Intellectual Property and Technology Risks Associated with International Business Operations
Dec. 18, 2019
Division of Corporation Finance
Securities and Exchange Commission
CF Disclosure Guidance: Topic No. 8
Date: December 19, 2019
Summary: This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations that companies should consider with respect to intellectual property and technology risks that may occur when they engage in international operations.
Supplementary Information: The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content. This guidance, like all staff guidance, has no legal force or effect: it does not alter or amend applicable law, and it creates no new or additional obligations for any person.
The global and technologically interconnected nature of today’s business environment exposes companies to a wide array of evolving risks. Our principles-based disclosure regime, rooted in materiality, recognizes that a variety of new risks may arise over time, and each of these risks may affect different companies in different ways. The Securities and Exchange Commission and its staff have recently issued statements and guidance discussing a number of these risks to assist public companies both in assessing their materiality and in drafting related disclosure that is material to an investment decision. This guidance continues those efforts and addresses risks to technology and intellectual property that may result from conducting business outside the United States, particularly in jurisdictions that do not have comparable levels of protection of corporate proprietary information and assets such as intellectual property, trademarks, trade secrets, know-how and customer information and records.
The increased reliance on technology, coupled with a shift in the composition of many companies’ assets from traditional brick-and-mortar assets towards intangible ones, may expose companies to material risks of theft of proprietary technology and other intellectual property, including technical data, business processes, data sets or other sensitive information. While many companies may face these types of risks, companies that conduct business in certain foreign jurisdictions, house technology, data and intellectual property abroad, or license technology to joint ventures with foreign partners may have more significant exposure.
Companies should consider their disclosure obligations regarding risks related to the potential theft or compromise of data, technology and intellectual property within the context of the federal securities laws and our principles-based disclosure system. The cornerstone of this system is the timely, robust and complete disclosure of material information, where reporting companies provide a comprehensive picture of the material risks they face, allowing investors to make informed investment and voting decisions. Although there is no specific line-item requirement under the federal securities laws to disclose information related to the compromise (or potential compromise) of technology, data or intellectual property, the Commission has made clear that its disclosure requirements apply to a broad range of evolving business risks in the absence of specific requirements. In addition, a number of existing rules or regulations could require disclosure regarding the actual theft or compromise of technology, data or intellectual property if it pertains to assets or intangibles that are material to a company’s business prospects. For example, disclosure may be necessary in management’s discussion and analysis, the business section, legal proceedings, disclosure controls and procedures, and/or financial statements.
Sources of Risk Associated with the Potential Theft of Technology and Intellectual Property
Among the risks faced by companies is the risk of theft of technology, data and intellectual property through a direct intrusion by private parties or foreign actors, including those affiliated with or controlled by state actors. While not exclusive, examples of situations in which technology, data or intellectual property may be stolen or compromised through direct intrusion include cyber intrusions into a company’s computer systems and physical theft through corporate espionage, including with the assistance of insiders.
In addition, a company’s technology, data and intellectual property may be subject to theft or compromise via more indirect routes. For example, a company’s products or components may be reverse engineered by joint venture partners or other parties, including those affiliated with state actors, and the company’s patents subsequently infringed or know-how or trade secrets stolen. Companies may be required to compromise protections or yield rights to technology, data or intellectual property in order to conduct business in or access markets in a foreign jurisdiction, either through formal written agreements or due to legal or administrative requirements in the host nation. By limiting or otherwise negatively impacting a company’s rights to protect its own technology, data or intellectual property, these types of agreements and requirements may impede both the company’s ability to compete today as well as its ability to retain and improve on this intellectual property, thereby inhibiting chances of future success. Examples include:
- patent license agreements pursuant to which a foreign licensee retains rights to improvements on the relevant technology, including the ability to sever such improvements and receive a separate patent, and the right to continued use of technology or intellectual property after the patent or license term of use expires;
- foreign ownership restrictions, such as joint venture requirements and foreign investment restrictions that potentially compromise control over a company’s technology and proprietary information;
- the use of unusual or idiosyncratic terms favoring foreign persons, including those associated with a foreign government, in technology license agreements, such as access and license provisions, as direct or indirect conditions to conducting business in the foreign jurisdiction; and
- regulatory requirements that restrict the ability of companies to conduct business, unless they agree to store data locally, use local services or technology in connection with their international operations, or comply with local licensing or administrative approvals that involve the sharing of intellectual property.
