The Law and Business of Social Media
January 21, 2020 - Securities Law, Cybersecurity, IP

SEC Staff Issues Guidance on Technology, Data & IP Risks in International Operations

SEC Staff Issues Guidance on Technology, Data & IP Risks in International Operations

On December 19, 2019, the Staff of the U.S. Securities and Exchange Commission’s Division of Corporation Finance issued guidance outlining the Staff’s views about disclosure obligations that companies should consider with respect to technology, data and intellectual property risks that could arise when operations take place outside the United States. Companies should consider this guidance when preparing risk factor and other disclosures included in upcoming periodic reports and registration statements.

Background

The Staff notes that the SEC’s principles-based disclosure regime recognizes that new risks may arise over time, affecting different companies in different ways. For those companies that conduct business operations outside the United States, risks can arise for technology and intellectual property, particularly when operations take place in jurisdictions that do not provide protection that is comparable to the United States. The Staff observes that companies may be exposed to material risks of “theft of proprietary technology and other intellectual property, including technical data, business processes, data sets or other sensitive information.” Exposure to such risks can be heightened when companies conduct business in some foreign jurisdictions, house technology, data and intellectual property abroad, or license technology to joint ventures with foreign partners.

The Staff notes that while there is no specific line-item requirement under the federal securities laws to disclose “information related to the compromise (or potential compromise) of technology, data or intellectual property,” the SEC’s disclosure requirements apply to a broad range of evolving business risks. The Staff indicates that disclosure about such matters may be necessary in risk factors, management’s discussion and analysis, the business section, legal proceedings, disclosure controls and procedures, and/or financial statements.

Sources of Risk

The Staff notes that companies face the risk of theft of technology, data and intellectual property, which could occur through a direct intrusion by private parties or foreign actors (including those affiliated with or controlled by state actors). In this regard, a company could experience cyber intrusions, as well as physical theft through corporate espionage.  Indirect theft or compromise could also occur when a company’s products or components are “reverse engineered” by joint venture partners or other parties, resulting in infringement on the company’s patents or the theft of know-how or trade secrets. In addition, the Staff notes that companies may be required to “compromise protections or yield rights to technology, data or intellectual property in order to conduct business or access markets in a foreign jurisdiction, either through formal written agreements or due to legal or administrative requirements in the host nation.” The Staff cites examples such as:

  • Patent license agreements pursuant to which a foreign licensee retains rights to improvements on the relevant technology, including the ability to sever such improvements and receive a separate patent, and the right to continued use of technology or intellectual property after the patent or license term of use expires;
  • Foreign ownership restrictions, such as joint venture requirements and foreign investment restrictions that can potentially compromise control over a company’s technology and proprietary information;
  • The use of unusual or idiosyncratic terms favoring foreign persons, including those associated with a foreign government, in technology license agreements, such as access and license provisions, as direct or indirect conditions to conducting business in the foreign jurisdiction; and
  • Regulatory requirements that restrict the ability of companies to conduct business, unless they agree to store data locally, use local services or technology in connection with their international operations, or comply with local licensing or administrative approvals that involve the sharing of intellectual property.

Assessing and Disclosing Risks

The Staff encourages companies “to assess the risks related to the potential theft or compromise of their technology, data or intellectual property in connection with their international operations, as well as how the realization of these risks may impact their business, including their financial condition and results of operations, and any effects on their reputation, stock price and long-term value.” The Staff notes that when these risks are material to investment and voting decisions, the risks should be disclosed in a manner that allows investors to evaluate these risks “through the eyes of management.” The Staff states that disclosure about these risks should be specifically tailored to a company’s unique facts and circumstances, and that “hypothetical disclosure of potential risks is not sufficient to satisfy a company’s reporting obligations.”  The Staff suggests that companies consider the following questions when assessing and disclosing risks:

  • Is there a heightened risk to your technology or intellectual property because you have or expect to maintain significant assets or earn a material amount of revenue abroad?
  • Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or intellectual property or the forced transfer of technology?  Do you believe that your products have been, or may be, subject to counterfeit and sale, including through e-commerce?
  • Have you directly or indirectly transferred or licensed technology or intellectual property to a foreign entity or government, such as through the creation of a joint venture with a foreign entity? Do you store technology or intellectual property locally in a foreign jurisdiction? Are you required to use equipment and services provided by a state actor, including equipment or services that could result in a reduction in protections?
  • Have you entered into a patent or technology license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology and/or rights to continued use of the technology following the licensing term, including in connection with a joint venture?
  • Are you subject to a requirement that foreign parties must be controlling shareholders or hold a majority of shares in a joint venture in which you are involved, or are you involved in a joint venture that is subject to foreign ownership restrictions or requirements that a foreign party retain certain ownership rights?
  • Have you provided access to your technology or intellectual property to a state actor or regulator in connection with foreign regulatory or licensing procedures, including but not limited to local licensing and administrative procedures?
  • Have you been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets located in a foreign jurisdiction?
  • Are you operating in foreign jurisdictions where the ability to enforce rights over intellectual property is limited as a statutory or practical matter?
  • Do you conduct business in a foreign jurisdiction or through a joint venture that may be subject to state secrecy or other laws, such as those limiting or prohibiting the export of data or financial documentation? Are you able to readily produce data or other information that is housed internationally in response to regulatory requirements or inquiries?
  • Have conditions in a foreign jurisdiction caused you to relocate or consider relocating your operations to a different host nation? Have you considered related material costs, such as costs to train new employees, establish new facilities and supply chains, and the impact of any related gaps or lags in production, manufacture and/or export of your products?
  • Do you have controls and procedures in place to adequately protect technology and intellectual property from potential compromise or theft? Do these policies and procedures enable you to identify risks and incidents, analyze the impact on your business, respond expediently, appropriately and effectively when incidents occur and repair any damage caused by such incidents? Are your controls and procedures designed to detect:
    • Malfeasance by employees, contractors or other insiders who may have access to your technology and intellectual property;
    • Industrial, corporate or other espionage events;
    • Unauthorized intrusions into commercial computer networks; and
    • Other forms of theft and cyber-theft of your technology and intellectual property?
  • What level of risk oversight and management does the board of directors and executive officers have with regard to the company’s data, technology and intellectual property and how these assets may be impacted by operations in foreign jurisdictions where they may be subject to additional risks? What knowledge do these individuals have about these risks and what role do they have in responding if and when an issue arises?

Next Steps

While the Staff’s guidance is not a new rule, regulation or statement of the U.S. Securities and Exchange Commission, it does represent an important reminder for companies preparing disclosures for upcoming periodic reports and registration statements. While the potential risks for a company’s technology, data and intellectual property are often addressed in risk factor disclosures, companies with international operations should consider whether such disclosures need to be augmented to address the particular risks of theft or compromise that can arise because of the jurisdictions in which operations occur and relationships with foreign entities. We expect that the Staff will be focused on these disclosures in their review of periodic reports and registration statements.