In December 2019, the SEC Division of Corporation Finance issued CF Disclosure Guidance: Topic No. 8 providing guidance related to the disclosure of intellectual property and technology risks associated with international business operations.
The global and technologically interconnected nature of today’s business environment exposes companies to a wide array of evolving risks, which they must individually examine to determine proper disclosures using a principles-based approach. A company is required to conduct a continuing analysis on the materiality of risks in the ever-changing technological landscape to ensure proper reporting of risks. To assist management in making these determinations, the SEC has issued additional guidance.
The guidance, which is grounded in materiality and a principles-based approach, is meant to supplement prior guidance on technology and cybersecurity matters including the February 2018 SEC statement on public company cybersecurity disclosures (see my blog HERE); Director Hinman’s speech at the 18th Annual Institute on Securities Regulation in Europe in March, 2019; the SEC statement on LIBOR Transition in July 2019; and Chair Clayton’s remarks on LIBOR transition and cybersecurity risks from December 2018. The new guidance concentrates on risks resulting from conducting business outside the U.S. and particularly in jurisdictions that do not have comparable protections for corporate proprietary information.
Although there is no specific line-item requirement under the federal securities laws to disclose information related to the compromise or potential compromise of technology, data or intellectual property, the SEC has made clear that its disclosure requirements apply to a broad range of evolving business risks regardless of the absence of specific requirements. Also, the actual material theft or compromise of technology or intellectual property assets would generally require disclosure, including potentially in management’s discussion and analysis, the business section, legal proceedings, internal controls and procedures and/or financial statements.
The newest guidance is broken down by sources of risk associated with potential theft of technology and intellectual property and assessing and disclosing risks related to potential theft or compromise of technology and intellectual property.
Sources of Risk Associated with Potential Theft of Technology and Intellectual Property
There are many cybersecurity risks associated with technology and intellectual property. Cyber-incidents can take many forms, both intentional and unintentional, and commonly include the unauthorized access of information, including personal information related to customers’ accounts or credit information, data corruption, misappropriating assets or sensitive information or causing operational disruption. Attacks use increasingly complex methods, including malware, ransomware, phishing, structured query language injections and distributed denial-of-service attacks. A cyber-attack can be in the form of unauthorized access or a blocking of authorized access.
In the global context, the risk of theft includes through a direct intrusion by private parties or foreign actors, including those affiliated with or controlled by sovereign entities such as foreign states. The SEC guidance also warns of corporate espionage including the infiltration of moles and insiders.
In addition to direct intrusions, a theft or compromise can be accomplished using indirect attacks such as reverse engineering of technology and intellectual property. Patents together with reverse engineering can be used to assist in obtaining trade secrets and know-how.
Some foreign nations take a very direct route to obtain technology and intellectual property information by requiring companies to yield rights in order to conduct business in or access markets in their jurisdiction, either through formal written agreements or legal or administrative requirements. Companies need to be cognizant of the risks associated with these types of agreements or laws, including unintended consequences. Examples which require cautious risk assessment include: (i) patent license agreements which allow the foreign licensee to retain rights on improvements, including the ability to sever the improvements and receive a separate patent; (ii) patent license agreements which allow the foreign licensee to continue to use the technology or intellectual property after the patent or license term expires; (iii) foreign ownership and investment restrictions which can result in a loss of control over the foreign assets or entity holding the foreign assets; (iv) the use of unusual or idiosyncratic terms favoring foreign persons; (v) regulatory requirements which restrict the ability to conduct business in a foreign jurisdiction unless technology or data is stored locally; (vi) regulatory requirements which require the use of local service providers or technology in connection with international operations; and (vii) local licensing or administrative approvals that involve the sharing of intellectual property.
Assessing and Disclosing Risks Related to Potential Theft or Compromise of Technology and Intellectual Property
In addition to assessing the risks of a potential theft or compromise of technology, data or intellectual property in connection with international operations, companies must conduct an analysis as to how the realization of these risks may impact their business, including financial condition and results of operations, and any effects on their reputation, stock price and long-term value. As always, where the risks are material, they must be disclosed.
Where a company’s technology, data or intellectual property is being or previously was materially compromised, stolen or otherwise illicitly accessed, hypothetical disclosure of potential risks is not sufficient to satisfy a company’s reporting obligations.
The SEC guidance provides a list of questions for management to consider when assessing risks and related disclosure requirements involving international technology, data and intellectual property, including:
(i) Is there a heightened risk by virtue of conducting business, maintaining assets or earning revenue abroad;
(ii) Does the company have operations in a jurisdiction that is particularly susceptible to heightened risk;
(iii) Does the company have operations in a jurisdiction that requires entering into contracts related to technology as a condition to conducting business;
(iv) Has the company’s products been, or may they be, subject to counterfeit and sale through e-commerce;
(v) Has the company directly or indirectly transferred or licensed technology or intellectual property to a foreign entity or government, such as through the creation of a joint venture with a foreign entity;
(vi) Does the company store technology abroad;
(vii) Is the company required to use equipment or service providers in a foreign jurisdiction;
(viii) Has the company entered into a patent or technology license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology and/or rights to continued use of the technology following the licensing term, including in connection with a joint venture;
(ix) Is the company subject to foreign jurisdiction requirements which limit foreign ownership or investment and, in that vein, does the company have foreign subsidiaries where the majority ownership is held by governments or entities in that foreign jurisdiction;
(x) Has the company provided access to your technology or intellectual property to a state actor or regulator in connection with foreign regulatory or licensing procedures, including but not limited to local licensing and administrative procedures;
(xi) Has the company been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets located in a foreign jurisdiction;
(xii) Does the company operate in a jurisdiction where the ability to enforce rights over intellectual property is limited as a statutory or practical matter;
(xiii) Does the company conduct business with local laws that limit or prohibit the export of data or financial documentation;
(xiv) Is the company readily able to produce data or other information that is housed internationally in response to regulatory requirements or inquiries;
(xv) Have conditions in a foreign jurisdiction caused the company to relocate or consider relocating operations to a different host nation and, if so, what are the related costs including material costs, training new employees, establishing new facilities and supply chains and the impact on import and export;
(xvi) Does the company have adequate controls and procedures in place to protect technology, data and intellectual property, and do these procedures include the ability to adequately respond to an actual or potential threat;
(xvii) Does the company have adequate controls and procedures in place to detect: (a) malfeasance by employees and others; (b) industrial or corporate espionage; (c) unauthorized intrusions into computer networks; and (d) other forms of cyber-theft and breaches; and
(xviii) What level of risk oversight and management does the board of directors and executive officers have with regard to the company’s data, technology and intellectual property and how these assets may be impacted by operations in foreign jurisdictions where they may be subject to additional risks.
