The tentacles of cyber crime seem to be reaching everywhere. For one, have you considered your company’s exposure to the potential threat of trade secrets being stolen?
Trade secrets are among the primary means by which companies create and maintain value. The ability to prevent them from being stolen, copied, or eroded is one of the key factors ensuring a company’s longevity.
Even so, trade-secret theft has become a serious threat to the U.S. economy, causing damage in the range of 1% to 3% of gross domestic product, according to a new academic study.
With the principal means of trade-secret thievery shifting from betrayals by former employees to cyber attacks, companies have a surprisingly simple option for reducing the risk of such theft: Desist from disclosing the existence of trade secrets in 10-K reports.
That’s according to the new research, scheduled to be presented at the annual meeting of the American Accounting Association (August 3-8).
Drawing on data from about 7,500 companies over a span of nine years, the study finds that about one third of their 10-Ks mentioned that the firms possessed trade secrets.
Even though essential information about the secrets is customarily withheld, simply revealing their existence increases the chances of a cyber breach by an average of about 30%, according to the paper by Michael Ettredge and Yijun Li of the University of Kansas and Feng Guo of Iowa State University.
The likelihood of subsequent breaches, the authors add, is most pronounced among younger firms, those with fewer employees, and those operating in more competitive industries.
Those findings are consistent with the notion that firms’ trade secrets are more likely to be hacked when the trade secrets are more valuable or when alternative ways to obtain them, such as hiring away firms’ employees, are relatively unavailable.
The authors concede that a decision not to mention trade secrets may be difficult for many companies. Mere acknowledgement of trade secrets “does not impose any direct proprietary costs on the firm,” they write.
Further, companies could boost the value of their shares by discussing the existence of trade secrets, as well as how they take appropriate steps to protect them from misappropriation.
A further rationale for including allusions to trade secrets in 10-Ks is that it can provide evidence in case of subsequent litigation alleging misappropriation.
The number of breaches in the study sample amounted to less than 5% of the total 10-Ks containing allusions to trade secrets. That makes the relationship the professors found “something of a black swan,” Ettredge acknowledges.
“But should the black swan land,” he adds, “it could be disastrous for a company, and our findings suggest that the chance of its landing increases by almost one third when the existence of trade secrets is disclosed.”
Of the two principal means companies use to protect intellectual property, trade secrets lack the legal protections provided by patent status. But their details do not have to be publicly disclosed, as is the case with patents.
Celebrated examples of trade secrets include Google’s search algorithms, Coca-Cola’s ingredients, Big Mac’s special sauce, and the process to produce the lubricant WD-40. A 2016 report from the U.S. Chamber of Commerce estimated that publicly traded U.S. companies own $5 trillion worth of trade secrets.
Given the vast stakes, it is no surprise that, in the study’s words, “trade secrets are most likely to be stolen not by amateur hackers or informal hacker groups but by well-trained and well-supported hackers on behalf of companies that can use such information.”
The paper’s findings emerge from an analysis of the relationship between companies’ references to trade secrets in their annual reports from 2006 through 2014 (as indicated by the keywords “trade secret” and “trade secrecy”) and the occurrence of cyber breaches over the following year.
The researchers controlled for many factors that can influence the likelihood of breaches, prominent among them cyber defense and cyber vulnerability. These were estimated by counting pertinent words and phrases in 10-Ks such as “risk control” or “risk governance,” and others suggestive of vulnerability, such as “IT risk” or “security breach.”
While cyber vulnerability was found to be significantly associated with subsequent breaches, the results for cyber defenses were mixed.
“If firms having trade secrets employ extra care in protecting these secrets against cyber attacks, it is possible that disclosures of the existence of trade secrets are not associated with increased propensity for hacker attacks,” the authors write.