SEC Cybersecurity Disclosure Rule requires affirmative Trade Secret Risk Management

The recently passed Cybersecurity Disclosure Requirements by the U.S. Securities and Exchange Commission are broad enough to trigger notification if high-value trade secrets are compromised. The loss of a company’s ability to enforce its trade secret rights around such an asset is, by definition, “material”. So even though this new regulation is being pushed out to and through the “cyber” echo chamber, I believe it is just as much an IP risk management issue. This puts to bed, finally, the frequent argument that companies should not identify and list their trade secrets, or value them, for fear that they might “miss something”.

This is a plea for companies to start paying closer attention to their trade secret asset risk management (TSARM) practices, and for the silos between cyber and IP, specifically trade secrets, to be broken down. That goes for law firms, insurance brokers, and other advisors to Boards of Directors as well.

The requirement to notify via an 8-K of any “material” breach in security (within 4 days of the materiality determination, which itself must be made expeditiously) means that a company has to know what is “material”. If you don’t know what or where your trade secrets are, or how valuable they are to future earnings (or savings, as the case may be), it will be virtually impossible to meet this requirement.

The SEC used as an example of “material” a breach that could “damage your reputation or competitiveness”. And since trade secrets, especially Crown Jewels, ARE your competitive advantage, you must be able to document unequivocally what they are, why they’re valuable, and that you took reasonable measures to protect them. Reasonable measures in the context of trade secrets do NOT mean they are treated like every other asset. Can you prove what you were doing differently?

The rule also states that annual public filings must describe the “process” used to manage cyber risk AND disclose any PRIOR incidents that have not yet been disclosed. This has significant implications, because many companies to date have kept these incidents quiet for fear of reputation damage and the like (further underscoring the fact that the published data on the frequency and severity of trade secret misappropriation are badly underestimated).

Obviously any cyber attack by an outsider (competitors or nation-state actors included) is contemplated here. But what about the former employee who takes things on his/her own device? Or emails trade secret information to a home computer or to the cloud? Are those in scope? I would argue YES. Cyber laws and most cyber insurance policies covering privacy and security breaches generally treat those types of compromises as being on your “network”, so there is a ton of precedent for this being in scope. What cyber policies DO NOT cover is the value of IP, especially the potential future part of it.

We can help! See video in LinkedIn post below.

Mary Guzman

Founder and CEO of Crown Jewel® Insurance.
