The hidden costs of an IP breach



In 2014, the Intellectual Property Office of the Philippines, the government’s lead agency for handling the registration and conflict resolution of intellectual property (IP) rights, logged over 2,000 inspections into possible violations of IP rights. These operations resulted in the seizure of over 13 million pieces of counterfeit and pirated goods, with a combined estimated value of P13.3 billion. That represents a 68.7 percent increase in value from the goods seized in 2013.

There’s no question that IP is a valuable asset to an organization. The design of the latest Hermès bag; the technology behind a Rolex watch; the chemical composition of Viagra—these are all examples of IP that help drive innovation, competitiveness, and business growth. In many cases, IP is the heart of a company: According to a study on intangible assets, IP can constitute more than 80 percent of a single company’s value today.

And yet IP cyber theft is a crime that has largely remained in the shadows. Unlike more familiar cybercrimes such as theft of credit card and other personally identifiable information, IP cyber theft has not received as much attention, possibly because the impact to the consuming public is less direct. Companies also have little incentive to report such incidents since they risk potential brand and reputational damage.

Unfortunately, this lack of attention sometimes goes all the way up to management, with companies often neglecting to appropriately prioritize IP protection and incident readiness.

In a report entitled “The hidden costs of an IP breach,” Deloitte executives specializing in cyber risk and forensics write about how organizations can value the spectrum of losses from IP cyber theft so that they can better appreciate the full ramifications of this crime and, from there, position IP within a broader cyber risk program.

Often cybercriminals target corporate secrets rather than IP that is already in the public domain, such as patents and trademarks. These perpetrators are looking for proprietary business information that can be monetized quickly and that will help them save on R&D costs.

Last year, an industrial company based in South Korea pleaded guilty to conspiring with former employees of a US-based engineering company to steal the latter’s trade secrets. The South Korean firm admitted that it obtained the confidential information because it wanted to improve its own product, which was similar to the US company’s most popular brand. In an effort to shortcut the R&D process by appropriating the proven technology of a competitor, the company ended up having to pay $85 million in criminal fines and $275 million in restitution.

So how can a company attach a value to theft such as this?

In its report, Deloitte used a fictitious IT company called Thing to Thing to illustrate the costs a company will likely rack up across the three phases following a cyber breach.

Incident triage
This is the phase immediately following the discovery of the attack, when a company is scrambling to analyze what happened, plug any gaps, implement emergency business continuity measures, and attend to legal and public relations (PR) needs.

In the case of Thing to Thing, cybercriminals were able to steal IP relevant to a product that would have contributed one-quarter of the company’s total revenues over the next five years. The company also discovered that the cyber thieves were reverse-engineering the stolen IP in order to beat Thing to Thing to market.

As a response, Thing to Thing hired a top PR firm to reach out to stakeholders and to manage its public image. It also retained lawyers and a forensics firm to investigate the extent of the breach, and a cybersecurity firm to remediate the breach.

Impact management
During this phase, the company takes steps—such as repairing relationships with stakeholders, strengthening IT infrastructure, studying the legal challenges—to reduce and address the direct consequences of the theft.

In Deloitte’s scenario, Thing to Thing is forced to suspend planned sales of its new product. Instead, it focuses on hiring additional R&D talent to help its existing R&D team develop an upgraded product that will be ready for release two months ahead of the original launch date in order to beat the cyber thieves to the punch.

Unfortunately, the seeming inability of Thing to Thing to protect its own network results in the government canceling a key contract that would have contributed 5 percent of revenues. The company also loses an additional 5 percent in revenue as existing customers and clients step back.

Business recovery
This phase encompasses the months and years after the attack, when the company continues to repair the damage to the business, works to thwart competitors’ efforts to profit from the stolen IP, and shores up its cyber defenses for the long term.

In the case of Thing to Thing, it conducts an enterprise-wide assessment with the goal of developing a stronger cyber risk management strategy and implementation plan. This exercise leads to other initiatives, such as an IP inventory, classification, and protection program and security infrastructure upgrades, all of which entail additional costs. The company also covers additional investigation and litigation costs associated with the breach, and PR costs to rebuild public trust.

In total, over time, Deloitte estimates that this one incident of cyber theft cost Thing to Thing, which is valued at $40 billion, over $3.2 billion. (For a more detailed computation, download the Deloitte publication in full here:

By highlighting the must-dos in the aftermath of a cyber breach in this walk-through, Deloitte hopes to give executives a clearer picture of the full ramifications of IP theft. If anything, it should communicate this message: that managing the risk of IP theft must become an integral part of corporate IP strategy under the purview of the CEO, CFO, general counsel, and the CIO. And for consumers, maybe this will give them an idea of the gravity of the crime they end up abetting when they purchase counterfeit or pirated goods.

The author is a senior director with the Risk Advisory group of Navarro Amper & Co., the local member firm of Deloitte Southeast Asia Ltd., a member firm of Deloitte Touche Tohmatsu Limited – comprising Deloitte practices operating in Brunei, Cambodia, Guam, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam.

