On December 19, 2019, the Securities and Exchange Commission’s (“SEC”) Division of Corporation Finance released new disclosure guidance about intellectual property and technology risks that companies with international business operations should consider while preparing annual reports, proxy statements and other filings made with the SEC. This guidance encourages companies to consider and identify the sources of risk for their intellectual property and technology assets, and to disclose those risks when material to investment and voting decisions. This new guidance is available here.
Sources of Intellectual Property and Technology Risks
Over the last year, the SEC has identified a few emerging risks for public companies to consider while assessing the material risks those companies face, including risks related to cybersecurity, the impending transition away from LIBOR and the United Kingdom’s upcoming withdrawal from the European Union. This most recent guidance identifies the additional risks faced by companies with international business operations as more companies rely on technology and shift their investments from physical assets into intangible assets. These companies are increasingly exposed to the risks of potential theft or compromise of data, technology and intellectual property.
Specifically, the guidance explains that companies operating internationally face the risk of theft of data, technology or intellectual property through direct intrusion by private parties or foreign actors, such as cyberattacks on company computer systems or physical theft with the help of corporate insiders.
Additionally, a company’s data, technology or intellectual property may be subject to theft or compromise through indirect routes. For example, the guidance explains that companies doing business abroad may be required to compromise protections or forgo their control of or rights to data, technology or intellectual property in order to conduct business in or to access markets in a foreign country, either through formal written agreements or due to legal or administrative requirements. Examples mentioned in the guidance that may increase these risks include:
- patent license agreements that grant the foreign licensee rights to improvement of the technology and continued use after expiration of the patent or license;
- foreign ownership or investment restrictions;
- idiosyncratic terms favoring foreign parties; and
- regulatory requirements that require companies to store data locally in the foreign jurisdiction or use local services or technology.
Assessing and Disclosing Intellectual Property and Technology Risks
The guidance encourages companies to assess the heightened risks related to the potential theft or compromise of their data, technology or intellectual property that may result from conducting business in a foreign jurisdiction. The guidance provides a list of questions to assist companies with assessing these risks and their related disclosure obligations. In the list of questions, the SEC focused on whether a company maintains significant assets in a foreign jurisdiction; whether it has transferred or licensed technology that a foreign entity may have the right to use after the expiration of a set term; whether the company has provided information about its intellectual property to a state actor or has yielded rights to gain access to a foreign jurisdiction; and whether the company has adequate controls and procedures in place to identify and respond to the risks highlighted by the guidance.
After assessing these risks, the guidance encourages companies to disclose these risks when they are material to investment and voting decisions. Under federal securities laws, there is no specific line-item requirement to disclose information related to the compromise (or potential compromise) of data, technology or intellectual property. The guidance, however, emphasizes that the SEC has made clear that disclosure requirements for public companies are principles-based and apply to a broad range of evolving business risks. Furthermore, current regulations could require disclosure regarding the actual theft or compromise of data, technology or intellectual property if material to the company and its operations.
What to Do Now
While this guidance is non-binding and does not change existing rules, it is a signal from the SEC of the issues the SEC Staff will be focused on while reviewing annual reports, proxy statements and registration statements. Companies preparing their annual reports and proxy statements should assess the risks posed by their international business operations to their intellectual property and technology assets and evaluate how these risks may affect their business, results of operations, reputation and stock price, among other potential impacts, especially where material to investment or voting decisions. Accordingly, companies should consider adding disclosure to certain sections of their annual reports and proxy statements, such as risk factors, management’s discussion and analysis and the business and legal proceedings sections. If you would like more information regarding the impact of the SEC’s recent guidance, please contact a member of Harter Secrest & Emery LLP’s Securities and Capital Markets group.