SEC disclosure obligations
Technology, IP and cybersecurity risks
The SEC has recently issued new guidance on US reporting companies’ disclosure obligations in relation to technology, intellectual property and cybersecurity risks arising specifically from their international operations. The guidance focuses on companies conducting business in countries that do not afford the same protections to corporate proprietary information, including intellectual property and trade secrets, as those available in the US.
The SEC presented a list of questions that reporting companies should answer when assessing risks in this area and their potential impact on present and future operating plans. They include the following.
- Foreign operations susceptible to theft. Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or intellectual property or the forced transfer of technology?
- Storing technology abroad. Do you store technology or intellectual property locally in a foreign jurisdiction?
- Required suppliers. Are you required to use equipment and services provided by a state actor?
- License agreements. Have you entered into patent or technology license agreements with a foreign entity or government that provides such entity with rights to improvements on the underlying technology or rights to use the technology following the licensing term?
- Controlling shareholder requirements. Are you subject to a requirement that foreign parties must be controlling shareholders or hold a majority of shares in a joint venture in which you are involved, or are you involved in a joint venture that is subject to foreign ownership restrictions or requirements that a foreign party retain certain ownership rights?
- Conditions to business. Have you been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets in a foreign jurisdiction?
- Limited enforcement rights. Are you operating in foreign jurisdictions where the ability to enforce rights over intellectual property is limited as a statutory or practical matter?
- Relocation due to foreign conditions. Have conditions in a foreign jurisdiction caused you to relocate or consider relocating your operations to a different host nation?
- Controls. Do you have controls and procedures in place to adequately protect technology and intellectual property from potential compromise or theft?
The SEC emphasized that companies that conduct business in certain foreign jurisdictions, house technology, data and intellectual property abroad, or license technology to joint ventures with foreign partners, may have more significant exposure. As a prerequisite to engaging in business in a particular jurisdiction, reporting companies may be required to submit to contractual or regulatory provisions that place their intellectual property at risk. Examples of potentially difficult situations cited by the SEC include the following.
- License agreements. Patent license agreements pursuant to which a foreign licensee retains rights to improvements on the relevant technology, and the right to continued use of technology or intellectual property after the patent or license term of use expires.
- Foreign ownership restrictions. Foreign ownership restrictions, such as joint venture requirements and foreign investment restrictions that potentially compromise control over a company’s technology and proprietary information.
- Idiosyncratic terms favoring foreigners. The use of unusual or idiosyncratic terms favoring foreign persons, including those associated with a foreign government, in technology license agreements.
- Regulatory requirements. Regulatory requirements that restrict the ability of companies to conduct business, unless they agree to store data locally, or comply with local licensing or administrative approvals that involve the sharing of intellectual property.
While there is no specific SEC line item that requires disclosure of information relating to the threat of cybersecurity or intellectual property breaches, the SEC has made it clear through this guidance, and other guidance previously issued, that it believes there may be a heightened risk of cybersecurity and data breaches associated with international business operations. The SEC also indicated that disclosure of any material compromise or theft may be required in management’s discussion and analysis, the business section, legal proceedings, disclosure controls and procedures, and the reporting company’s financial statements.
Practical guidance for boards
Intellectual property (IP) protection and cybersecurity remain a key area of SEC focus.
In particular, IP and technology protection concerns arising from non-US operations are a specific area of SEC scrutiny.
Companies need to evaluate risks to their technology and IP arising from foreign operations, joint ventures and license agreements and potentially increase the disclosure of these risks where material.
Reporting companies must disclose the occurrence of a material cybersecurity compromise or theft of intellectual property or data.
Heading into annual reporting season, reporting companies should review the questions provided by the SEC in this guidance when preparing their disclosure.
Additional disclosures regarding risks to intellectual property and technology could potentially be required in the annual report’s MD&A, business section, legal proceedings section, description of the disclosure controls and financial statements.