Firms that refer in annual reports to their trade secrets markedly increase risk of cyber-attacks, study suggests
“The threat is incredibly serious,” the FBI warns in a report this May on cyber-crime. “Intrusions are becoming more commonplace, more dangerous, and more sophisticated… [as] companies are targeted for trade secrets and other sensitive corporate data.”
Strong stuff, but hardly a surprise amid widespread charges nowadays of commercial larceny by nations and companies alike.
And, as a new scholarly study explains, "Trade secrets are one of the primary means through which firms create and maintain value. A firm's ability to prevent [them] from being stolen, copied, or eroded is one of the key factors ensuring its longevity...Even so, trade-secret theft has become a serious threat to the U.S. economy [causing damage] in the range of one to three percent of its GDP."
With the principal means of trade-secret thievery shifting from betrayals by former employees to cyber-attacks, the new research, to be presented at the forthcoming annual meeting of the American Accounting Association (Aug. 3-8), offers what seems a disarmingly simple option for reducing theft: Desist from disclosing the existence of trade secrets in the company 10-K, the financial report that public companies are required to submit annually to the SEC and that they disseminate widely to investors.
Drawing on data from about 7,500 companies over a span of nine years, the study finds that about one third of their 10-Ks mentioned that the firms possessed trade secrets. Even though essential information about the secrets is customarily withheld, simply revealing their existence increases the chances of a cyber-breach by an average of about 30%, according to the paper by Michael Ettredge and Yijun Li of the University of Kansas and Feng Guo of Iowa State University.
The likelihood of subsequent breaches, the authors add, is “most pronounced among younger firms, firms with fewer employees, and firms operating in more competitive industries…consistent with the notion that firms’ trade secrets are more likely to be hacked when the trade secrets are more valuable or when alternative ways to obtain firms’ trade secrets, such as hiring away firms’ employees are not available.”
The authors concede that a decision not to mention trade secrets may be difficult for many companies. As they explain, mere acknowledgement of trade secrets “does not impose any direct proprietary costs on the firm. Furthermore, firms…could signal greater value of their stocks by discussing the existence of trade secrets…and how [they] take the appropriate steps to protect [them] from misappropriations.” A further advantage, the authors add, is that allusions to trade secrets in 10-Ks can provide evidence in case of subsequent litigation alleging misappropriation.
Comments Prof. Ettredge, “Given such advantages, managers may well be reluctant to forgo the opportunity of revealing in their annual reports that they have trade secrets to protect. Since the number of breaches in our sample amounted to less than five percent of the total 10-Ks containing allusions to trade secrets, the relationship we’ve discovered is something of a black swan. But should the black swan land, it could be disastrous for a company, and our findings suggest that the chance of its landing increases by almost one third when the existence of trade secrets is disclosed.”
In sum, if the benefits are considerable for a firm, disclosure may be worth the increased risk of a cyber-breach. What the new study is the first to suggest is that disclosure does, indeed, markedly increase that risk.
Of the two principal means companies use to protect intellectual property, trade secrets lack the legal protections provided by patent status, but their details do not have to be publicly disclosed, as is the case with patents. Celebrated examples of trade secrets include Google’s search algorithms, Coca-Cola’s ingredients, Big Mac’s special sauce, and the process to produce the lubricant WD-40. A 2016 report from the U.S. Chamber of Commerce estimated that publicly traded U.S. companies own $5 trillion in trade secrets. An earlier survey by the U.S. Census Bureau, comparing firms’ valuation of trade secrets and patents, revealed them to be three times more likely to consider the former very important, and a survey in Europe found that companies rated secrecy more valuable than patents for protecting innovations. Given the vast stakes, it is no surprise that, in the words of the new study, “trade secrets are most likely to be stolen not by amateur hackers or informal hacker groups but by well-trained and well-supported hackers on behalf of companies that can use such information.”
The paper’s findings emerge from an analysis of the relationship between companies’ references to trade secrets in their annual reports from 2006 through 2014 (as indicated by the key words “trade secret” and “trade secrecy” in the 10-Ks) and the occurrence of cyber-breaches in the course of the following year. Data on breaches were obtained from several sources, principally from a nonprofit organization dedicated to gathering cybersecurity information. A total of 39,992 10-Ks were included in the analysis of which 12,542 mentioned trade secrets, and 591 cyber-breaches were identified. The secrets not only pertained to methods and formulas but in some cases consisted of confidential customer information, such as the data stolen in the headline-making breach of Target in 2013. The industries that accounted for the most breaches were the finance, insurance, and real estate group (accounting for about 33% of the total); service industries (about 20.5%); and manufacturing (about 20%). Manufacturing and service industries accounted for the most 10-Ks that referred to trade secrets, the former making up about 56.5% of the total and the latter about 26%.
In their analysis, the researchers controlled for many factors that can influence the likelihood of breaches, prominent among them cyber defense and cyber vulnerability. These were estimated by counting pertinent words and phrases in 10-Ks – terms suggestive of defense, such as “risk control” or “risk governance,” and others suggestive of vulnerability, such as “IT risk” or “security breach.” While cyber vulnerability was found to be significantly associated with subsequent breaches, the results for cyber-defenses were mixed.
The authors add: “If firms having trade secrets employ extra care in protecting these secrets against cyberattacks, it is possible that disclosures of the existence of trade secrets are not associated with increased propensity for hacker attacks. Although this ‘deterrence’ argument is plausible, we believe that the argument for a positive association [between such disclosures and subsequent breaches] is stronger.”
The paper, “Trade Secrets and Cybersecurity Breaches,” is among hundreds of scholarly presentations scheduled for the American Accounting Association annual meeting, expected to attract some 4,000 scholars and practitioners to National Harbor, MD, outside Washington, from August 3rd to 8th. The AAA is a worldwide organization devoted to excellence in accounting education, research, and practice. Journals published by the AAA and its specialty sections include The Accounting Review, Accounting Horizons, Issues in Accounting Education, Behavioral Research in Accounting, Journal of Management Accounting Research, Auditing: A Journal of Practice & Theory, The Journal of the American Taxation Association, Journal of Financial Reporting, and Journal of Forensic Accounting Research.
Article by American Accounting Association