Calculating – assigning dollar values to losses and impacts attributed to cyber-economic espionage…may appear to some, at first blush, to be relatively straightforward tasks.
When its conclusively demonstrated that a company’s… intellectual properties and other categories of intangible assets have been targeted, accessed, and acquired by a foreign economic and competitive advantage adversary, ala economic espionage…
- the legitimate holder of those assets is fiduciarily obligated to objectively describe to their board, investors, and insurers, etc., the respective…
- what, when, where, and how elements to the loss, and
- objectively assess the assets value and how the loss has-will adversely affect company reputation, brand, value, competitive advantages, revenues, and sustainability.
Similarly, if an external cyber attack, even temporarily, causes a company’s IT network to ‘go offline’…the targeted company is obliged to objectively calculate losses to productivity, sales, and essential communications, etc., during the time period of being offline. This calculation will includes costs to return their system to operational normalcy, presumably, with relevant safeguard upgrades.
Obviously, there is much more to calculating and assigning a dollar values to such costs/losses than engaging in mere guesstimates.
In these circumstances, company leadership is obliged to be candid…which for readers of this blog, it should come as no surprise that there are significant differences of opinion globally about assessing -calculating the costs and losses attributed to both malicious cyber activity and economic espionage, especially when such acts are directed to companies’ valuable, revenue generating, and competitive advantage (intangible) assets.
As conveyed in previous posts at this blog…the dollar values attached to economic – cyber espionage losses cited in numerous respected surveys and studies, range from a mere few billion dollars to hundreds of billion dollars annually.
To be sure, assigning specific price tags to companies’ cyber – economic espionage losses is challenging…but too, the processes are often embedded with subjective – agenda driven assessments that do not reflect a comprehensive accounting of the contributory value of each of the intangible assets which serve as the underlying foundations to a patent for example.
So, in these instances, business leadership may not find it prudent to… assume the findings of open source and/or sponsored surveys on this subject have been reached using objectively collected data and/or the calculations are free from the influence of larger political, social, and national security agendas.
There is little doubt in my view that circumstances such as this, contribute to…skepticism and reasons why practitioners, like myself, are witnessing such a broad range of loss estimates as outcomes to cyber – economic espionage. The first step to start mediating this sort of skepticism is for business leadership to seek – achieve operational familiarity with the contributory role and value of their company’s intangible assets.
Is economic-cyber the greatest transfer of wealth in history or merely a rounding error?…while I am not the originator of this question, it should now be much less challenging to recognize why its framed this way, i.e.,
- there are numerous responsible parties that do characterize losses attributed to cyber – economic espionage in this fashion, i.e., as constituting either the greatest transfer of wealth in human history, or merely as rounding errors in a $14 trillion dollar economy?
The former…of course, represents a perspective, I believe, intended to elevate the significance and adverse impact of cybercrime-economic espionage, while the latter represents a perspective, I believe, largely intended to diminish the ‘sticker shock’ if you will, regarding the value – cost of adverse impacts by characterizing it in the context of what is, too most, incomprehensible dollar amounts.
Since the passage of the Economic Espionage Act (EEA) in October, 1996…there has been no shortage of surveys and studies launched into the public domain. In some instances their findings are agenda driven and dramatized as is the case with identifying an array of adverse (economic, competitive advantage) impacts.
Having read and studied most, if not all, of these reports, I am inclined to…interpret the findings and supporting documentation to be variously competitive in the sense that each successive report offers a conceptually broader range of losses and impacts and in more dramatic fashion.
Too, more reports, particularly those published in recent years, are collaborative…in that a known and usually global player (i.e., accounting, consulting, or IT firm) has partnered with a prestigious university (academic unit) or ‘think tank’.
Presumably, by doing so, it will elevate the reports’ credence and validity…in the eyes of its targeted audience, and, too, serve as an effective marketing tool. Too, more reports include examples and/or mini-case studies describing the impact to a victimized company, whom, for multiple reasons elected to ‘go public’, perhaps at the behest of federal (EEA) prosecutors and thus agree to seek prosecution against the perpetrators, whomever, whatever, or wherever they may be.
