Locke Lord QuickStudy: SEC Urges Enhanced Disclosure of Foreign Risks to Corporate IP

Outright theft, as well as forced technology transfers and other official conditions on doing business overseas, have caused U.S. companies to lose substantial value of their intellectual property (IP) in recent years.  A February 2019 CNBC poll found that one in five companies doing business in China reported IP stolen in the prior year.¹  China recently made gestures towards reducing IP theft in connection with the Administration’s trade war,² but real progress is uncertain and U.S. companies continue to suffer the impact.

The Division of Corporation Finance (CorpFin) of the Securities and Exchange Commission (SEC) recently issued guidance to assist affected public companies to meet their disclosure obligations on the subject of risks to IP and technology from foreign operations.³  The guidance will also be helpful for addressing IP and technology risks more generally.  CorpFin observes that “While many companies may face these types of risks, companies that conduct business in certain foreign jurisdictions, house technology, data and intellectual property abroad, or license technology to joint ventures with foreign partners may have more significant exposure.” The guidance urges companies to assess the risks of foreign theft or compromise of technology and IP and to provide better, more focused disclosure for investors’ benefit. It has detailed suggestions for assessing risks and related internal controls. This is likely to be a CorpFin focus when reviewing filings, so companies should pay heed.

The guidance stresses the need for “reporting companies [to] provide a comprehensive picture of the material risks they face,” as well as “disclosure regarding the actual theft or compromise of technology, data or intellectual property if it pertains to assets or intangibles that are material to a company’s business prospects” (as the SEC has previously said in the context of cybersecurity breaches⁴).

Good risk disclosure requires a thorough assessment of the risks. The guidance details numerous sources of such risks, including cyber intrusions and corporate espionage, as well as more indirect causes such as reverse engineering by joint venture partners or others, required compromise of protections or IP rights as a condition of doing business in foreign jurisdictions, and weak enforcement of IP rights. It then poses a series of questions for companies assessing the risks to their particular operations. Some of these are:

• Is there a heightened risk to your technology or IP because you have or expect to maintain significant assets or earn a material amount of revenue abroad?
• Have you directly or indirectly transferred or licensed technology or IP to a foreign entity or government, such as through the creation of a joint venture with a foreign entity? Do you store technology or IP locally in a foreign jurisdiction?
• Have you entered into a patent or technology license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology and/or rights to continued use of the technology following the licensing term?
• Are you subject to a requirement that foreign parties must be controlling shareholders or hold a majority of shares in a joint venture in which you are involved, or are you involved in a joint venture that is subject to foreign ownership restrictions or requirements that a foreign party retain certain ownership rights?
• Have you been required to yield rights to technology or IP as a condition to conducting business in or accessing markets located in a foreign jurisdiction?
• Are you operating in foreign jurisdictions where the ability to enforce rights over IP is limited as a statutory or practical matter?
• Have conditions in a foreign jurisdiction caused you to relocate or consider relocating your operations to a different host nation? Have you considered related material costs, such as costs to train new employees, establish new facilities and supply chains, and the impact of any related gaps or lags in production, manufacture and/or export of your products?
• Do you have controls and procedures in place to adequately protect technology and IP from potential compromise or theft? The guidance identifies some desirable features for such controls and procedures.

Following a familiar SEC theme, the guidance also asks companies to consider what level of knowledge, risk oversight and management their boards of directors and executive officers have with regard to the company’s data, technology and IP, and how these assets may be impacted by additional risks of operations in foreign jurisdictions. 

After considering these questions, companies should consider the quality of their public disclosures in light of the answers.  Statements made last year by the CorpFin Director in a different context are applicable here:

Risk factor disclosure should address the most significant things that make an investment in a company and its securities subject to uncertainties or risk. Concise and focused disclosure explaining how each risk affects the company is most useful for investors. Companies should take care not to bury the reader in generic boilerplate or laundry lists of risks that might apply to any company.  

[I]nvestors are better served by understanding the lens through which each company’s management looks at its exposure. How does management assess and analyze [such] risks and the potential impacts on the company and its operations? What is management doing to mitigate and manage these risks? What is the nature of the board’s role in overseeing the management of these risks? Depending on the facts and circumstances of each company, the answers to these questions should provide material information to investors seeking to understand [such] risks . . . for that company. . . . [T]here should not be material gaps between how the board is briefed and how shareholders are informed. For those of you involved in crafting disclosure documents, you can ask yourself a straightforward question: would these disclosures satisfy the curiosity of a thoughtful, deliberative board member considering the potential impact of [such risks] on the company’s business, operations and strategic plans?⁵

Companies also should keep the need for disclosure in mind when negotiating IP arrangements; the prospect of disclosure may affect the terms of the arrangement.

---

_{1 Found here.
2 Found here.
3 CF Disclosure Guidance: Topic No. 8, “Intellectual Property and Technology Risks Associated with International Business Operations” (December 19, 2019), available here.
4 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb.26, 2018), available here.
5 William Hinman, Director, CorpFin, “Applying a Principles-Based Approach to Disclosing Complex, Uncertain and Evolving Risks” (March 15, 2019), available here.}