In a letter dated 5 August 2004 the SEC noted that "the Sarbanes-Oxley Act of 2002 and the Commission's rules promulgated under the Act seek to strengthen pre-existing standards for internal controls, thereby potentially improving the ability of companies to track the costs and impact of economic espionage and theft of intellectual property." The SEC assumed — not unreasonably, albeit incorrectly — that internal controls were in place to identify and value intellectual property and critical information (IPCI), and to protect these from competitive intelligence, economic espionage, theft, and inappropriate disclosure.
The assumption was reasonable because there is a standard control process, OPSEC, developed by the U.S. Government, for the identification, valuation, and protection of information that would give adversaries and competitors an advantage. OPSEC is promulgated on the government side by the Interagency OPSEC Support Staff. The OPSEC Professionals Society is the independent professional society that provides certification of OPSEC Associate Professionals (OAP) and OPSEC Certified Professionals (OCP).
The assumption was incorrect because most senior managers do not think of IPCI as something that needs to be protected. After all, the PCAOB says that intellectual property developed in-house has no book value, which many equate to having no economic value. In addition, Sarbanes-Oxley requirements are so new that the majority of organizations have not yet funded a senior executive with detailed knowledge of the company's business functions, as well as Sarbanes-Oxley audit responsibility, to bring qualified OPSEC professionals to oversee an OPSEC program to identify information as needing to be protected from competitive intelligence, economic espionage, inappropriate disclosure, and theft, the four primary sources of loss of critical information. Without an OPSEC program you are unlikely to be capable of being compliant.
By most calculations, seventy percent of the value of a modern company lies in its IPCI, its intellectual property and critical information. Unfortunately, IPCI is an intangible. Some senior managers don't understand how something that is intangible can have real value. This lack of understanding is compounded by the fact that the PCAOB says that IPCI developed in-house has no book value, which many equate to having no economic value needing to be protected. They thus do not take appropriate measures to protect it, nor do they identify its value appropriately. Because of this, IPCI is easily lost to competitive intelligence, economic espionage, inappropriate disclosure, and theft.
What is the result of this? Substantial revenues not booked. According to the 2002 Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, U.S. businesses fail to take $300 billion in revenues each year because of competitive intelligence, economic espionage, inappropriate disclosure, and theft. According to a study by the American Society for Industrial Security (ASIS) with consultation from PricewaterhouseCoopers, the average discovered incident reduces revenues by $50 million in a manufacturing environment and $500,000 in a non-manufacturing environment. Our experience is that when we find one incident, we more often than not find another two. With the potential of up to 600,000 incidents each year in the United States, it is a near-certainty that you are a target, and highly probable that you are a victim.
Working backwards, we know that the cost of the average loss in a manufacturing environment is $50 million. We also know that if we encounter one incident we more often than not encounter another two. This puts the theoretical potential loss of revenues at $150 million. Let us also assume a cost for a fully functional OPSEC program to be $1 million. This figure is high for all but the largest corporations, but a nice round sum.
With this basic information our model would be:
Once we have this, we can calculate probable revenues
So what did our model reveal? That if you have $150 million in revenues at risk in an operating unit, your revenues will likely be $75,500,000 higher if you implement an OPSEC program than they would be if you chose not to implement an OPSEC program.
Is increasing your revenues by $75 million — or some multiple of $75 million — worthwhile? To answer this, ask yourself a number of questions:
You will have to deal with the consequences of being in non-compliance with Sarbanes-Oxley, which can involve both civil and criminal exposure.
If the theft ends up being prosecuted under the Economic Espionage Act of 1996, a compelling case can be made that by not having an OPSEC program as required by Sarbanes-Oxley to identify, value, and protect information from competitive intelligence, economic espionage, and theft, you failed to take the required "reasonable measures to keep such information secret." This means that you have, through negligence or deliberate indifference, abandoned the trade secret status of the stolen information, which was therefore not a trade secret as defined under the Economic Espionage Act of 1996 and the Uniform Trade Secrets Act.
You face the increased possibility of a shareholder negligent action lawsuit because you knew, or should have known, that with annual domestic losses of $300 billion there was a high-probability threat that you should have addressed. PLUS you both abandoned the trade secret status of your information under the Economic Espionage Act AND were non-compliant with Sarbanes-Oxley, which were at least partly designed to force you to protect shareholders from just this type of loss. Since ignoring Sarbanes-Oxley requirements indicates negligence or deliberate indifference, there is an increasing probability that your liability will not be covered by your Directors and Officers Insurance because you did not exercise due care. It becomes personal liability.
Using experienced and skilled OPSEC professionals, we use OPSEC to help you identify, value, and protect all information, trade secret or not, that might give competitors and adversaries an advantage if known. We use OPSEC to help you identify competitors and adversaries who might try to get this information. We use OPSEC to help you make sure this information doesn't get to these people.
In order to be effective, and because of governance liability, OPSEC needs to be authorized and overseen by a senior executive with detailed knowledge of the company's business functions. It is therefore appropriately handled through a team reporting to the CFO.
We can offer the specialized training and consulting you need to develop, implement, and maintain a successful program to protect you from competitive intelligence, economic espionage, and theft; comply with Sarbanes-Oxley; and demonstrate due care and a reasonable effort to protect trade secrets.
But an OPSEC program can do more than make you Sarbanes-Oxley compliant and remove the personal liability related to not having implemented an OPSEC program. Most obviously, if you are responsible for the sale of a company, and the benefits to the purchaser greatly outstrip the sale price because you had not adequately identified and valued the intellectual property, shareholders are increasingly likely to take you to task.
Next most obviously, it allows you to eliminate or reduce your company's share of the $300 billion lost every year to competitive intelligence, economic espionage, and theft. How much might this add to your bottom line? If you posited that losses were evenly divided among the Fortune 1000 companies, it could add as much as $300 million per year. But even if it added only $75 million a year to the bottom line, it would be contributory.
In addition, by fully identifying your actual assets and their value, you become equipped to exploit them to their fullest, maximizing their contribution to your bottom line. As an example, it costs roughly $80,000 to protect a patent over its lifetime, and an OPSEC program is likely to reveal that some patents no longer have real value. This puts you in the position of choosing how to deal with costs related to intellectual property that has lost its value.
By the same token, sometimes the value of an intellectual property lies not in the revenue stream it produces, but in its strategic value. But without identification of the asset and its potential value, a significant portion of the value will be wasted. Until the value is recognized it cannot be exploited.
If you have audit responsibility, and therefore personal liability under Sarbanes-Oxley for failure to implement an OPSEC program, you cannot afford to ignore the identification, valuation, and protection of intellectual property.
Join the OPSEC Professionals Society.
Contact The LUBRINCO Group about OPSEC consulting.