Thursday, December 26, 2019

CorpFin issues guidance on technology risks associated with international business operations

By Joanne Cursinella, J.D.

The Commission’s Division of Corporation Finance has issued Disclosure Guidance: Topic No. 8, which discusses the disclosure obligations that companies should consider regarding intellectual property and technology risks that may occur when they engage in international operations. The SEC disclosure regime recognizes that a variety of new risks may arise over time and each of these risks may affect different companies in different ways. This guidance is a continuation of the Commission’s effort to guide public companies both in assessing materiality of risks and in drafting related disclosure that is material to an investment decision.

According to the guidance, the increased reliance on technology, coupled with a shift in the composition of many companies’ assets from traditional brick-and-mortar assets toward intangible ones, may expose companies to material risks of theft of proprietary technology and other intellectual property. Companies that conduct business in certain foreign jurisdictions; house technology, data, and intellectual property abroad; or license technology to joint ventures with foreign partners may have more significant exposure.

These companies should consider their disclosure obligations regarding risks related to the potential theft or compromise of data, technology, and intellectual property within the context of the federal securities laws and its principles-based disclosure system. The Commission has made it clear that its disclosure requirements apply to evolving business risks, even in the absence of specific requirements, but existing rules may also require such disclosure regarding the actual theft or compromise of technology, data, or intellectual property if it pertains to assets or intangibles that are material to a company’s business prospects. The guidance provides, as an example, that disclosure may be necessary in management’s discussion and analysis, the business section, legal proceedings, disclosure controls and procedures, and/or financial statements.

Sources of risk. One source of risk is a direct intrusion by private parties or foreign actors, including those affiliated with or controlled by state actors. But a company’s technology, data, and intellectual property may be subject to theft or compromise via more indirect routes as well, the guidance points out. For example, companies may be required to compromise protections or yield rights to technology, data, or intellectual property to conduct business or access markets in a foreign jurisdiction, either through formal written agreements or due to legal or administrative requirements in the host nation. The guidance provides four specifics: (1) when patent license agreements pursuant to which a foreign licensee retains rights to improvements on the relevant technology; (2) foreign ownership restrictions, such as joint venture requirements and foreign investment restriction; (3) the use of unusual or idiosyncratic terms favoring foreign persons; and (4) regulatory requirements that restrict the ability of companies to conduct business unless they agree to some type of arrangement that involves the sharing of intellectual property.

Assessing and disclosing risk. The Division encourages companies to assess the risks related to the potential theft or compromise of their technology, data, or intellectual property in connection with their international operations and how these risks may impact their business. When risks are deemed material to investment and voting decisions, they should be disclosed and specifically tailored to a company’s unique facts and circumstances.

When a company’s technology, data, or intellectual property is being, or previously was, materially compromised, stolen, or otherwise illicitly accessed, hypothetical disclosure of potential risks is not sufficient to satisfy a company’s reporting obligations, the guidance warns. It advises that companies should continue to consider this "evolving area of risk" to evaluate its materiality on an ongoing basis. As companies assess these risks and their related disclosure obligations, there are questions to consider with respect to their present and future operating plans. The guidance provides 12 bullet points of specific matters to consider.
  • Is there a heightened risk to your technology or intellectual property because you have or expect to maintain significant assets or earn a material amount of revenue abroad?
  • Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or intellectual property or the forced transfer of technology?
  • Have you directly or indirectly transferred or licensed technology or intellectual property to a foreign entity or government?
  • Have you entered into a patent or technology license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology?
  • Are you subject to a requirement that foreign parties must be controlling shareholders or hold a majority of shares in a joint venture in which you are involved?
  • Have you provided access to your technology or intellectual property to a state actor or regulator in connection with foreign regulatory or licensing procedures?
  • Have you been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets located in a foreign jurisdiction?
  • Are you operating in foreign jurisdictions where the ability to enforce rights over intellectual property is limited as a statutory or practical matter?
  • Do you conduct business in a foreign jurisdiction or through a joint venture that may be subject to state secrecy or other laws?
  • Have conditions in a foreign jurisdiction caused you to relocate or consider relocating your operations to a different host nation?
  • Do you have controls and procedures in place to adequately protect technology and intellectual property from potential compromise or theft?
  • What level of risk oversight and management does the board of directors and executive officers have with regard to the company’s data, technology and intellectual property and how these assets may be impacted by operations in foreign jurisdictions where they may be subject to additional risks?