SEC reminds public companies to assess technology and IP theft risks when preparing their disclosures

Of particular concern are companies that do business in certain jurisdictions, house data or IP outside the US or license IP to JVs with non-US partners

In the past few years, rather than issuing rules requiring specific disclosure, the US Securities and Exchange Commission (the “SEC”) has chosen to provide disclosure guidance for certain key areas. In 2018, the focus was on cybersecurity, and earlier in 2019, it was the transition away from LIBOR. Most recently, the SEC staff has issued guidance reminding public companies that engage in international operations to consider intellectual property (“IP”) and technology risks when assessing their disclosure obligations.

According to the guidance, companies that conduct business in non-US jurisdictions, house technology, data and IP outside the US or license technology to joint ventures with non-US partners should pay particular attention to the technology and IP theft risks.

While there is no specific line-item requirement under the federal securities laws or the SEC rules to disclose information related to the compromise (or potential compromise) of technology, data or IP, the SEC has made clear that its disclosure requirements apply to a broad range of evolving business risks. In the absence of specific requirements, the guidance says, disclosure may be necessary in the following areas:

  • the management’s discussion and analysis;
  • the business section;
  • legal proceedings;
  • disclosure controls and procedures; and/or
  • the financial statements.

While there are many obvious direct risks of theft (such as hacking or corporate espionage), the guidance reminds companies also to look at the indirect risks. For example, a company’s products or components may be reverse-engineered by joint venture partners, or a company could be required to compromise protections or yield rights in order to conduct business in a non-US jurisdiction, either through written agreements or due to legal or administrative requirements in the host nation. Examples could include non-US ownership restrictions that compromise control over a company’s technology or IP, the use of idiosyncratic terms favoring non-US persons, or regulatory requirements to store data locally or to use local services or technology.

The guidance provides a list of questions that companies should consider in assessing their disclosure obligations, when determining whether the risks may have an impact on their respective businesses (including financial condition and results of operations, and any effects on reputation, stock price and long-term value).

Importantly, the guidance also reminds companies that, if a company’s technology, data or IP is being, or previously was, materially compromised, stolen or otherwise illicitly accessed, hypothetical disclosure of potential risks is not sufficient to satisfy a company’s reporting obligations.

We will continue to monitor developments in this area and welcome any queries you may have.