Assessing and Disclosing Risks Related to Potential Theft or Compromise of Technology and Intellectual Property
We encourage companies to assess the risks related to the potential theft or compromise of their technology, data or intellectual property in connection with their international operations, as well as how the realization of these risks may impact their business, including their financial condition and results of operations, and any effects on their reputation, stock price and long-term value. Where these risks are material to investment and voting decisions, they should be disclosed, and we encourage companies to provide disclosure that allows investors to evaluate these risks through the eyes of management. Importantly, disclosure about these risks should be specifically tailored to a company’s unique facts and circumstances. In this same vein, where a company’s technology, data or intellectual property is being or previously was materially compromised, stolen or otherwise illicitly accessed, hypothetical disclosure of potential risks is not sufficient to satisfy a company’s reporting obligations. We believe that companies should continue to consider this evolving area of risk and evaluate its materiality on an ongoing basis. As companies assess these risks and their related disclosure obligations, questions to consider with respect to their present and future operating plans may include:
- Is there a heightened risk to your technology or intellectual property because you have or expect to maintain significant assets or earn a material amount of revenue abroad?
- Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or intellectual property or the forced transfer of technology? Do you believe that your products have been, or may be, subject to counterfeit and sale, including through e-commerce?
- Have you directly or indirectly transferred or licensed technology or intellectual property to a foreign entity or government, such as through the creation of a joint venture with a foreign entity? Do you store technology or intellectual property locally in a foreign jurisdiction? Are you required to use equipment and services provided by a state actor, including equipment or services that could result in a reduction in protections?
- Have you entered into a patent or technology license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology and/or rights to continued use of the technology following the licensing term, including in connection with a joint venture?
- Are you subject to a requirement that foreign parties must be controlling shareholders or hold a majority of shares in a joint venture in which you are involved, or are you involved in a joint venture that is subject to foreign ownership restrictions or requirements that a foreign party retain certain ownership rights?
- Have you provided access to your technology or intellectual property to a state actor or regulator in connection with foreign regulatory or licensing procedures, including but not limited to local licensing and administrative procedures?
- Have you been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets located in a foreign jurisdiction?
- Are you operating in foreign jurisdictions where the ability to enforce rights over intellectual property is limited as a statutory or practical matter?
- Do you conduct business in a foreign jurisdiction or through a joint venture that may be subject to state secrecy or other laws, such as those limiting or prohibiting the export of data or financial documentation? Are you able to readily produce data or other information that is housed internationally in response to regulatory requirements or inquiries?
- Have conditions in a foreign jurisdiction caused you to relocate or consider relocating your operations to a different host nation? Have you considered related material costs, such as costs to train new employees, establish new facilities and supply chains, and the impact of any related gaps or lags in production, manufacture and/or export of your products?
- Do you have controls and procedures in place to adequately protect technology and intellectual property from potential compromise or theft? Do these policies and procedures enable you to identify risks and incidents, analyze the impact on your business, respond expediently, appropriately and effectively when incidents occur and repair any damage caused by such incidents? Are your controls and procedures designed to detect:
- malfeasance by employees, contractors or other insiders who may have access to your technology and intellectual property;
- industrial, corporate or other espionage events;
- unauthorized intrusions into commercial computer networks; and
- other forms of theft and cyber-theft of your technology and intellectual property?
- What level of risk oversight and management does the board of directors and executive officers have with regard to the company’s data, technology and intellectual property and how these assets may be impacted by operations in foreign jurisdictions where they may be subject to additional risks? What knowledge do these individuals have about these risks and what role do they have in responding if and when an issue arises?
 See, e.g., Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 26, 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf; William Hinman, Director, Division of Corporation Finance, Applying a Principles-Based Approach to Disclosing Complex, Uncertain and Evolving Risks (Mar. 15, 2019), available at https://www.sec.gov/news/speech/hinman-applying-principles-based-approach-disclosure-031519; Staff Statement on LIBOR Transition, Division of Corporation Finance, Division of Investment Management, Division of Trading and Markets, and Office of the Chief Accountant (July 12, 2019), available at https://www.sec.gov/news/public-statement/libor-transition. See also Chairman Jay Clayton, SEC Rulemaking Over the Past Year, the Road Ahead and Challenges Posed by Brexit, LIBOR Transition and Cybersecurity Risks (Dec. 6, 2018), available at https://www.sec.gov/news/speech/speech-clayton-120618.
 See, e.g., 2019 Special 301 Report, Office of the United States Trade Representative (April 2019), available at https://ustr.gov/sites/default/files/2019_Special_301_Report.pdf; Update to the IP Commission Report, The Theft of American Intellectual Property: Reassessments of the Challenge and United States Policy (Feb. 2017), available at http://ipcommission.org/report/IP_Commission_Report_Update_2017.pdf; U.S. Chamber of Commerce International IP Index, Global Innovation Policy Center (Feb. 2019), available at https://www.theglobalipcenter.com/wp-content/uploads/2019/03/023593_GIPC_IP_Index_2019_Full_04.pdf.
 Companies must disclose “such further material information, if any, as may be necessary to make the required statements, in the light of the circumstances under which they are made, not misleading.” See Securities Act Rule 408 and Exchange Act Rule 12b-20.
 For example, the Commission has highlighted that although no existing disclosure requirement specifically refers to cybersecurity risks and cyber incidents, a number of requirements may impose an obligation on companies to disclose such risks and incidents. See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 26, 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.