The global and technologically interconnected nature of today’s business environment exposes companies to a wide array of evolving risks, which they must individually examine to determine proper disclosures using a principles-based approach. A company is required to conduct a continuing analysis on the materiality of risks in the ever-changing technological landscape to ensure proper reporting of risks. To assist management in making these determinations, the SEC has issued additional guidance.
The guidance, which is grounded in materiality and a principles-based approach, is meant to supplement prior guidance on technology and cybersecurity matters including the February 2018 SEC statement on public company cybersecurity disclosures (see my blog HERE); Director Hinman’s speech at the 18th Annual Institute on Securities Regulation in Europe in March, 2019; the SEC statement on LIBOR Transition in July 2019; and Chair Clayton’s remarks on LIBOR transition and cybersecurity risks from December 2018. The new guidance concentrates on risks resulting from conducting business outside the U.S. and particularly in jurisdictions that do not have comparable protections for corporate proprietary information.
Although there is no specific line-item requirement under the federal securities laws to disclose information related to the compromise or potential compromise of technology, data or intellectual property, the SEC has made clear that its disclosure requirements apply to a broad range of evolving business risks regardless of the absence of specific requirements. Also, the actual material theft or compromise of technology or intellectual property assets would generally require disclosure, including potentially in management’s discussion and analysis, the business section, legal proceedings, internal controls and procedures and/or financial statements.
The newest guidance is broken down by sources of risk associated with potential theft of technology and intellectual property and assessing and disclosing risks related to potential theft or compromise of technology and intellectual property.
Sources of Risk Associated with Potential Theft of Technology and Intellectual Property
There are many cybersecurity risks associated with technology and intellectual property. Cyber-incidents can take many forms, both intentional and unintentional, and commonly include the unauthorized access of information, including personal information related to customers’ accounts or credit information, data corruption, misappropriating assets or sensitive information or causing operational disruption. Attacks use increasingly complex methods, including malware, ransomware, phishing, structured query language injections and distributed denial-of-service attacks. A cyber-attack can be in the form of unauthorized access or a blocking of authorized access.
In the global context, the risk of theft includes through a direct intrusion by private parties or foreign actors, including those affiliated with or controlled by sovereign entities such as foreign states. The SEC guidance also warns of corporate espionage including the infiltration of moles and insiders.
In addition to direct intrusions, a theft or compromise can be accomplished using indirect attacks such as reverse engineering of technology and intellectual property. Patents together with reverse engineering can be used to assist in obtaining trade secrets and know-how.
Some foreign nations take a very direct route to obtain technology and intellectual property information by requiring companies to yield rights in order to conduct business in or access markets in their jurisdiction, either through formal written agreements or legal or administrative requirements. Companies need to be cognizant of the risks associated with these types of agreements or laws, including unintended consequences. Examples which require cautious risk assessment include: (i) patent license agreements which allow the foreign licensee to retain rights on improvements, including the ability to sever the improvements and receive a separate patent; (ii) patent license agreements which allow the foreign licensee to continue to use the technology or intellectual property after the patent or license term expires; (iii) foreign ownership and investment restrictions which can result in a loss of control over the foreign assets or entity holding the foreign assets; (iv) the use of unusual or idiosyncratic terms favoring foreign persons; (v) regulatory requirements which restrict the ability to conduct business in a foreign jurisdiction unless technology or data is stored locally; (vi) regulatory requirements which require the use of local service providers or technology in connection with international operations; and (vii) local licensing or administrative approvals that involve the sharing of intellectual property.
Assessing and Disclosing Risks Related to Potential Theft or Compromise of Technology and Intellectual Property
In addition to assessing the risks of a potential theft or compromise of technology, data or intellectual property in connection with international operations, companies must conduct an analysis as to how the realization of these risks may impact their business, including financial condition and results of operations, and any effects on their reputation, stock price and long-term value. As always, where the risks are material, they must be disclosed.
Where a company’s technology, data or intellectual property is being or previously was materially compromised, stolen or otherwise illicitly accessed, hypothetical disclosure of potential risks is not sufficient to satisfy a company’s reporting obligations.
The SEC guidance provides a list of questions for management to consider when assessing risks and related disclosure requirements involving international technology, data and intellectual property, including:
(i) Is there a heightened risk by virtue of conducting business, maintaining assets or earning revenue abroad;
(ii) Does the company have operations in a jurisdiction that is particularly susceptible to heightened risk;
(iii) Does the company have operations in a jurisdiction that requires entering into contracts related to technology as a condition to conducting business;
(iv) Has the company’s products been, or may they be, subject to counterfeit and sale through e-commerce;
(v) Has the company directly or indirectly transferred or licensed technology or intellectual property to a foreign entity or government, such as through the creation of a joint venture with a foreign entity;
(vi) Does the company store technology abroad;
(vii) Is the company required to use equipment or service providers in a foreign jurisdiction;
(viii) Has the company entered into a patent or technology license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology and/or rights to continued use of the technology following the licensing term, including in connection with a joint venture;
(ix) Is the company subject to foreign jurisdiction requirements which limit foreign ownership or investment and, in that vein, does the company have foreign subsidiaries where the majority ownership is held by governments or entities in that foreign jurisdiction;
(x) Has the company provided access to your technology or intellectual property to a state actor or regulator in connection with foreign regulatory or licensing procedures, including but not limited to local licensing and administrative procedures;
(xi) Has the company been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets located in a foreign jurisdiction;
(xii) Does the company operate in a jurisdiction where the ability to enforce rights over intellectual property is limited as a statutory or practical matter;
(xiii) Does the company conduct business with local laws that limit or prohibit the export of data or financial documentation;
(xiv) Is the company readily able to produce data or other information that is housed internationally in response to regulatory requirements or inquiries;
(xv) Have conditions in a foreign jurisdiction caused the company to relocate or consider relocating operations to a different host nation and, if so, what are the related costs including material costs, training new employees, establishing new facilities and supply chains and the impact on import and export;
(xvi) Does the company have adequate controls and procedures in place to protect technology, data and intellectual property, and do these procedures include the ability to adequately respond to an actual or potential threat;
(xvii) Does the company have adequate controls and procedures in place to detect: (a) malfeasance by employees and others; (b) industrial or corporate espionage; (c) unauthorized intrusions into computer networks; and (d) other forms of cyber-theft and breaches; and
(xviii) What level of risk oversight and management does the board of directors and executive officers have with regard to the company’s data, technology and intellectual property and how these assets may be impacted by operations in foreign jurisdictions where they may be subject to additional risks.