On December 19, 2019, the Division of Corporation Finance (the Division) of the Securities and Exchange Commission (SEC) released guidance on two topics: (1) intellectual property (IP) and technology risks associated with international operations and (2) confidential treatment matters. This client alert provides a brief overview of this new guidance.
IP and Technology Risks
The Division’s guidance on IP and technology risks associated with operations outside of the United States includes an overview of evolving areas of risk and questions companies should use to guide their assessment of these risks. While there is no specific requirement under the federal securities laws to disclose information related to the compromise (or potential compromise) of technology, data, or IP, the Division stated that “the [SEC] has made clear that its disclosure requirements apply to a broad range of evolving business risks in the absence of specific requirements.” Moreover, the Division confirmed that disclosures relating to actual theft or compromise of technology, data, or IP may already be required under existing disclosure requirements in other sections of company filings, if material to a company’s business, for example, in management’s discussion and analysis, the business section, legal proceedings, disclosure controls and procedures, and/or the financial statements. Notably, the Division clarified that in situations where a company’s technology, data, or IP has been materially compromised, stolen, or otherwise illicitly accessed, hypothetical disclosure of potential risks is insufficient to satisfy a company’s reporting obligations.
Sources of Risk
In its release, the Division highlighted several sources of risk associated with the potential theft of technology and IP by private parties or foreign actors through direct or indirect routes. These include, for example:
- Cyber intrusions into a company’s computer systems;
- Physical theft through corporate espionage, including by insiders;
- Reverse engineering of company products or components by joint venture partners or other parties, lending to patent infringement or stolen know-how or trade secrets; and
- Entry into agreements in foreign jurisdictions that require compromised protections or yielding of rights to technology, data, or IP in order to conduct business or access markets.
Assessing and Disclosing Risk
In its release, the Division indicated that companies should review evolving risks related to IP and technology in connection with international operations, and the materiality of such risks, on an ongoing basis. To assist in this effort, the Division provided a sample list of questions that companies may consider with respect to their present and future operating plans. In addition, the Division encouraged companies “to provide disclosure that allows investors to evaluate these risks through the eyes of management” and stated that any risks that are disclosed should be “specifically tailored to a company’s unique facts and circumstances.” The Division’s sample list of questions includes, among others:
- Is there a heightened risk to your technology or IP because you have or expect to maintain significant assets or earn a material amount of revenue abroad?
- Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or IP or the forced transfer of technology?
- Have you provided access to your technology or IP to a state actor or regulator in connection with foreign regulatory or licensing procedures, including but not limited to local licensing and administrative procedures?
- Have you been required to yield rights to technology or IP as a condition to conducting business in or accessing markets located in a foreign jurisdiction?
- Do you have controls and procedures in place to adequately protect technology and IP from potential compromise or theft?
- What level of risk oversight and management does the board of directors and executive officers have with regard to the company’s data, technology and IP and how these assets may be impacted by operations in foreign jurisdictions where they may be subject to additional risks?
Confidential Treatment Matters
In March 2019, the SEC changed several of its exhibit filing requirements to allow companies to omit immaterial, competitively harmful information from material agreements without having to provide the omitted information to the SEC and request staff approval of such omissions under the traditional process related to confidential treatment under Securities Act Rule 406 and Exchange Act Rule 24b-2. While most companies now rely on the new procedures, this new Division guidance affirmed that the traditional process to seek confidential treatment is still an available alternative to companies and updated its instructions on the traditional application process. The Division also reconfirmed that the newly liberalized and traditional confidential treatment processes both only apply to immaterial information; all material information must be filed publicly. Companies wishing to utilize the traditional process should undertake the following procedures:
- File exhibit on EDGAR. The applicant should omit all confidential information from the exhibit, mark the exhibit to indicate where confidential information has been omitted and indicate within the exhibit that confidential information has been filed separately with the Division.
- Submit a written application to the Office of the Secretary. The written application should:
- Provide one unredacted copy of the contract filed with the SEC with the confidential portions of the document identified;
- Identify the Freedom of Information Act exemption relied upon to object to the public release of the information and provide an analysis of how that exemption applies to the omitted information;
- Justify the time period for which confidential treatment is sought;
- Explain, in detail, why, based on the applicant’s specific facts and circumstances, disclosure of the information is unnecessary for the protection of investors;
- Provide written consent to the furnishing of the confidential information to other government agencies, offices or bodies and to the Congress;
- Identify each exchange, if any, with which the material is filed (required in applications under Rule 24b-2 relating to Exchange Act filings only); and
- Provide the name, address, and telephone number of the person with whom the Division should communicate and direct all issued notices and orders.
The Division also provided guidance on obtaining extensions of previously granted confidential treatment orders, reminding companies that while a new short form application is available for unexpired confidential treatment orders, the traditional application process is also available
What to Do Now?
IP and Technology Risks
- As we recently reminded companies in another Wilson Sonsini Client Alert, Form 10-K season is an ideal time to take a fresh look at risk factors and risk management and oversight disclosures. In particular, the SEC continues to focus companies on risk disclosures regarding the United Kingdom’s potential exit from the European Union (Brexit), the transition away from the London Interbank Offered Rate (LIBOR), and cybersecurity. Companies and their counsel should review together the questions relating to IP and technology risks listed in the Division’s guidance, as well as the SEC’s statements around their other key areas of risk factor focus, when preparing their annual reports.
- As you review your risk factor disclosure, remember that the SEC has recently brought enforcement actions for misleading disclosure against companies that have continued to describe certain risks as hypothetical (i.e., “our users’ data may be improperly accessed, used or disclosed”) when in fact the risk had occurred (i.e., data had in fact been improperly accessed, used or disclosed). It may be appropriate to update certain risk factors to reflect that in the past certain risks have occurred, and in the future they may occur again.
- If your review of risks highlights issues that should be brought to your board’s attention, be sure to do so. As we have discussed in other Client Alerts, recent Delaware cases involving Blue Bell Creameries and Clovis Oncology show that Delaware courts expect boards, as part of their fiduciary duty oversight obligations, to ensure that they regularly spend adequate time on regulatory and legal compliance issues, including changes in risks within the company or its industry, that there is a system in place for management to report any concerns up to the board, and that the board's processes are properly documented in board or committee minutes.
Confidential Treatment Matters
- We expect most companies will continue to rely on the SEC’s March 2019 rules liberalizing the confidential treatment request process rather than use the more time consuming traditional approach, as modified by the Division’s guidance.
- If your company currently has outstanding confidential treatment orders relating to material contracts, check the expiration dates of these orders at least annually so that you can take advantage of the SEC’s short form application for extensions, as discussed in the Division’s guidance.