SEC disclosure obligations
Technology, IP and cybersecurity risks
The SEC has recently issued new guidance on US reporting companies’ disclosure obligations in relation to technology, intellectual property and cybersecurity risks arising specifically from their international operations. The guidance focuses on companies conducting business in countries that do not afford the same protections to corporate proprietary information, including intellectual property and trade secrets, as those available in the US.
The SEC presented a list of questions that reporting companies should answer when assessing risks in this area and their potential impact on present and future operating plans. They include the following.
- Foreign operations susceptible to theft. Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or intellectual property or the forced transfer of technology?
- Storing technology abroad. Do you store technology or intellectual property locally in a foreign jurisdiction?
- Required suppliers. Are you required to use equipment and services provided by a state actor?
- License agreements. Have you entered into patent or technology license agreements with a foreign entity or government that provides such entity with rights to improvements on the underlying technology or rights to use the technology following the licensing term?
- Controlling shareholder requirements. Are you subject to a requirement that foreign parties must be controlling shareholders or hold a majority of shares in a joint venture in which you are involved, or are you involved in a joint venture that is subject to foreign ownership restrictions or requirements that a foreign party retain certain ownership rights?
- Conditions to business. Have you been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets in a foreign jurisdiction?
- Limited enforcement rights. Are you operating in foreign jurisdictions where the ability to enforce rights over intellectual property is limited as a statutory or practical matter?
- Relocation due to foreign conditions. Have conditions in a foreign jurisdiction caused you to relocate or consider relocating your operations to a different host nation?
- Controls. Do you have controls and procedures in place to adequately protect technology and intellectual property from potential compromise or theft?
The SEC emphasized that companies that conduct business in certain foreign jurisdictions, house technology, data and intellectual property abroad, or license technology to joint ventures with foreign partners, may have more significant exposure. As a prerequisite to engaging in business in a particular jurisdiction, reporting companies may be required to submit to contractual or regulatory provisions that place their intellectual property at risk. Examples of potentially difficult situations cited by the SEC include the following.
- License agreements. Patent license agreements pursuant to which a foreign licensee retains rights to improvements on the relevant technology, and the right to continued use of technology or intellectual property after the patent or license term of use expires;
- Foreign ownership restrictions. Foreign ownership restrictions, such as joint venture requirements and foreign investment restrictions that potentially compromise control over a company’s technology and proprietary information.
- Idiosyncratic terms favoring foreigners. The use of unusual or idiosyncratic terms favoring foreign persons, including those associated with a foreign government, in technology license agreements.
- Regulatory requirements. Regulatory requirements that restrict the ability of companies to conduct business, unless they agree to store data locally, or comply with local licensing or administrative approvals that involve the sharing of intellectual property.
While there is no specific SEC line item that requires disclosure of information relating to the threat of cybersecurity or intellectual property breaches, the SEC has made it clear through this guidance, and other guidance previously issued, that it believes there may be a heightened risk of cybersecurity and data breaches associated with international business operations. The SEC also indicated that disclosure of any material compromise or theft may be required in management’s discussion and analysis, the business section, legal proceedings, disclosure controls and procedures, and the reporting company’s financial statements.
Practical guidance for boards
Intellectual property (IP) protection and cybersecurity remains a key area of SEC focus.
In particular, IP and technology protection concerns arising from non-US operations are a specific area of SEC scrutiny.
Companies need to evaluate risks to their technology and IP arising from foreign operations, joint ventures and license agreements and potentially increase the disclosure of these risks where material.
Reporting companies must disclose the occurrence of a material cybersecurity compromise or theft of intellectual property or data.
Heading into annual reporting season, reporting companies should review the questions provided by the SEC in this guidance when preparing their disclosure.
Additional disclosures regarding risks to intellectual property and technology could potentially be required in the annual report’s MD&A, business section, legal proceedings section, description of the disclosure controls and financial statements.