CorpFin issues tech, IP risk disclosure guidance


On Dec. 19, 2019, the SEC’s Division of Corporation Finance (CorpFin) issued CF Disclosure Guidance: Topic No. 8, Intellectual Property and Technology Risks Associated with International Business Operations.

The guidance provides CorpFin’s views on disclosure obligations regarding risks related to the potential theft or compromise of data, technology, and intellectual property (IP) within the context of the federal securities laws and the SEC’s principles-based disclosure system, which companies should consider when conducting business in foreign jurisdictions.

Sources of risks In today’s business environment, companies may be exposed to material risks of theft of proprietary technology and other IP, including technical data, business processes, data sets or other sensitive information. These risks may increase when companies conduct business in certain jurisdictions outside the United States: store technology, data, or intellectual property abroad or license technology to joint ventures with foreign partners. For example, technology, data, or IP may be stolen or compromised through direct intrusions, such as cyber intrusions into a company’s computer systems or physical theft, or through indirect intrusions, such as reverse engineering of products or components.

Further, in order to access or conduct business in certain foreign markets, companies may be required to compromise protections or yield rights to their technology, data or IP. The guidance provides examples of arrangements or requirements that could limit the company’s ability to protect its own technology, data, or IP, which may negatively impact the company’s current and future competitive edge.

Assessing and disclosing risks Key takeaway Currently, companies may have general disclosure in risk factors about how technology and IP could impact their businesses. Where material, these disclosures may be required in management’s discussion and analysis, the business section, legal proceedings, disclosure controls and procedures or in the financial statements. The guidance encourages companies to assess the risks of potential theft or compromise of technology, data, or IP in connection with international operations, including how these risks could impact their business, financial condition and results of operations, reputation, stock price, and long-term value. When material to investment and voting decisions, companies should provide tailored disclosures that are specific to a company’s facts and circumstances.

Notably, the guidance indicates that when a company’s technology, data, or IP is or was previously compromised, hypothetical disclosure of potential risks is not sufficient.

In CorpFin’s view, companies should assess the materiality of these risks now and on an ongoing basis and update disclosures accordingly. The guidance includes detailed questions regarding a company’s current and future operations that should be considered to assess risks related to IP and technology and the related disclosure obligations.




© 2020 Grant Thornton LLP, U.S. member firm of Grant Thornton International Ltd. All rights reserved.

This Grant Thornton LLP bulletin provides information and comments on SEC reporting issues and developments. It is not a comprehensive analysis of the subject matter covered and is not intended to provide accounting or other advice or guidance with respect to the matters addressed in the bulletin. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this bulletin.

For additional information on topics covered in this bulletin, contact your Grant Thornton LLP professional.



Our fresh thinking