A cybersecurity event can be initiated by a wide range of perpetrators, with a slew of diverse motivations, whether the main driver is a desire to steal passwords to access customer data or customer deposits, hold an organisation to ransom or simply to cause disruption. As a result of high-profile scrutiny, businesses are ever-more aware of their cyber vulnerabilities and regulatory consequences from a customer or personal data breach. By contrast, core intellectual property (IP) can often be overlooked and trade secrets are particularly vulnerable - and often least-well understood - even though they are potentially the most valuable assets or ‘crown jewels’ of a business.
A company’s IP is potentially even more at risk from such cyber-attacks when compared to loss of personal data, although the absence of regulatory scrutiny similar to that afforded by the EU’s GDPR regulations that may lull businesses into a false sense of security. Given the rise of businesses’ intangible value relative to overall value, organisations of all sizes and particularly those whose intangible assets account for more than 75% of their enterprise value, should ensure that the C-Suite prioritises protection of these assets on the Board agenda.
Intangible assets are just as vulnerable
Intangible assets often constitute at least 50% of the value of a company and, for a tech- or innovation-led services business, that value can be upwards of 85%. As my Aon colleague, Lewis Lee, (Chief Executive Officer, Aon Intellectual Property Solutions), recently stated :
“Across industries, intangible assets are becoming primary sources of value. Over the past decade, intangible assets have begun to overtake tangible assets…. Copyrights, patents, formulae and source code have overtaken [physical] property or equipment as some of the most valuable items on a balance sheet.”
Intangible assets are no less vulnerable to the threat from a hacker who might stumble on IP. We know hackers will compromise systems that given an immediate benefit such as customer or password data details but according to IBM, the average time to detect a cyber-attack is 197 days, giving ample opportunity to comprise confidential information or trade secrets.
In other instances, IP may also be the primary motive behind some cyber-attacks. The cybersecurity business, CrowdStrike, recently claimed that China largely stole the technology used to build its first passenger airline through a targeted cyber espionage campaign on a wide range of foreign aviation businesses. State-sponsored cyber-attacks may not be an every-day occurrence and acquiring IP in this way is less frequent but often the cyber-attack may in fact target specific IP for plain commercial gain.
Some of the most IP-savvy companies have recognised that cyber risk is now a critical issue for IP. At a conference in Paris one IP Head, from a major supplier to the semiconductor industry, recognised that cyber risk was now their number 1 issue, ahead of IP litigation or IP monetisation.
Here are 4 fundamental considerations when approaching IP protection:
1. Be ready to deal with the threat
Every organisation should treat its trade secrets and other core IP with the same attention that is paid to protecting its confidential customer data even in the absence of regulatory fines. A successful hack can result in immediate business interruption and negatively impact profits.
2. Know the value of your IP
Some important questions remain: how well do businesses understand the value of their IP? How well do businesses protect IP in comparison to the customer and personal data they hold?
Not very well, according to Lewis Lee: “Many companies have been slow to adopt approaches to managing and valuing their intellectual property portfolio.”
The absence of comparable regulatory consequences for IP theft may be a factor; however, a loss of IP represents a loss in value for shareholders and could lead to a class action, which could potentially be just as damaging and expensive as a regulatory fine.
How will a company account for the value lost or at risk if it does not know the value of its IP in the first place? Knowing the value of an organisation’s IP is therefore critical. Just as, once upon a time, businesses didn’t understand the value of their customer data or personal data, so they now need to address the lack of understanding around the value of their IP.
Whilst not a result of a cyber-attack, earlier this year, the cosmetics firm L’Oréal was found liable for a $91.3 million pay-out to Olaplex, a California start-up in relation to the theft of trade secrets. This highlights the monetary value of trade secrets, and IP in general. The size of a company’s investment in the protection of its IP should be proportionate to its value.
Surprisingly, the threat to IP is ranked as low as #34 in the top risks facing businesses according to the latest 2019 Aon Global Risk Management Survey. Many attribute this to organisations not seeing the value of the IP they own. The loss of IP can wipe out competitive advantage and, when both increasing competition and failure to innovate are included within the top ten risks in Aon’s survey, it becomes clear what impact the loss of IP can have.
From a monetary perspective, the implications are clear: the Commission on the Theft of American Intellectual Property puts a figure of between $225 billion to $600 billion on the annual costs from the loss of IP in the United States alone.
3. Strengthen your IP defences
Aon’s latest C-Suite report – Prepare for the expected: Safeguarding value in the era of cyber risk – provides a valuable cyber security framework for businesses to follow when it comes to protecting the overall business from a cyber threat.
From an IP perspective, a fresh framework to IP governance is required. It will be useful to layer on that framework specific initiatives, such as establishing a trade secrets registry, which is encrypted and where only the public elements of the trade secret (date of creation, title/abstract and author/company name and update history) are held on the blockchain. This will protect a business if, for instance, systems are hacked, and all records of the trade secrets are lost. Whilst a trade secret register can help innovation capture and managing risk, senior stakeholders should note that before or after implementing such a tool, conducting an IP audit is also key - to identify the IP the company holds and what governance processes a company has to capture its IP – so as not to build on sandy ground.
The risk of disgruntled employees stealing company IP should also be addressed more carefully. During a recent Silicon Valley panel, Leland Gardner, patent counsel for Google, was reported by news service Law360 as stating that the “biggest thing companies can do to prevent trade secret misappropriation is to implement preventative employee training and enact strong policies against employee IP theft.” On the same panel, an FBI agent added that most of the IP theft cases pursued by the government involve employees, with a quarter (26%) using email to steal information and 25% using USB devices. And that is only the tip of the iceberg.
4. Make IP a C-suite priority
A company’s IP is at risk from cyber incidents and the absence of regulatory scrutiny or the threat of a GDPR or regulatory fines should not be a reason for Boards to underestimate the threat to trade secrets and core IP assets in the current cyber-threat environment. Given the rise in businesses’ intangible assets relative to overall value, most organisations – large or small, and particularly those where intangible assets represent a significant proportion of overall value – should see the protection of IP from a cyber threat as a high priority item on the C-suite agenda.
To find out more about how to protect your business from the cyber threat, read the Aon report: Prepare for the expected: Safeguarding value in the era of cyber risk