On December 19, the SEC issued guidance on disclosure obligations that companies should consider with respect to intellectual property and technology risks that may result from conducting business outside the United States, particularly in jurisdictions that do not have comparable levels of protection of corporate proprietary information and assets such as intellectual property, trademarks, trade secrets, know-how and customer information and records. The guidance identifies several sources of potential risk, ranging from situations in which technology, data or intellectual property may be directly stolen or compromised (e.g., cyber intrusions into a company’s computer systems and physical theft through corporate espionage), to more indirect forms of theft or compromise (e.g., companies being required to compromise protections or yield rights to technology, data or intellectual property in order to conduct business in a foreign jurisdiction).
Much like the SEC’s February 2018 guidance on disclosures about cybersecurity risks and incidents, the guidance acknowledges that there is no specific line-item requirement under the federal securities laws to disclose information related to the compromise (or potential compromise) of technology, data or intellectual property. However, the guidance stresses the principles-based nature of the SEC’s disclosure regime and advises that disclosure may be necessary in management’s discussion and analysis, the business section, legal proceedings, disclosure controls and procedures, and/or financial statements. The guidance encourages companies to consider this evolving area of risk and evaluate its materiality on an ongoing basis. The guidance includes an extensive list of questions for companies to consider as they assess these risks and their related disclosure obligations.