In December 2019, the Division of Corporation Finance (Staff) of the U.S. Securities and Exchange Commission (SEC) published new "CF Disclosure Guidance: Topic No. 8" (Guidance) regarding disclosure obligations companies should consider with respect to intellectual property and technology risks associated with international business operations. As a follow on to the SEC's 2018 interpretive guidance on cybersecurity and the recent statements by Chairman Jay Clayton and Director William Hinman, the Guidance focuses on business conducted outside the United States, particularly in countries that do not have comparable levels of protection of corporate proprietary information and assets, including intellectual property, trademarks, trade secrets, know-how, and customer information and records.
Companies should consider the Guidance in assessing the materiality of these risks and preparing related disclosures. When material, companies often include disclosures related to these risks in their periodic reports, including in their management's discussion and analysis, the business description, legal proceedings, disclosure controls and procedures, and/or financial statements.
Sources of Risk. The Guidance explains that companies face risks associated with the potential theft of technology, data and intellectual property from a variety of sources. Examples include direct intrusions into company computer systems and physical theft, as well as more indirect routes such as the reverse engineering of company products or components.
In addition, the Guidance states that companies may be required to compromise protections or yield rights to their technology, data or intellectual property in order to conduct business or access markets in certain foreign jurisdictions. This may occur through formal written agreements or due to legal or regulatory requirements in that jurisdiction, including, for example:
- patent license agreements that provide the foreign licensee certain rights to improvements on the technology and rights to continued use of the technology after the patent or license term of use expires;
- foreign ownership restrictions that may result in the compromise of a company's control of its technology and proprietary information;
- the use of unusual or idiosyncratic terms favoring foreign persons in technology license agreements as conditions to conducting business in the foreign jurisdiction; and
- regulatory requirements that restrict the ability of companies to conduct business unless the company agrees to store data locally, to use local services or technology, or to comply with local requirements that involve the sharing of intellectual property.
Assessing and Disclosing the Risks. The Guidance encourages companies to assess the risks related to the potential theft or compromise of their technology, data and intellectual property associated with international operations and how the realization of such risks may impact their business. Consistent with past Staff statements and other guidance, the Guidance also "encourage[s] companies to provide disclosure that allows investors to evaluate these risks through the eyes of management" and emphasizes that "disclosure about these risks should be specifically tailored to a company's unique facts and circumstances." In addition, if a company actually has experienced a material compromise, the Guidance makes clear that hypothetical disclosure of that incident as merely a potential risk would not satisfy the company's reporting obligation.
The Guidance indicates that the Staff expects companies to continue to monitor the evolving risks in this area and evaluate the materiality of such risks on an ongoing basis. In doing so, the Guidance provides a sample list of questions that companies may consider when assessing the associated risks and their related disclosure obligations. Some of these questions include:
- Is there a heightened risk to your technology or intellectual property because you have or expect to maintain significant assets or earn a material amount of revenue abroad?
- Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or intellectual property or the forced transfer of technology? Do you believe that your products have been, or may be, subject to counterfeit and sale, including through e-commerce?
- Have you been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets located in a foreign jurisdiction?
- Are you operating in foreign jurisdictions where the ability to enforce rights over intellectual property is limited as a statutory or practical matter?
- What level of risk oversight and management do the board of directors and executive officers have with regard to the company's data, technology and intellectual property and how these assets may be impacted by operations in foreign jurisdictions where they may be subject to additional risks? What knowledge do these individuals have about these risks and what role do they have in responding if and when an issue arises?