The Author
Laura Anthony, Esq.
Founding Partner
Anthony L.G., PLLC
A Corporate Law Firm
LAnthony@AnthonyPLLC.com
Securities attorney Laura Anthony and her experienced legal team provide ongoing corporate counsel to small and mid-size private companies, OTC and exchange traded public companies as well as private companies going public on the Nasdaq, NYSE American or over-the-counter market, such as the OTCQB and OTCQX. For more than two decades Anthony L.G., PLLC has served clients providing fast, personalized, cutting-edge legal service. The firm’s reputation and relationships provide invaluable resources to clients including introductions to investment bankers, broker-dealers, institutional investors and other strategic alliances. The firm’s focus includes, but is not limited to, compliance with the Securities Act of 1933 offer sale and registration requirements, including private placement transactions under Regulation D and Regulation S and PIPE Transactions, securities token offerings and initial coin offerings, Regulation A/A+ offerings, as well as registration statements on Forms S-1, S-3, S-8 and merger registrations on Form S-4; compliance with the Securities Exchange Act of 1934, including registration on Form 10, reporting on Forms 10-Q, 10-K and 8-K, and 14C Information and 14A Proxy Statements; all forms of going public transactions; mergers and acquisitions including both reverse mergers and forward mergers; applications to and compliance with the corporate governance requirements of securities exchanges including Nasdaq and NYSE American; general corporate; and general contract and business transactions. Ms. Anthony and her firm represent both target and acquiring companies in merger and acquisition transactions, including the preparation of transaction documents such as merger agreements, share exchange agreements, stock purchase agreements, asset purchase agreements and reorganization agreements. The ALG legal team assists Pubcos in complying with the requirements of federal and state securities laws and SROs such as FINRA for 15c2-11 applications, corporate name changes, reverse and forward splits and changes of domicile. Ms. Anthony is also the author of SecuritiesLawBlog.com, the small-cap and middle market’s top source for industry news, and the producer and host of LawCast.com, Corporate Finance in Focus. In addition to many other major metropolitan areas, the firm currently represents clients in New York, Los Angeles, Miami, Boca Raton, West Palm Beach, Atlanta, Phoenix, Scottsdale, Charlotte, Cincinnati, Cleveland, Washington, D.C., Denver, Tampa, Detroit and Dallas.
Ms. Anthony is a member of various professional organizations including the Crowdfunding Professional Association (CfPA), Palm Beach County Bar Association, the Florida Bar Association, the American Bar Association and the ABA committees on Federal Securities Regulations and Private Equity and Venture Capital. She is a supporter of several community charities including siting on the board of directors of the American Red Cross for Palm Beach and Martin Counties, and providing financial support to the Susan Komen Foundation, Opportunity, Inc., New Hope Charities, the Society of the Four Arts, the Norton Museum of Art, Palm Beach County Zoo Society, the Kravis Center for the Performing Arts and several others. She is also a financial and hands-on supporter of Palm Beach Day Academy, one of Palm Beach’s oldest and most respected educational institutions. She currently resides in Palm Beach with her husband and daughter.
Ms. Anthony is an honors graduate from Florida State University College of Law and has been practicing law since 1993.
Contact Anthony L.G., PLLC. Inquiries of a technical nature are always encouraged.
Follow Anthony L.G., PLLC on Facebook, LinkedIn, YouTube, Pinterest and Twitter.
Listen to our podcast on iTunes Podcast channel.
law·cast
Noun
Lawcast is derived from the term podcast and specifically refers to a series of news segments that explain the technical aspects of corporate finance and securities law. The accepted interpretation of lawcast is most commonly used when referring to LawCast.com, the securities law network. Example: “LawCast expounds on NASDAQ listing requirements.”
Anthony L.G., PLLC makes this general information available for educational purposes only. The information is general in nature and does not constitute legal advice. Furthermore, the use of this information, and the sending or receipt of this information, does not create or constitute an attorney-client relationship between us. Therefore, your communication with us via this information in any form will not be considered as privileged or confidential.
This information is not intended to be advertising, and Anthony L.G., PLLC does not desire to represent anyone desiring representation based upon viewing this information in a jurisdiction where this information fails to comply with all laws and ethical rules of that jurisdiction. This information may only be reproduced in its entirety (without modification) for the individual reader’s personal and/or educational use and must include this notice.
© Anthony L.G., PLLC