The staff of the Division of Corporation Finance at the Securities and Exchange Commission (SEC) released new guidance on December 19, 2019, about disclosure obligations concerning companies' intellectual property and technology risks originating from international operations. The guidance highlights the evolving nature of this growing risk category and provides suggestions to companies for assessing and disclosing intellectual property and technology risks associated with international operations.

The guidance builds on the SEC staff's recent efforts to assist companies with the assessment and disclosure of new and evolving risk areas such as cybersecurity and LIBOR discontinuation.

The foundation of the principles-based disclosure system is the "timely, robust, and complete disclosure of material information, where reporting companies provide a comprehensive picture of the material risks they face, allowing investors to make informed investment and voting decisions." No line-item requirement exists under the federal securities laws, but the SEC staff has already clarified in previous SEC guidance that disclosure requirements apply to a broad range of evolving business risks. For example, the SEC staff highlighted in its February 2018 cybersecurity risk publication that the general disclosure obligations apply to cybersecurity risks when material, even though the federal securities laws do not require companies to disclose cybersecurity risks as a line item.

Intellectual Property and Technology Risks Associated with International Business Operations

The shift toward intangible assets (as opposed to brick-and-mortar assets) and the increase in reliance on technology expose more companies to the risk of intellectual property, proprietary technology and data theft. Because many jurisdictions outside the United States do not have comparable levels of intellectual property protection, companies conducting business in foreign jurisdictions face an even greater level of risk than those conducting business domestically in the US. This is especially true for companies that maintain intellectual property abroad or license technology to joint ventures with foreign partners. Depending on the foreign jurisdiction, companies may even have to compromise protections of their intellectual property, technology or data in order to transact business in the jurisdiction or have access to the market.

The SEC staff's guidance provides examples of agreements and requirements that limit a company's ability or rights to protect its intellectual property, proprietary technology or data, including:

  • patent license agreements pursuant to which a foreign licensee retains rights to improvements on the relevant technology, including the ability to sever such improvements and receive a separate patent, and the right to continued use of technology or intellectual property after the patent or license term of use expires;
  • foreign ownership restrictions, such as joint venture requirements and foreign investment restrictions that potentially compromise control over a company's technology and proprietary information;
  • the use of unusual or idiosyncratic terms favoring foreign persons, including those associated with a foreign government, in technology license agreements, such as access and license provisions, as direct or indirect conditions to conducting business in the foreign jurisdiction; and
  • regulatory requirements that restrict the ability of companies to conduct business unless they agree to store data locally, use local services or technology in connection with their international operations or comply with local licensing or administrative approvals that involve the sharing of intellectual property.

Assessing and Disclosing Risk

The SEC staff's guidance notes that when assessing and disclosing risk, companies should examine the impact on their financial condition, results of operations, effect on reputation, stock price and long-term value. Companies should also consider whether risks are material to voting decisions and, if so, companies should disclose these risks. Further, if a company's intellectual property or proprietary technology has already been materially compromised, mere disclosure of potential risks is insufficient. Instead, the company should specifically describe the applicable event and the related adverse consequences. This evaluation should occur on an ongoing basis.

The SEC staff's guidance proposes several questions companies should consider in relation to their disclosure obligations. Companies should review these questions found in the original guidance. Based on the new guidance, companies with material business operations abroad should pay special attention to their intellectual property, technology and data risks. We expect more companies to disclose risks arising out of their international business operations in upcoming annual and quarterly reports.