Yesterday, the Division of Corporation Finance (CorpFin) of the SEC released CF Disclosure Guidance: Topic No. 8, Intellectual Property and Technology Risks Associated with International Business Operations (Guidance). The Guidance aims to assist public companies in evaluating intellectual property (IP) and technology risks related to their international operations, assessing their materiality, and drafting useful disclosures, consistent with their obligations under the federal securities laws and the SEC's principles-based disclosure regime.
CorpFin encourages companies to assess risks related to the potential theft or compromise of their technology, data or IP (including technical data, business processes, data sets or other sensitive information) in connection with their international operations, as well as how the realization of these risks may impact their business, financial condition, results of operations, reputation, stock price and long-term value. CorpFin notes that companies that conduct business in certain foreign jurisdictions, house technology, data and IP abroad, or license technology to joint ventures with foreign partners may have more significant exposure to these IP and technology risks than domestic companies. For instance, companies may suffer direct intrusion by foreign actors, including state-controlled or state-affiliated actors, in the form of cyber intrusions into computer systems and physical theft through corporate espionage. Technology, data and IP may also be stolen or compromised via indirect routes, including where companies are required to compromise protections or yield rights to technology, data or IP in order to conduct business in or access markets in a foreign jurisdiction. 
CorpFin cites as examples: (i) patent license agreements that allow foreign licensees to retain rights to improvements on the relevant technology, including the ability to sever such improvements and receive a separate patent; (ii) foreign ownership restrictions, such as joint venture requirements and foreign investment restrictions that potentially compromise control over a company’s technology and proprietary information; (iii) unusual or idiosyncratic terms favoring foreign persons, including those associated with a foreign government, in technology license agreements, such as access and license provisions as conditions to conducting business in foreign jurisdictions; and (iv) regulatory requirements that restrict the ability of companies to conduct business, unless they agree to store data locally, use local services or technology in connection with their international operations, or comply with local licensing or administrative approvals that involve the sharing of IP.
According to CorpFin, in assessing and disclosing risks related to the potential theft or compromise of technology and IP, companies should consider the following questions, which may serve as a useful checklist in drafting Form 10-K risk factors, with respect to their present and future operating plans:
- Is there a heightened risk to your technology or IP because you have or expect to maintain significant assets or earn a material amount of revenue abroad?
- Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or IP or the forced transfer of technology? Do you believe that your products have been, or may be, subject to counterfeit and sale, including through e-commerce?
- Have you directly or indirectly transferred or licensed technology or IP to a foreign entity or government, such as through the creation of a joint venture with a foreign entity? Do you store technology or IP locally in a foreign jurisdiction? Are you required to use equipment and services provided by a state actor, including equipment or services that could result in a reduction in protections?
- Have you entered into a patent or technology license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology and/or rights to continued use of the technology following the licensing term, including in connection with a joint venture?
- Are you subject to a requirement that foreign parties must be controlling shareholders or hold a majority of shares in a joint venture in which you are involved, or are you involved in a joint venture that is subject to foreign ownership restrictions or requirements that a foreign party retain certain ownership rights?
- Have you provided access to your technology or IP to a state actor or regulator in connection with foreign regulatory or licensing procedures, including but not limited to local licensing and administrative procedures?
- Have you been required to yield rights to technology or IP as a condition to conducting business in or accessing markets located in a foreign jurisdiction?
- Are you operating in foreign jurisdictions where the ability to enforce rights over IP is limited as a statutory or practical matter?
- Do you conduct business in a foreign jurisdiction or through a joint venture that may be subject to state secrecy or other laws, such as those limiting or prohibiting the export of data or financial documentation? Are you able to readily produce data or other information that is housed internationally in response to regulatory requirements or inquiries?
- Have conditions in a foreign jurisdiction caused you to relocate or consider relocating your operations to a different host nation? Have you considered related material costs, such as costs to train new employees, establish new facilities and supply chains, and the impact of any related gaps or lags in production, manufacture and/or export of your products?
- Do you have controls and procedures in place to adequately protect technology and IP from potential compromise or theft? Do these policies and procedures enable you to identify risks and incidents, analyze the impact on your business, respond expediently, appropriately and effectively when incidents occur and repair any damage caused by such incidents? Are your controls and procedures designed to detect: (i) malfeasance by employees, contractors or other insiders who may have access to your technology and IP; (ii) industrial, corporate or other espionage events; (iii) unauthorized intrusions into commercial computer networks; and (iv) other forms of theft and cyber-theft of your technology and IP?
- What level of risk oversight and management do the board of directors and executive officers have with regard to the company’s data, technology and IP and how these assets may be impacted by operations in foreign jurisdictions where they may be subject to additional risks? What knowledge do these individuals have about these risks and what role do they have in responding if and when an issue arises?
A copy of the Guidance is available here.