Insofar as expectations of victimized companies (pursuing criminal actions under the EEA) to receive restitution for damages and losses…I don’t encourage companies to ‘hold their breadth’. In part, that’s because the probability is, at best, slim, and, when a Federal court does award damages, in EEA violations) it may be considered largely a symbolic message. That’s because those engaged in and prosecuted for EEA violations are obviously foreign in origin who may appear to be independent actors, its likely ‘state sponsorship’ will be a factor.
Another potential option for victim companies…with ‘deep pockets’, ample patience, and less concern for being globally competitive, is to seek action before the World Trade Organization (WTO).
Victim companies going public…readers of this blog will recognize there may be numerous factors – variables in play that influence a company to ‘go public’.
Going public, represents among other things, a companies’ admission…of being victimized, followed by the obligatory guesstimates of the extent – value of the losses attributed to the acts. All is initially, and frequently framed in passionate and angry guesstimates of how the acts and losses will impact the victim company, who the culprit(s) may be, and the stealth – methodology applied to commit the adverse act(s).
Victimized companies’, anger and passion aside…we now it is challenging to determine, let alone isolate and accurately assess, losses in rapid fashion, as will inevitably be necessary, once the matter becomes public.
That’s because, in many instances, the losses are not limited solely to…lost or undermined intellectual – structural capital, or trade secrets, proprietary intangible assets, or other intellectual properties.
Instead, the full extent of a targeted companies’ losses are frequently… more strategic, longer term, and manifest in the form of relationship – competitive capital, and thus, may not be fully realized – subject to assessment for several months out.
Reputation risk factor…is another factor in play with respect to the counsel and ultimate decision to ‘go public’ with a companies’ victimization. There is the very real possibility that having the matter come to public knowledge, scrutiny, and possible skepticism, there is, unfortunately, a probability the victim company, will experience reputation risk.
I refer to materialization of reputation risk, with the phrase...‘at some level’, because company (product, service) specific reputation risks can manifest in different ways for different sets of consumers, stakeholders, and investors, etc.
Yes, a company’s reputation is an intangible asset of the first order…a company’s reputation is embedded with – comprised of many other contributing intangible assets which collectively produce significant value. In other words, reputation represents expectations, and therefore serves as the rationale in which consumers distinguish, seek, and likely purchase one product or service over another because it consistently meets or exceeds our expectations.
Calculating losses attributed to economic espionage require objectively framed calculations and an operational familiarity with intangible assets, i.e., the intellectual, structural, and relationship capital produced…
For many years there has been a general inclination to accept…perhaps naively, the guesstimated findings of after-the-fact prognosticative research, regarding losses – impacts attributed to cyber – economic espionage valuations.
My counsel is that most any formula and/or conventional intangible asset valuation methodology…used to calculate – assign a dollar value to a loss and/or compromise of proprietary intangible assets and intellectual properties attributed to cyber-economic espionage should…
- differentiate the assets which have been targeted, lost, and/or compromised by category, i.e., intellectual, structural, and relationship capital to ensure the findings
- bring quantitative – qualitative distinctions and clarity to a fuller range of related acts/events which can materialize following an act of cyber-economic espionage,
- e.g., produce adverse stock market reactions if the targeted company is publicly traded, reputation risks, productivity losses, business disruptions, loss of consumer trust, expectations, and goodwill, as well as the costs required to re-establish IT and supply chain security, etc.
Michael D. Moberly [email protected] St. Louis August 11, 2014 the ‘Business Intangible Asset Blog’ since May 2006, 650+ posts, ‘where intangible assets, business, and effective solutions converge’.
Please explore other relevant blog posts, videos, books, and position papers at https://kpstrat.com/blog
As always, reader comments are most welcome!