In December 2019, the Division of Corporation Finance (Staff) of the U.S. Securities and Exchange Commission (SEC) published new "CF Disclosure Guidance: Topic No. 8" (Guidance) regarding disclosure obligations companies should consider regarding intellectual property and technology risks associated with international operations.1 The Guidance largely focuses on business operations conducted in countries that lack levels of protection for corporate proprietary information and assets, including intellectual property, trademarks, trade secrets, know-how, and customer information and records.
Companies should consider the Guidance in (i) assessing the materiality of intellectual property and technology risks and (ii) preparing disclosures related to these risks in the MD&A, business description, legal proceedings, disclosure control and procedures, and/or financial statement portions of their periodic reports.
Sources of Risk. The Guidance explains that companies face risks associated with theft of technology, data, and intellectual property from a variety of direct and indirect sources, including private parties, foreign actors, and joint venture partners. Examples include intrusions into company computer systems or reverse engineering of company products or components. The Guidance reminds companies that investors may need to be informed when companies are required to compromise protections or yield rights to their technology, data, or intellectual property in order to conduct business or access markets in foreign jurisdictions. This may occur through formal written agreements or due to legal or regulatory requirements in such jurisdictions, including, for example:
- Patent license agreements that provide foreign licensees rights to improvements in technology;
- Foreign ownership restrictions that may result in the compromise of a company’s control of its technology and proprietary information;
- Use of unusual or idiosyncratic terms favoring foreign persons in technology license agreements; and
- Regulatory requirements that restrict the ability of companies to conduct business unless the company agrees to store data locally, to use local services or technology, or to comply with local requirements that involve the sharing of intellectual property.
Assessing and Disclosing the Risks. In the Guidance, the Staff encourages companies to assess the risks related to the potential theft or compromise of their technology, data, and intellectual property associated with international operations and how the realization of these risks may impact their business. The Staff also reminds companies that they should “provide disclosure that allows investors to evaluate these risks through the eyes of management” when “tailored to a company’s unique facts and circumstances.”
The Guidance informs companies that the Staff expects companies to continue monitoring the evolving risks in this area and to continue evaluating the materiality of such risks on an ongoing basis. According to the Guidance, questions to consider with respect to present and future operating plans may include the following:
- Is there a heightened risk to your technology or intellectual property because you have or expect to maintain significant assets or earn a material amount of revenue abroad?
- Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or intellectual property or the forced transfer of technology? Do you believe that your products have been, or may be, subject to counterfeit and sale, including through e-commerce?
- Have you directly or indirectly transferred or licensed technology or intellectual property to a foreign entity or government, such as through the creation of a joint venture with a foreign entity?
- Do you store technology or intellectual property locally in a foreign jurisdiction? Are you required to use equipment and services provided by a state actor, including equipment or services that could result in a reduction in protections?
- Have you entered into a patent or technology license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology and/or rights to continued use of the technology following the licensing term, including in connection with a joint venture?
- Have you been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets located in a foreign jurisdiction?
- Are you operating in foreign jurisdictions where the ability to enforce rights over intellectual property is limited as a statutory or practical matter?
- Do you have controls and procedures in place to adequately protect technology and intellectual property from potential compromise or theft?
The bottom line is that companies should consider their disclosure obligations regarding risks related to the potential theft or compromise of data, technology, and intellectual property within the context of federal securities laws and the SEC’s principles-based disclosure system, which focuses on timely, robust and complete disclosure of material information so investors can make informed investment and voting decisions. Finally, similar to the situation involving Facebook that was published in our August 9, 2019 Client Alert, if a company actually experiences a material compromise, the Guidance makes clear that hypothetical disclosure of that incident as merely a potential risk will not satisfy the company’s reporting obligation.