newly defined term), and other funds that are not private funds. For example, Form PF will now require an adviser to include the value of a reporting fund’s investments in other private funds when responding to questions on Form PF, including determining filing obligations and reporting thresholds (unless otherwise directed by the Form).
  • All Private Funds. Form PF filers reporting information about their private funds will report additional and/or new information regarding, for example: type of private fund; identifying information about master-feeder arrangements, internal and external private funds, and parallel fund structures; withdrawal/redemption rights; reporting of gross and net asset values; inflows/outflows; base currency; borrowings and types of creditors; fair value hierarchy; beneficial ownership; and fund performance.

Final Thoughts

With the recent and significant regulatory spotlight on investment advisers to private funds and private funds themselves, we encourage advisers to consider the interrelationships between new data reporting requirements on Form PF and the myriad of new regulations and disclosure obligations being imposed on investment advisers more generally (including private fund advisers).

The effective date and compliance date for new final amendments to Form PF is 12 months following the date of publication in the Federal Register.

Robert Bourret also contributed to this article.

©2024 Katten Muchin Rosenman LLP

by: Adam Bolter of Katten 

For more SEC and CFTC news, visit the NLR Securities & SEC section.

How a Zero-Day Flaw in MOVEit Led to a Global Ransomware Attack

In an era where our lives are ever more intertwined with technology, the security of digital platforms is a matter of national concern. A recent large-scale cyberattack affecting several U.S. federal agencies and numerous other commercial organizations emphasizes the criticality of robust cybersecurity measures.

The Intrusion

On June 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) identified an exploit by “Threat Actor 505” (TA505), namely, a previously unidentified (zero-day) vulnerability in a data transfer software called MOVEit. MOVEit is a file transfer software used by a broad range of companies to securely transfer files between organizations. Darin Bielby, the managing director at Cypfer, explained that the number of affected companies could be in the thousands: “The Cl0p ransomware group has become adept at compromising file transfer tools. The latest being MOVEit on the heels of past incidents at GoAnywhere. Upwards of 3000 companies could be affected. Cypfer has already been engaged by many companies to assist with threat actor negotiations and recovery.”

CISA, along with the FBI, advised that “[d]ue to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”

Although CISA did not comment on the perpetrator behind the attack, there are suspicions about a Russian-speaking ransomware group known as Cl0p. Much like in the SolarWinds case, they ingeniously exploited vulnerabilities in widely utilized software, managing to infiltrate an array of networks.

Wider Implications

The Department of Energy was among the many federal agencies compromised, with records from two of its entities being affected. A spokesperson for the department confirmed they “took immediate steps” to alleviate the impact and notified Congress, law enforcement, CISA, and the affected entities.

This attack has ramifications beyond federal agencies. Johns Hopkins University’s health system reported a possible breach of sensitive personal and financial information, including health billing records. Georgia’s statewide university system is investigating the scope and severity of the hack affecting them.

Internationally, the likes of BBC, British Airways, and Shell have also been victims of this hacking campaign. This highlights the global nature of cyber threats and the necessity of international collaboration in cybersecurity.

The group claimed credit for some of the hacks in a hacking campaign that began two weeks ago. Interestingly, Cl0p took an unusual step, stating that they erased the data from government entities and have “no interest in exposing such information.” Instead, their primary focus remains extorting victims for financial gains.

Still, although every file transfer service based on MOVEit could have been affected, that does not mean that every file transfer service based on MOVEit was affected. Threat actors exploiting the vulnerability would likely have had to independently target each file transfer service that employs the MOVEit platform. Thus, companies should determine whether their secure file transfer services rely on the MOVEit platform and whether any indicators exist that a threat actor exploited the vulnerability.

A Flaw Too Many

The attackers exploited a zero-day vulnerability that likely exposed the data that companies uploaded to MOVEit servers for seemingly secure transfers. This highlights how a single software vulnerability can have far-reaching consequences if manipulated by adept criminals. Progress, the U.S. firm that owns MOVEit, has urged users to update their software and issued security advice.

Notification Requirements

This exploitation likely creates notification requirements for the myriad affected companies under the various state data breach notification laws and some industry-specific regulations. Companies that own consumer data and share that data with service providers are not absolved of notification requirements merely because the breach occurred in the service provider’s environment. Organizations should engage counsel to determine whether their notification requirements are triggered.

A Call to Action

This cyberattack serves as a reminder of the sophistication and evolution of cyber threats. Organizations using the MOVEit software should analyze whether this vulnerability has affected any of their or their vendors’ operations.

With the increasing dependency on digital platforms, cybersecurity is no longer an option but a necessity in a world where the next cyberattack is not a matter of “if” but “when;” it’s time for a proactive approach to securing our digital realms. Organizations across sectors must prioritize cybersecurity. This involves staying updated with the latest security patches and ensuring adequate protective measures and response plans are in place.

© 2023 Bradley Arant Boult Cummings LLP

For cybersecurity legal news, click here to visit the National Law Review.

