The SEC has issued new guidance it believes will assist public companies both in assessing materiality and in drafting disclosure related to risks to technology and intellectual property that may result from conducting business outside the United States. The SEC believes that this is important for jurisdictions that do not have comparable levels of protection as the United States of corporate proprietary information and assets such as intellectual property, trademarks, trade secrets, know-how and customer information and records.
The SEC believes companies should consider their disclosure obligations regarding risks related to the potential theft or compromise of data, technology and intellectual property within the context of the federal securities laws and its principles-based disclosure system. The SEC notes that although there is no specific line-item requirement under the federal securities laws to disclose information related to the compromise (or potential compromise) of technology, data or intellectual property, the SEC has made clear that its disclosure requirements apply to a broad range of evolving business risks in the absence of specific requirements.
The guidance states among the risks faced by companies is the risk of theft of technology, data and intellectual property through a direct intrusion by private parties or foreign actors, including those affiliated with or controlled by state actors. While not exclusive, examples of situations in which technology, data or intellectual property may be stolen or compromised through direct intrusion include cyber intrusions into a company’s computer systems and physical theft through corporate espionage, including with the assistance of insiders.
In addition, a company’s technology, data and intellectual property may be subject to theft or compromise via more indirect routes. For example, a company’s products or components may be reverse engineered by joint venture partners or other parties, including those affiliated with state actors, and the company’s patents subsequently infringed or know-how or trade secrets stolen. Companies may be required to compromise protections or yield rights to technology, data or intellectual property in order to conduct business in or access markets in a foreign jurisdiction, either through formal written agreements or due to legal or administrative requirements in the host nation. By limiting or otherwise negatively impacting a company’s rights to protect its own technology, data or intellectual property, these types of agreements and requirements may impede both the company’s ability to compete today as well as its ability to retain and improve on this intellectual property, thereby inhibiting chances of future success.
The SEC encourages companies to assess the risks related to the potential theft or compromise of their technology, data or intellectual property in connection with their international operations, as well as how the realization of these risks may impact their business, including their financial condition and results of operations, and any effects on their reputation, stock price and long-term value. Where these risks are material to investment and voting decisions, the SEC states they should be disclosed, and the SEC encourages companies to provide disclosure that allows investors to evaluate these risks through the eyes of management.