Cyberattackers and. your intellectual. property: Valuing. and guarding prized. business assets

Transcription

1 Deloitte Transactions & Business Analytics LLP Cyberattackers and your intellectual property: Valuing and guarding prized business assets The Dbriefs Transactions & Business Events series Hector Calzada, Managing Director, Deloitte Transactions & Business Analytics LLP John Gelinne, Managing Director, Deloitte & Touche LLP Emily Mossburg, Principal, Deloitte & Touche LLP September 28, 2016

2 Agenda The landscape for intellectual property (IP) cyber theft A preparedness gap What does an IP theft cyberattack cost? Looking at a fictitious scenario Considerations for mitigating the risk of cyber IP theft Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 2

3 The IP cyber theft landscape 44% of executives named loss of IP or strategic proprietary information as one of their top three cyber risk concerns.* Trends fueling IP cyber theft Digitization of everything Connection of everyone and everything to the internet Expanding ecosystems even R&D is outsourced New technologies, such as 3D printing, continue to introduce new forms and vehicles for IP theft The issue receives growing law enforcement and policy attention. In a competitive economic landscape, stealing IP is easier and faster than creating it * Deloitte Regional Cybersecurity Survey, 2015 Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 3

4 Many types of IP and theft across many industries Automotive Employee steals trade secrets to foreign competitor for personal gain Industrial products Former employee steals formulas, raw materials information, sales and cost data, product research, marketing data and other proprietary information before gaining employment at a competitor Financial services Programmer steals software code owned by a third party Life sciences Scientists charged with stealing biomedical information from their employer for resale overseas Media and entertainment Cybercriminals plead guilty to conspiracy for stealing unreleased software, source code, and copyrighted materials Energy & resources Foreign nationals indicted for stealing design specifications, financial information, attorneyclient privileged communications and other IP from energy product manufacturers Information gathered from Federal government Foreign nationals hacked systems to steal manufacturing plans Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 4

5 Polling question #1: Has your organization suffered an intellectual property cybertheft incident (electronic theft of trade secrets, drawings and plans, or proprietary know-how) within the past 12 months? Yes No Don t know Not applicable Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 5

6 Are organizations adequately addressing the risk of IP theft? Cyber programs tend to be shaped around common data breaches Security controls, detection capabilities, and incident response plans are formed largely around risks associated with volumes of sensitive data records Organizations expect a set of well-known impacts Financial Regulatory Reputational Commonly associated costs Customer breach notification Post-breach customer protection Regulatory compliance costs Public relations costs Attorney fees and litigation Cybersecurity improvements Cost of lost customers Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 6

7 What is the broader impact of an attack aimed at undermining competitive advantage? Supply chain tampering Disruption of critical services Theft of strategic information Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 7

8 Polling question #2: Which category of potential adversary do you think would be most likely to attempt theft of your organization s IP? Employees or other insiders Third parties with which your organization engages regularly Nation-states Activist groups not sponsored by nation-states Competitors Don t know / not applicable Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 8

9 A narrow lens on cyberattacks can leave organizations unprepared for the broader potential costs Direct costs associated with data breaches Many are intangible and require our Valuation skills In our scenarios, costs beneath the surface account for over 95% of the financial impact. Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 9

10 and unprepared for the duration of recovery efforts Analyze and take immediate steps to stop compromises in progress Incident triage Reduce and address the direct consequences of the incident Impact management Repair damage to the business and prevent occurrence of future incidents Business recovery In our scenarios, less than 10% of the total costs are incurred during triage. Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 10

11 Polling question #3: Do you expect the number of IP cyber theft incidents (successful or attempted cyber theft of trade secrets, drawings and plans, or proprietary know-how) to change in the coming 12 months? Yes I expect the number will increase Yes I expect the number will decrease No I do not expect it to change Don t know Not applicable Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 11

12 Illustrating a case of IP cyber theft A fictitious technology company $40B Revenue 60,000 employees Growth rests on innovative products to support management of Internet of Things (IoT) environments Hundreds of contracts across many industries, including some very large government contracts Pay $3.75M annually for $150M in cyber insurance Relatively mature incident response capabilities Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 12

