Outright theft, as well as forced technology transfers and other official conditions on doing business overseas, have caused U.S. companies to lose substantial value of their intellectual property (IP) in recent years. A February 2019 CNBC poll found that one in five companies doing business in China reported IP stolen in the prior year.1 China recently made gestures towards reducing IP theft in connection with the Administration’s trade war,2 but real progress is uncertain and U.S. companies continue to suffer the impact.
The Division of Corporation Finance (CorpFin) of the Securities and Exchange Commission (SEC) recently issued guidance to assist affected public companies to meet their disclosure obligations on the subject of risks to IP and technology from foreign operations.3 The guidance will also be helpful for addressing IP and technology risks more generally. CorpFin observes that “While many companies may face these types of risks, companies that conduct business in certain foreign jurisdictions, house technology, data and intellectual property abroad, or license technology to joint ventures with foreign partners may have more significant exposure.” The guidance urges companies to assess the risks of foreign theft or compromise of technology and IP and to provide better, more focused disclosure for investors’ benefit. It has detailed suggestions for assessing risks and related internal controls. This is likely to be a CorpFin focus when reviewing filings, so companies should pay heed.
The guidance stresses the need for “reporting companies [to] provide a comprehensive picture of the material risks they face,” as well as “disclosure regarding the actual theft or compromise of technology, data or intellectual property if it pertains to assets or intangibles that are material to a company’s business prospects” (as the SEC has previously said in the context of cybersecurity breaches4).
Good risk disclosure requires a thorough assessment of the risks. The guidance details numerous sources of such risks, including cyber intrusions and corporate espionage, as well as more indirect causes such as reverse engineering by joint venture partners or others, required compromise of protections or IP rights as a condition of doing business in foreign jurisdictions, and weak enforcement of IP rights. It then poses a series of questions for companies assessing the risks to their particular operations. Some of these are:
Following a familiar SEC theme, the guidance also asks companies to consider what level of knowledge, risk oversight and management their boards of directors and executive officers have with regard to the company’s data, technology and IP, and how these assets may be impacted by additional risks of operations in foreign jurisdictions.
After considering these questions, companies should consider the quality of their public disclosures in light of the answers. Statements made last year by the CorpFin Director in a different context are applicable here:
Risk factor disclosure should address the most significant things that make an investment in a company and its securities subject to uncertainties or risk. Concise and focused disclosure explaining how each risk affects the company is most useful for investors. Companies should take care not to bury the reader in generic boilerplate or laundry lists of risks that might apply to any company.
[I]nvestors are better served by understanding the lens through which each company’s management looks at its exposure. How does management assess and analyze [such] risks and the potential impacts on the company and its operations? What is management doing to mitigate and manage these risks? What is the nature of the board’s role in overseeing the management of these risks? Depending on the facts and circumstances of each company, the answers to these questions should provide material information to investors seeking to understand [such] risks . . . for that company. . . . [T]here should not be material gaps between how the board is briefed and how shareholders are informed. For those of you involved in crafting disclosure documents, you can ask yourself a straightforward question: would these disclosures satisfy the curiosity of a thoughtful, deliberative board member considering the potential impact of [such risks] on the company’s business, operations and strategic plans?5
Companies also should keep the need for disclosure in mind when negotiating IP arrangements; the prospect of disclosure may affect the terms of the arrangement.
---
1 Found here.
2 Found here.
3 CF Disclosure Guidance: Topic No. 8, “Intellectual Property and Technology Risks Associated with International Business Operations” (December 19, 2019), available here.
4 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb.26, 2018), available here.
5 William Hinman, Director, CorpFin, “Applying a Principles-Based Approach to Disclosing Complex, Uncertain and Evolving Risks” (March 15, 2019), available here.
Sign up for our newsletter and get the latest to your inbox.