Cyber-risk: A board responsibility
A new priority has risen to the top of the corporate executive’s agenda: priceless proprietary and intellectual property (P&IP) is at increased risk of being pilfered by cyber-thieves. It is with heightened urgency that boards must implement and enforce a risk management framework to protect these invaluable assets. While constructing a sound risk management platform is critical to successfully protecting P&IP, a board’s primary hurdles involve ensuring management appropriately defines the P&IP itself and creates a holistic approach to risk management that addresses both technology and people risk.
The SEC acknowledged the mounting threat of P&IP theft through disclosure guidelines released in October 2011. The Corporate Finance Disclosure Guidance states: ‘We are mindful of potential concerns that detailed disclosures could compromise cyber-security efforts – for example, by providing a ‘road map’ for those who seek to infiltrate a registrant’s network security – and we emphasize that disclosures of that nature are not required under the federal securities laws.’
The SEC guidance urges companies to ‘evaluate their cyber-security risks and take into account all available relevant information, including prior cyber-incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber-incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data, or operational disruption.’ Nearly two years after the SEC published its disclosure guidelines, Senate Commerce Committee chairman Jay Rockefeller sent a letter to the SEC chair advising increased disclosure requirements around a company’s ability to defend against network attacks.
P&IP theft has typically been defined through a focus on patents, trademarks, copyrights, proprietary processes and trade secrets. Over the past two years, however, a more realistic view of P&IP theft has evolved to include technology blueprints, test results, business plans, strategic plans, pricing documents, partnership agreements, merger and acquisition information, in-house work manuals, publications, employee and customer information, and emails. Management’s success in safeguarding these assets requires first and foremost an agreed-upon definition of what constitutes P&IP. Secondly, executive and organizational awareness of this definition is fundamental to establishing an operating environment that supports the long-term identification and protection of these assets as the company’s strategies, markets and competitive landscapes change.
A key responsibility of the corporate secretary is to support the execution of the board’s due care responsibility, ensuring management decisions are made with a comprehensive view of risk tolerance. This comprehensive risk assessment considers the financial, operational, compliance and strategic impact that a breach of P&IP security would have on the company. Risk management as it pertains to the internet has been a bit nebulous for boards, due in part to the lack of a concrete understanding of cyber-risk, the overwhelming breadth of the technology footprint and an over-reliance on ‘silver bullet’ technology solutions. The days of ensuring the filing cabinet is locked to mitigate P&IP theft are not gone, but things are complicated by the fact that P&IP is also electronically stored.
Cyber-attacks can instantaneously destroy a company’s reputation, invalidate long-term business strategy, terminate business relationships, damage stock prices and erode customer confidence. Successful cyber-defense calls for the board to ensure that management proactively defines and documents the P&IP assets that have the greatest impact on the company’s financial performance and strategic success, and to ensure a regular review of the P&IP inventory.
Management’s methodology for identifying and valuing P&IP assets should be directly linked, in both quantitative and qualitative terms, to the company’s financial position and strategic direction, and risk management solutions should be tailored accordingly. Those solutions will vary significantly depending on how a company classifies its P&IP, but documenting the owners and consumers of each asset, together with the access paths to it, both logical and physical, should be a standard part of defining a risk approach. Whatever form the framework takes, it is vital that technology risk be evaluated alongside the often overlooked but equally important human component of risk.
The human factor
Companies have historically relied on technology to monitor access to P&IP, spending minimal energy addressing the human element of P&IP protection – which is, ironically, where the bulk of theft occurs. Recent news has been flooded with reports detailing the cyber-threat that China and other nation-states pose to US businesses’ P&IP. These reports, spanning industries and geographies, share a common theme: the attackers have deployed or victimized company employees to gain access to prized P&IP assets.
Surprisingly, most companies do not have a proper risk infrastructure in place to prevent employees, suppliers or visitors from walking off with critical P&IP on a USB device, gathering trade secrets during a factory tour or removing proprietary documents. Other access paths to your company’s valued assets include former employees, competitors, trusted customers and distributors or vendors.
Social engineering and other forms of information gathering are regularly deployed by competitors seeking to gain access to P&IP. Competitors have become innovative at luring unsuspecting employees to speak with them at meetings and conferences or in airports, and reaching them on personal telephones after office hours. A more modern phenomenon is tracking employee and company updates through social media monitoring and website crawling. Ultimately, an employee’s innocent slip about a recent award may tip off competitors to valuable information about sales quotas or new territory targets.
Regardless of the process management uses to implement a risk management framework, board discussion should prioritize three foundational concepts: engage, enable and ensure. First, what has management done to engage employees in order to reinforce their understanding of the risks and of their critical roles in the P&IP protection program? Second, what has management done to enable employees to perform those roles effectively? This includes giving them access to, and knowledge of, the relevant tools, policies, programs and education. Finally, what has management done to ensure that the people, tools, processes, programs and procedures it relies on continue to function over time?
Public awareness of cyber-theft will continue to grow, driving increased scrutiny of existing disclosure rules and a heightened need for management to address the full scope of potential P&IP theft risks. Remarkably absent in today’s business world is the connection between improper protection of P&IP, failed strategy execution and the acceptable level of board due care with regard to safeguarding P&IP. It is important that boards be proactive and keep an active dialogue with management on their understanding of the company’s P&IP inventory, the sources of potential risk, and the approach management takes in determining an acceptable risk framework.