Federal Agencies Announce Investments and Resources to Advance National Biotechnology and Biomanufacturing Initiative

As reported in our September 13, 2022, blog item, on September 12, 2022, President Joseph Biden signed an Executive Order (EO) creating a National Biotechnology and Biomanufacturing Initiative “that will ensure we can make in the United States all that we invent in the United States.” The White House hosted a Summit on Biotechnology and Biomanufacturing on September 14, 2022. According to the White House fact sheet on the summit, federal departments and agencies, with funding of more than $2 billion, will take the following actions:

  • Leverage biotechnology for strengthened supply chains: The Department of Health and Human Services (DHHS) will invest $40 million to expand the role of biomanufacturing for active pharmaceutical ingredients (API), antibiotics, and the key starting materials needed to produce essential medications and respond to pandemics. The Department of Defense (DOD) is launching the Tri-Service Biotechnology for a Resilient Supply Chain program with a more than $270 million investment over five years to turn research into products more quickly and to support the advanced development of biobased materials for defense supply chains, such as fuels, fire-resistant composites, polymers and resins, and protective materials. Through the Sustainable Aviation Fuel Grand Challenge, the Department of Energy (DOE) will work with the Department of Transportation and the U.S. Department of Agriculture (USDA) to leverage the estimated one billion tons of sustainable biomass and waste resources in the United States to provide domestic supply chains for fuels, chemicals, and materials.
  • Expand domestic biomanufacturing: DOD will invest $1 billion in bioindustrial domestic manufacturing infrastructure over five years to catalyze the establishment of the domestic bioindustrial manufacturing base that is accessible to U.S. innovators. According to the fact sheet, this support will provide incentives for private- and public-sector partners to expand manufacturing capacity for products important to both commercial and defense supply chains, such as critical chemicals.
  • Foster innovation across the United States: The National Science Foundation (NSF) recently announced a competition to fund Regional Innovation Engines that will support key areas of national interest and economic promise, including biotechnology and biomanufacturing topics such as manufacturing life-saving medicines, reducing waste, and mitigating climate change. In May 2022, USDA announced $32 million for wood innovation and community wood grants, leveraging an additional $93 million in partner funds to develop new wood products and enable effective use of U.S. forest resources. DOE also plans to announce new awards of approximately $178 million to advance innovative research efforts in biotechnology, bioproducts, and biomaterials. In addition, the U.S. Economic Development Administration’s $1 billion Build Back Better Regional Challenge will invest more than $200 million to strengthen America’s bioeconomy by advancing regional biotechnology and biomanufacturing programs.
  • Bring bioproducts to market: DOE will provide up to $100 million for research and development (R&D) for conversion of biomass to fuels and chemicals, including R&D for improved production and recycling of biobased plastics. DOE will also double efforts, adding an additional $60 million, to de-risk the scale-up of biotechnology and biomanufacturing that will lead to commercialization of biorefineries that produce renewable chemicals and fuels that significantly reduce greenhouse gas emissions from transportation, industry, and agriculture. The new $10 million Bioproduct Pilot Program will support scale-up activities and studies on the benefits of biobased products. Manufacturing USA institutes BioFabUSA and BioMADE (launched by DOD) and the National Institute for Innovation in Manufacturing Biopharmaceuticals (NIIMBL) (launched by the Department of Commerce (DOC)) will expand their industry partnerships to enable commercialization across regenerative medicine, industrial biomanufacturing, and biopharmaceuticals.
  • Train the next generation of biotechnologists: The National Institutes of Health (NIH) is expanding the Innovation Corps (I-Corps™), a biotech entrepreneurship bootcamp. NIIMBL will continue to offer a summer immersion program, the NIIMBL eXperience, in partnership with the National Society for Black Engineers, which connects underrepresented students with biopharmaceutical companies, and support pathways to careers in biotechnology. In March 2022, USDA announced $68 million through the Agriculture and Food Research Initiative to train the next generation of research and education professionals.
  • Drive regulatory innovation to increase access to products of biotechnology: The Food and Drug Administration (FDA) is spearheading efforts to support advanced manufacturing through regulatory science, technical guidance, and increased engagement with industry seeking to leverage these emerging technologies. For agricultural biotechnologies, USDA is building new regulatory processes to promote safe innovation in agriculture and alternative foods, allowing USDA to review more diverse products.
  • Advance measurements and standards for the bioeconomy: DOC plans to invest an additional $14 million next year at the National Institute of Standards and Technology for biotechnology research programs to develop measurement technologies, standards, and data for the U.S. bioeconomy.
  • Reduce risk through investing in biosecurity innovations: DOE’s National Nuclear Security Administration plans to initiate a new $20 million bioassurance program that will advance U.S. capabilities to anticipate, assess, detect, and mitigate biotechnology and biomanufacturing risks, and will integrate biosecurity into biotechnology development.
  • Facilitate data sharing to advance the bioeconomy: Through the Cancer Moonshot, NIH is expanding the Cancer Research Data Ecosystem, a national data infrastructure that encourages data sharing to support cancer care for individual patients and enables discovery of new treatments. USDA is working with NIH to ensure that data on persistent poverty can be integrated with cancer surveillance. NSF recently announced a competition for a new $20 million biosciences data center to increase our understanding of living systems at small scales, which will produce new biotechnology designs to make products in agriculture, medicine and health, and materials.

A recording of the White House summit is available online.

Article By Lynn L. Bergeson and Carla N. Hutton of Bergeson & Campbell, P.C.

For more environmental, energy, and resources legal news, click here to visit the National Law Review.

©2022 Bergeson & Campbell, P.C.