On December 19, 2019, the Staff of the U.S. Securities and Exchange Commission’s Division of Corporation Finance issued guidance outlining the Staff’s views about disclosure obligations that companies should consider with respect to technology, data and intellectual property risks that could arise when operations take place outside the United States. Companies should consider this guidance when preparing risk factor and other disclosures included in upcoming periodic reports and registration statements.
The Staff notes that the SEC’s principles-based disclosure regime recognizes that new risks may arise over time, affecting different companies in different ways. For those companies that conduct business operations outside the United States, risks can arise for technology and intellectual property, particularly when operations take place in jurisdictions that do not provide protection that is comparable to the United States. The Staff observes that companies may be exposed to material risks of “theft of proprietary technology and other intellectual property, including technical data, business processes, data sets or other sensitive information.” Exposure to such risks can be heightened when companies conduct business in some foreign jurisdictions, house technology, data and intellectual property abroad, or license technology to joint ventures with foreign partners.
The Staff notes that while there is no specific line-item requirement under the federal securities laws to disclose “information related to the compromise (or potential compromise) of technology, data or intellectual property,” the SEC’s disclosure requirements apply to a broad range of evolving business risks. The Staff indicates that disclosure about such matters may be necessary in risk factors, management’s discussion and analysis, the business section, legal proceedings, disclosure controls and procedures, and/or financial statements.
Sources of Risk
The Staff notes that companies face the risk of theft of technology, data and intellectual property, which could occur through a direct intrusion by private parties or foreign actors (including those affiliated with or controlled by state actors). In this regard, a company could experience cyber intrusions, as well as physical theft through corporate espionage. Indirect theft or compromise could also occur when a company’s products or components are “reverse engineered” by joint venture partners or other parties, resulting in infringement on the company’s patents or the theft of know-how or trade secrets. In addition, the Staff notes that companies may be required to “compromise protections or yield rights to technology, data or intellectual property in order to conduct business or access markets in a foreign jurisdiction, either through formal written agreements or due to legal or administrative requirements in the host nation.” The Staff cites examples such as:
Assessing and Disclosing Risks
The Staff encourages companies “to assess the risks related to the potential theft or compromise of their technology, data or intellectual property in connection with their international operations, as well as how the realization of these risks may impact their business, including their financial condition and results of operations, and any effects on their reputation, stock price and long-term value.” The Staff notes that when these risks are material to investment and voting decisions, the risks should be disclosed in a manner that allows investors to evaluate these risks “through the eyes of management.” The Staff states that disclosure about these risks should be specifically tailored to a company’s unique facts and circumstances, and that “hypothetical disclosure of potential risks is not sufficient to satisfy a company’s reporting obligations.” The Staff suggests that companies consider the following questions when assessing and disclosing risks:
While the Staff’s guidance is not a new rule, regulation or statement of the U.S. Securities and Exchange Commission, it does represent an important reminder for companies preparing disclosures for upcoming periodic reports and registration statements. While the potential risks for a company’s technology, data and intellectual property are often addressed in risk factor disclosures, companies with international operations should consider whether such disclosures need to be augmented to address the particular risks of theft or compromise that can arise because of the jurisdictions in which operations occur and relationships with foreign entities. We expect that the Staff will be focused on these disclosures in their review of periodic reports and registration statements.
 CF Disclosure Guidance Topic No. 8, Intellectual Property and Technology Risks Associated with International Business Operations, available at: https://www.sec.gov/corpfin/risks-technology-intellectual-property-international-business-operations.