Cyber Criminals Target Intellectual Property

Business Insurance

Cyber Criminals Target Intellectual Property

01 November 2022

Theft, misappropriation or infringement of intellectual property (IP) – assets that lack physical substance such as patents, trademarks, copyrights, data rights and trade secrets – poses a significant and growing risk to organisations. IP is core to innovation and business growth, and with cyber incidents targeting IP on the rise, the danger of brands and IP being hijacked by cybercriminals is rapidly escalating.

  • From 2005 to 2018, the value of intangible assets held by the five hundred largest US companies by market cap increased from $9.28 trillion to $21,03 trillion.[1]
  • Intangible assets now command over 90% of the S&P500 market value.[2]
  • 28% of IP, cyber and risk professionals reported experiencing a material IP incident within the last two years, with 69% of incidents involving infringements of, or challenges to, the company’s IP.[3]

The threat of intellectual property theft or misappropriation comes from several different actors, including current and former employees, the organisation’s supply chain, third-party vendors and state-sponsored cyber criminals or hackers.

According to Zamani Ngidi, Cyber Solutions Client Manager at Aon South Africa, Intellectual property losses are often complex. “IP is typically more difficult to value and insure when compared to traditional property losses that have a physical presence, for example, the costs associated with IP litigation, damages and theft can be devastating. Despite the importance of IP to an organisation and the percentage contribution of IP to the total assets on the balance sheet, physical assets in the form of property, plant and equipment, have far more coverage by insurance (60% vs 16%)[4],” he illustrates.

Trade Secrets

A key concern is the theft of trade secrets, which according to the US Chamber of commerce is valued in excess of $5 trillion. Trade secrets are defined differently around the world, but broadly, according to the World Intellectual Property Organisation (WIPO), trade secrets include “any confidential business information that provides an enterprise with a competitive edge.”

Case Study 1:

In December 2019, the U.S. federal government brought criminal charges against two former technology company employees accused of stealing trade secrets. In its request to monitor the location of the suspected perpetrators, the prosecution expressed ‘deep concerns’ that the former employees would try to flee the U.S. One worked on a secretive self-driving car program and allegedly took files related to the project before disclosing his intent to work for a foreign competitor. The second purportedly took more than 2,000 files containing ‘manuals, schematics, diagrams and photographs of computer screens showing pages in secure databases,’ with intent to share.

 

Case Study 2:

On South African shores, in November 2019 President Cyril Ramaphosa authorised the Special Investigating Unit (SIU) to launch an investigation into allegations that a major security breach at state arms company Denel may have led to the theft of classified and highly sensitive data about the company and the South African military’s missile capabilities. The unprecedented breach has been compared to treason and industrial espionage by a senior military officer.[5]

 

With this backdrop, it makes sense that nearly half of 400 senior executives report that trade secrets are more important than patents and trademarks[6]. However, less than one-third of companies have taken basic measures to protect trade secrets. The significance and protection of IP need to be front and centre with organisations allocating appropriate resources to the strategy, valuation and protection of IP based on a cost-benefit analysis.

“Although intellectual property strategy, valuation and protection are issues for a board of directors to consider, IP protection resides in and across the remit of many corporate stakeholders including innovation officers, Chief Technology Officers (CTO), heads of IP and human resources,” explains Zamani.

Identifying Critical Assets

“An important step in solving the IP puzzle is for organisation to identify critical assets, sometimes referred to as ‘crown jewels,’ to understand what intellectual property the company holds and where it sits across the organisation’s operating environment,” says Zamani.

  • Is the data stored on a network server, in cloud storage, on an employee’s personal device or a third-party vendor system?
  • What, exactly, is the essence of the intellectual property?

“Once identified, assets can be tagged, classified and protected – both physically and digitally. The use of advanced control technologies and processes should be contemplated, including encryption, access controls, monitoring and logging technologies. These controls should be augmented by a robust employee training programme. People are often the weakest link in an organisation and IP is vulnerable to human error or carelessness. Training that addresses how IP can be unintentionally exposed is vital,” Zamani explains.

Quantifying the value of IP is an important step on the way to evaluating risk appetite and then insuring the value of the IP that could be compromised. “Financial analytics and modelling can help inform risk transfer methods, such as limits and scope of intellectual property insurance coverage. As IP theft becomes a more considerable issue and competitors look to increase market share in any way, companies may also need to defend themselves against accusations of IP infringement or theft. As a result, businesses may be exposed to potentially significant financial losses and reputational damage,” says Zamani.

Even with adequate and appropriate training, IP can still be vulnerable. The intelligence gathered during a strategic assessment can inform and strengthen an organisation’s incident response. In the event of a breach, knowing where the IP is held within the network helps the response team to more rapidly identify what data might have been impacted or infiltrated. Was IP data compromised? And importantly, what exactly was in that data? If it can be determined that IP was misappropriated, organisations can more rapidly set a defensible path to try to mitigate the impact of the IP theft and preserve the secrecy of their most valuable assets. The effective management of incident response, including forensics, is critical as it may serve to support subsequent litigation or loss recovery.

It is at this junction that the assistance of an experienced broker that has insight into intellectual property solutions and the cyber risk presented by a company’s intellectual property comes to the fore. “Speak to your broker today to make sure that your organisation’s IP is quantified and protected in addition to having a solid incident response strategy in place to keep your company’s most valued assets secure,” concludes Zamani.

 

[1] https://www.aon.com/getmedia/60fbb49a-c7a5-4027-ba98-0553b29dc89f/Ponemon-Report-V24.aspx

[2] https://www.oceantomo.com/intangible-asset-market-value-study/

[3] https://www.aon.com/getmedia/60fbb49a-c7a5-4027-ba98-0553b29dc89f/Ponemon-Report-V24.aspx

[4] https://www.aon.com/getmedia/60fbb49a-c7a5-4027-ba98-0553b29dc89f/Ponemon-Report-V24.aspx

[5] https://www.news24.com/citypress/news/how-sas-weapons-tech-was-stolen-and-given-to-saudi-arms-company-20191118

[6] https://www.bakermckenzie.com/en/insight/publications/2018/12/board-ultimatum