SEC Provides Disclosure Guidance on Intellectual Property and Technology Risks Associated with International Business Operations
On December 19, 2019, the Division of Corporate Finance of the Securities Exchange Commission (SEC) released Number 8 in its series of CF Disclosure Guidance documents, entitled: Intellectual Property and Technology Risk Associated with International Business Operations. The guidance is directed at providing the Division’s views related to disclosure obligations that companies should consider with respect to intellectual property, and technology risks that may occur when engaging in international operations, including conducting business with foreign governments and companies.
The guidance notes that given the global nature of today’s economies, domestic companies are routinely exposed to an ever evolving and growing set of risks from international concerns, particularly with respect to intellectual property and technology related matters. In particular, the guidance notes that it is intended to address, “risks to technology and intellectual property that may result from conducting business outside the United States, particularly in jurisdictions that do not have comparable levels of protection of corporate proprietary information and assets such as intellectual property, trademarks, trade secrets, know-how and customer information and records.”
No Line-Item Requirement
The guidance specifically notes that there is no, “[S]pecific line-item requirement under federal securities laws to disclose information related to the compromise (or potential compromise) of technology, data or intellectual property.” However, it does note that the SEC has made it clear that the disclosure requirements apply to a, “broad range of evolving business risks in the absence of specific requirements,” and that there are existing rules and regulations “[T]hat could require disclosure regarding actual theft or compromise of technology, data or intellectual property.”
The guidance further provides for examples of where disclosure may be required in a company’s reports, such as in, “[M]anagement’s discussion and analysis, the business section, legal proceedings, disclosure controls and procedures, and/or financial statements.”
Sources of Risk Associated with the Potential Theft of Technology and Intellectual Property
The Division further detailed sources of potential risk to such intellectual property and technology concerns, through direct actions, such as theft or direct intrusion by foreign actors, and indirect actions, such as reverse engineering by JV partners, or requirements to yield rights to technology in order to conduct business in a foreign jurisdiction. The guidance gave several illustrative examples:
- patent license agreements pursuant to which a foreign licensee retains rights to improvements on the relevant technology, including the ability to sever such improvements and receive a separate patent, and the right to continued use of technology or intellectual property after the patent or license term of use expires;
- foreign ownership restrictions, such as joint venture requirements and foreign investment restrictions that potentially compromise control over a company’s technology and proprietary information;
- the use of unusual or idiosyncratic terms favoring foreign persons, including those associated with a foreign government, in technology license agreements, such as access and license provisions, as direct or indirect conditions to conducting business in the foreign jurisdiction; and
- regulatory requirements that restrict the ability of companies to conduct business, unless they agree to store data locally, use local services or technology in connection with their international operations, or comply with local licensing or administrative approvals that involve the sharing of intellectual property.
Assessing and Disclosing Risks Related to Potential Theft or Compromise of Technology and Intellectual Property
The guidance encourages companies to assess the risks related to: i) the potential theft or compromise of their technology, data or intellectual property in connection with their international operations; ii) how the realization of these risks may impact their business; and iii) effects on their reputation, stock price and long-term value that may come as a result.
Without surprise, the guidance notes that “Where these risks are material to investment and voting decisions, they should be disclosed.” These disclosures should be tailored to unique facts and circumstances specific to the disclosing company. Similarly, the guidance states that “[W]here a company’s technology, data or intellectual property is being or previously was materially compromised, stolen or otherwise illicitly accessed, hypothetical disclosure of potential risks is not sufficient to satisfy a company’s reporting obligations.”
SEC staff suggests consideration of the following questions with respect a company’s present and future operating plans:
- Is there a heightened risk to your technology or intellectual property because you have or expect to maintain significant assets or earn a material amount of revenue abroad?
- Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or intellectual property or the forced transfer of technology? Do you believe that your products have been, or may be, subject to counterfeit and sale, including through e-commerce?
- Have you directly or indirectly transferred or licensed technology or intellectual property to a foreign entity or government, such as through the creation of a joint venture with a foreign entity? Do you store technology or intellectual property locally in a foreign jurisdiction? Are you required to use equipment and services provided by a state actor, including equipment or services that could result in a reduction in protections?
- Have you entered into a patent or technology license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology and/or rights to continued use of the technology following the licensing term, including in connection with a joint venture?
- Are you subject to a requirement that foreign parties must be controlling shareholders or hold a majority of shares in a joint venture in which you are involved, or are you involved in a joint venture that is subject to foreign ownership restrictions or requirements that a foreign party retain certain ownership rights?
- Have you provided access to your technology or intellectual property to a state actor or regulator in connection with foreign regulatory or licensing procedures, including but not limited to local licensing and administrative procedures?
- Have you been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets located in a foreign jurisdiction?
- Are you operating in foreign jurisdictions where the ability to enforce rights over intellectual property is limited as a statutory or practical matter?
- Do you conduct business in a foreign jurisdiction or through a joint venture that may be subject to state secrecy or other laws, such as those limiting or prohibiting the export of data or financial documentation? Are you able to readily produce data or other information that is housed internationally in response to regulatory requirements or inquiries?
- Have conditions in a foreign jurisdiction caused you to relocate or consider relocating your operations to a different host nation? Have you considered related material costs, such as costs to train new employees, establish new facilities and supply chains, and the impact of any related gaps or lags in production, manufacture and/or export of your products?
- Do you have controls and procedures in place to adequately protect technology and intellectual property from potential compromise or theft? Do these policies and procedures enable you to identify risks and incidents, analyze the impact on your business, respond expediently, appropriately and effectively when incidents occur and repair any damage caused by such incidents? Are your controls and procedures designed to detect:
- malfeasance by employees, contractors or other insiders who may have access to your technology and intellectual property;
- industrial, corporate or other espionage events;
- unauthorized intrusions into commercial computer networks; and
- other forms of theft and cyber-theft of your technology and intellectual property?
- What level of risk oversight and management does the board of directors and executive officers have with regard to the company’s data, technology and intellectual property and how these assets may be impacted by operations in foreign jurisdictions where they may be subject to additional risks? What knowledge do these individuals have about these risks and what role do they have in responding if and when an issue arises?
Ultimately, for companies with exposure to international business operations involving intellectual property and technology matters it is important to analyze whether concerns of potential or actual compromise of a company’s intellectual property rights or technology would warrant disclosure in a company’s periodic reports and other disclosure documents.
Generally, discussion with both internal and external counsel on these matters is ideal, particularly where there may be elevated causes for concern, such as operating in foreign jurisdictions with high occurrences of incidents or risks, or where the intellectual property and technology of a company are vital to the ongoing successful business operations of that company.