Edward Snowden had authorized access to, and subsequently stole, some of the most valuable proprietary assets of the United States Government. The National Security Agency’s strategies and tactics for fighting the war on terrorism have no dollar value on the balance sheet, but are fundamental to the long term success of the government’s most critical mission, protecting the American people.
While incomparable to the CFO’s role of protecting the assets of Corporate America, there is a common denominator—namely, that some of the most critical assets of U.S. companies are also not valued on their balance sheets. The estimated top line value of intellectual property theft in 2013 was over $300 billion, according to the May 22 Commission on the Theft of American Intellectual Property Report. This theft translates into financial statement impact in the form of shorter revenue streams and/or missed revenue growth expectations, and can translate into longer term deflated stock prices.
From product and sales strategies to acquisition and geographic expansion plans, the list of publicly declared proprietary and intellectual property (P&IP) stolen from Corporate America has grown rapidly in size and impact over the last five years.
The source of this risk is a cadre of players, including foreign governments, competitors, hackers and employees with and without intent. Despite best efforts and significant time and money spent implementing an expensive suite of technology solutions to firewall off access to the company’s networks and electronic P&IP, the incidents of theft continue and, in fact, are increasing.
Enterprise-cyber-security programs are an economic requirement in today’s business model. But in isolation, they will not succeed in protecting P&IP. During 2012, over 470 U.S. companies, government agencies and other institutions were forced to publicly acknowledge material breaches to their computer networks and tally the stolen data. Year-to-date, 343 companies have disclosed a network break-in, and that number is on pace to hit 588 by the end of 2013, according to the Identity Theft Resource Center.
Congress is publicly pushing the SEC to review existing disclosure rules, and it is anticipated that current guidelines will be transformed into more formal standards. CFOs will carry the burden of understanding and conveying their company’s P&IP risk profile and protection program as a basis for compliance with future disclosure rules.
This is in alignment with the existing role that CFOs play under the Sarbanes-Oxley Act. While IT supports technology-enabled internal controls; the broader top- down management view of the enterprise control environment inclusive of technology is the domain of the CFO.
As displayed in the Snowden incident, and routinely identified as the root cause of continued failure in cyber- protection programs, not all of the theft is from outsiders and, and successful theft from outside is typically enabled by unsuspecting employees and third-party vendors who have legitimate need to be in the company’s networks. CFOs, with their broader influence, visibility and accountability are best fitted to oversee the necessary components of the company’s P&IP risk profile and protection program inclusive of both cyber and non-cyber.
This oversight starts with the CFO engaging the organization at both the board and senior executive levels to establish a common understanding of the company’s risk profile and P&IP asset inventory.
The CFO must provide the board with a better understanding of the threat actors and their wide variety of methods, technology and human target based, to targeting P&IP. Once the fundamental language of P&IP is established, a more robust discussion on how best to define, value, prioritize and protect can occur.
When pushing this initiative forward, CFOs should place a good amount of attention on the non-technology aspects of the issue, specifically on employees. Supplementing technology tools with the creation of a resistant “human firewall” will significantly improve the overall capability of your protection program.
Employees must have a clear definition of what needs to be protected, a mandate that defines the employee role in protection, and the tools and knowledge about how to deflect the thieves.
Jim Burns is a managing director at MorganFranklin, a business consulting and technology solutions firm.