13 Anatomy of the attack they face In six months, the company plans to launch a new version of a core product. A federal agency notifies the company that its infrastructure has been breached by a foreign nationstate.! Day One Day 10 Day 40 An investigation shows that IP tied to 15 out of 30 product lines was stolen. Revenue associated with these products is expected to be 25% of the total revenue over the next five years. A tech blog reveals that the foreign entity is reverseengineering the product that is due to be launched. Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 13

14 Recovering from the rippling effects Incident response timeline and distribution of impacts Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 14

15 Polling question #4: If your organization was to suffer theft of IP (trade secrets, drawings and plans, or proprietary know-how), which do you think would be the largest challenges? Assessing what IP had been stolen, or the impact of IP loss Seeking recovery of the IP as soon as possible Modification of existing IP to minimize loss of competitive advantage Preparing for litigation as a result of IP theft Managing investor and customer/client relationships Don t know / Not applicable Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 15

16 Estimating financial impact of an attack Deriving cost and duration data Leveraged experience helping companies recover from major cyberattacks Developed fictitious profiles and scenarios based on industry knowledge Used publicly available information on similar companies as benchmark data to derive factors used in direct cost and valuation equations Calculating direct costs Relatively simple to approximate based on publicly available information Leveraged existing studies Customer protection programs PR costs Legal costs Customer notification Regulatory fines Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 16

17 Estimating the financial impact of an attack Calculating intangible impacts Applying professional judgement, accepted financial modeling methods and reasonable assumptions in the absence of detailed, actual data Financial impact is associated with a specific point in time With-and-without/But-for methodology Relief-from-royalty methodology Reliance on assumptions Loss of IP Increased cost to raise debt Lost contracts Devaluation of trade name Lost value of customer relationships Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 17

18 What does it cost? Total potential impact >$3B Many costs associated with PIItype data breaches do not factor in Greatest impacts are intangible costs The value of lost IP is not the major cost, but the theft of IP has rippling impacts Known costs Hidden costs Cost Factors Cost (millions) % Total Customer breach notification Post-breach customer protection Regulatory compliance Public relations $ % Attorney fees and litigation $ % Cybersecurity improvements $ % Lost value of customer relationships Increased cost to raise debt Insurance premium increases $ % Loss of intellectual property $ % Devaluation of trade name $ % Operational disruption $1, % Value of lost contract revenue $1, % Total $3, % Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 18

19 Polling question #5: How would you describe your organization s current effort to secure its IP (whether trade secrets, drawings and plans, or proprietary know-how)? Leading access to IP is very limited, on a need-to-know basis only Building we re working to strengthen our security protocols and systems around IP Lacking we do not have a defined program to protect and monitor access to IP Don t know / Not applicable Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 19

20 Improving the management of IP cyber risk: no need to start from scratch Creators of IP researchers and scientists understand what s at stake Technology leaders understand what s needed More attention needs to be paid to insider threat programs Most organizations still don t have a good data inventory & classification a daunting but essential effort Protection Trading/ cross-licensing Cyber risk Culture Product pipeline Sensing/ blocking IP monetization Industry reputation M&A activity Internal structure Integrate cyber awareness throughout the IP management lifecycle Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 20

21 There s a big disconnect with the business Cybersecurity programs continue to focus on the threats, vulnerabilities and probability. Often, not enough attention is paid to the true damages a particular type of cyberattack can cause. By looking realistically at the potential costs, business leaders can right-size investments to better protect their most valuable assets. How likely is this type of attack? What are the threats? What is the business impact? Where are our vulnerabilities? Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 21

22 Question and answer Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 22

23 Join us October 19 at 2 p.m. ET as our Transactions & Business Events series presents: Elevating risk: A new paradigm for risk management leadership Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 23

24 Eligible viewers may now download CPE certificates. Click the CPE icon in the dock at the bottom of your screen. CPE Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 24

25 Contact information Hector Calzada Managing Director Deloitte Transactions & Business Analytics John Gelinne Managing Director Deloitte & Touche LLP Connect with me on LinkedIn Connect with me on LinkedIn Emily Mossburg Principal Deloitte & Touche Connect with me on LinkedIn Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 25

26 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. Copyright 2016 Deloitte Development LLC. All rights reserved. Cyberattackers and your intellectual property: Valuing and 26

27 About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a detailed description of DTTL and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright 2016 Deloitte Development LLC. All rights reserved. 36 USC