Deloitte survey finds lack of protection around Trade Secrets still a problem. The SEC is watching
A recent study by Deloitte IP Advisory found that although 53% of companies found trade secrets to give them a competitive advantage, yet less than half have a formal process for managing the risks against theft/misappropriation of them. One problem right off the bat is that fundamentally ALL trade secrets provide a competitive advantage in some way, or they are not trade secrets!
That aside, there are several other interesting findings summarized in this article by Maia Edilashvili Biermann.
One recent, very significant issue that is both good and bad as far as movement on the "leadership awareness" front is that the new SEC Cybersecurity Rule (which went into effect in the US on Dec 18th) is actually FORCING public companies to a) describe in detail in their 10ks what they are doing to manage risks around ANY asset that, if stolen, could have a material impact on future earnings and b) file an 8k as soon as “materiality” is determined. In their comments/statements the SEC cited examples of what could be “material” things that could a) impact a company’s competitiveness in the market and/or b) things that could damage your reputation. Theft of a Crown Jewel trade secret, if known and disclosed, would likely do both a and b! They are finally acknowledging that you cant make a fully informed investment decision into a company whose main assets are intangible/IP assets without knowing how they are managing the risk around the loss of those assets. Makes perfect sense! This is the "good" part because Boards are responsible for this, full stop!!
The “bad” is that because the SEC did not call these material assets “trade secrets” even though that is often precisely what they are (or should be if protected properly), few people seem to be connecting the dots. In my opinion this is a massive opportunity (by the SEC) blown to make this a Board room discussion, purely due to semantics.
On a related note, an SEC investigation into a violation of this new Rule may not trigger D&O insurance. In fact it is unlikely that it would, given that the SEC would normally name the Entity in the investigation and the Entity coverage under D&O insurance generally only covers Securities litigation. I have not been a D&O broker for many years (back before my Cyber days even) but as I understand it the market still generally provides entity coverage for investigations only if an individual Director or Officer is named as well. Therefore, Boards best be prepared to deal with this issue sans D&O insurance protection for the moment.
What else can a company do? Hire consultants to help you implement a trade secret asset risk management program and/or purchase trade secret insurance. Companies have full fledged risk management programs and robust "1 in 100 year" insurance to cover tangible assets (and money and securities).
Why would this be any different?
