Thou Shalt Not Steal: The Biggest Cyber Risks Are Not What You Might Think

Over the last 24 months cyber-security has exploded into public consciousness as organisations from Ashley Madison to the Democratic National Committee have been successfully targeted in cyber-security attacks.

Australasian Directors have become increasingly aware of the major risks associated with cyber-security for ill-prepared organisations. Damage from cyber-crime breaks down into four broad categories:

  1. Manipulation of systems to mis-direct funds (theft) e.g. an illegal bank transfer

  2. Withholding access to or damaging systems to extort payments (extortion) e.g. ransomware

  3. Damage to systems or leaking data with no apparent financial motive (vandalism) e.g. the Sony hack

  4. Theft of intangible assets (intellectual property) (espionage) to be used or sold

Boards have started to respond: for example, New Zealand now has the highest per capita penetration of cyber-insurance in the developed world. Well-crafted cyber-insurance generally covers (1) and (2) and the direct loss (such as system repair and downtime) associated with (3).

The Danger is Elsewhere

This is good news and represents a healthy step up from the previously low level of understanding. However, many Boards are failing to manage the most catastrophic of all cyber-risks: number (4), intangible asset theft (espionage).

Espionage includes theft of confidential information including algorithms, ingredients and formulas, manufacturing trade secrets and processes, product designs, bills of material, customer, supplier and employee data, pricing information and strategic business and financial information.

The scale of such intangible asset theft is huge: the US Director of National Intelligence estimated that in 2015 alone Chinese interests stole US$460 billion in intellectual property from US companies.

In “Cybersecurity Risk to Knowledge Assets”, Kilpatrick Townsend & Stockton and the Ponemon Institute surveyed 600 North American companies about their approach to cyber risks to “knowledge assets”. The results were stark:

Theft is rampant.

  • 74% reported it is likely that their company failed to detect a loss or theft of knowledge assets.

  • 60% stated it is likely one or more of their company’s knowledge assets are now in the hands of a competitor. 

  • Only 31% say their company has a classification system that segments intangible assets based on value or priority.

Executives and boards aren’t focused on the issue

  • Over 72% rate the company’s approach to the problem as “not effective” and cite lack of in-house expertise (67%) and lack of clear leadership (59%) for this.

  • 59% state a data breach involving knowledge assets would impact a company’s ability to continue as a going concern.

  • 53% felt that senior management is more concerned about a data breach involving credit card or customer information rather than the leakage of knowledge assets.

  • Only 32% say senior management understands the risk caused by unprotected knowledge assets.

  • 69% believe that senior management do not make the protection of knowledge assets a priority.

  • The board of directors is even worse off: barely 23% say the board is made aware of all breaches involving the loss or theft of knowledge assets.

  • Only 37% indicated that the board asked for assurances that knowledge assets are managed and safeguarded appropriately.

Three Reasons Cyber Theft of Intangible Assets Is Critical

Cyber-theft of intangible assets has the potential to cause catastrophic damage for three reasons:

  1. It directly and systematically degrades the long-term competitive edge of a company and transfers it to competitors. The victim company has typically expended substantial resources to develop a competitive edge but the thief enjoys the advantage for free (i.e. the victim pays 20% for its advantage, the thief gains 20%, a net 40% shift). Paying a false invoice of $50,000 (cyber damage type 1) is bad, but an effective 20% or 40% net shift in margin in a large company can be catastrophic. According to Kilpatrick et al., the average direct cost to remediate attacks against knowledge assets was US$5.4 million, but nearly 7 out of 10 respondents indicated that the real cost of such attacks is more likely to top US$100 million. 5 in 10 assessed the real cost at more than US$250 million.

  2. Over the long term it corrodes the incentive to develop new products. Writing in Harvard Business Review, Erik Meyersson found that, even prior to the advent of cyber crime, theft of intellectual property by East German companies “was so successful it crowded out R&D” in West Germany. The cyber age makes such theft easier than ever.

  3. The damage associated with intangible asset theft is frequently uninsurable for the very reason that it can potentially run for years and have far-reaching consequences, making it difficult for an insurance provider to identify the full quantum of damage. Interestingly, cyber-insurance is also unlikely to cover indirect loss associated with a hack such as damage to brand reputation (another form of intellectual property) – again because it is perceived to be difficult (though not impossible) to value the extent of the damage. Kilpatrick’s research found only 35% of respondents believed losses from the theft of knowledge assets were covered by their company’s insurance.

Given that intangible assets are frequently a company’s most valuable assets (would you rather a competitor steals a company car or your customer database?) and now account for on average 87% of all company value, it is essential that directors take the risk of intangible asset theft seriously.

Boards should insist their organisation institutes policies and processes to proactively identify, protect and monitor key knowledge assets such as trade secrets, know-how and data. Employee education is likewise essential.

Boards should absolutely consider taking cyber insurance but also need to carefully determine what the policy covers and in particular establish if theft of intangible assets (often the most substantial risk) is included and how quantum of damage is established.

As American science fiction writer Ursula Le Guin wrote, “where there’s property there’s theft”, and Boards need to act to protect their most valuable property.