Cybersecurity, Shareholders, and the Boardroom: an Analysis of Current and Proposed Measures for Protecting Corporate Intellectual Property

• Publication year: 2018

Cybersecurity, Shareholders, and the Boardroom: An Analysis of Current and Proposed Measures for Protecting Corporate Intellectual Property

Kathryn V. Wymer
University of Georgia School of Law

CYBERSECURITY, SHAREHOLDERS, AND THE BOARDROOM: AN ANALYSIS OF CURRENT AND PROPOSED MEASURES FOR PROTECTING CORPORATE INTELLECTUAL PROPERTY

Kathryn V. Wymer^*

[Page 228]

I. INTRODUCTION.....................................................................................................229

II. BACKGROUND......................................................................................................233

A. DISCLOSURE FRAMEWORK..............................................................................233
B. CURRENT STATUS OF CYBERSECURITY IN DISCLOSURE REQUIREMENTS....................................................................................................235
C. CURRENT LEGISLATION REGARDING REGULATING CORPORATE CYBERSECURITY...................................................................................................237

III. ANALYSIS..............................................................................................................237

A. ADEQUACY OF CURRENT PROPOSAL..........................................................237
B. PROPOSED INCREASED REGULATION OF CORPORATE CYBERSECURITY MATTERS...................................................238
C. LIKELY CORPORATE RESPONSE....................................................................239

IV. CONCLUSION......................................................................................................240

[Page 229]

I. INTRODUCTION

The Zeitgeist of the digital era is so pervasive that it renders explicit observation of corporate technological dependence redundant: it is universally true that large corporations electronically store an overwhelmingly large amount of valuable data on internet-connected computer networks.¹ Electronically-stored intellectual property (IP) and intangible assets relating to sales, planning, research and development, finance, and clientele each comprise a significant portion of corporate assets.² Studies and common sense both dictate that this paradigm of electronically-based business is only strengthening. A recent analysis of S&P 500 companies revealed that 83% of corporate market value was comprised of tangible assets in 1975.³ By 1995, this figure fell to 32%; by 2015, 16%.⁴ A corporation in any industry, whether traditionally IP-intensive or not, will likely owe its success to any or all types of IP: trademarks, design rights, copyrights, patents, trade secrets, and information stored in confidential databases.⁵ Both derivative of and influential on these traditional corporate intellectual properties are a corporation's goodwill and reputational capital, the portion of excess market value attributed to the perception of a firm as a responsible corporate citizen.⁶ This goodwill and reputational capital create brand appeal that is often as important to sales as quality or price in determining ultimate success; a favorably-recognized brand is one of the most valuable assets a company can own.⁷ This asset is particularly valuable for corporations whose products or services lack sophisticated technology that can be protected through patents or copyrights as well as corporations that operate in industries with relatively low barriers to entry.⁸ For example, the reputational capital of CocaCola has been estimated at $52 billion, Gillette at $12 billion, and

[Page 230]

Campbell's at $9 billion, illustrating the immense value and importance corporations should and do place on promoting and protecting their public perception.⁹

Given the vast amount of corporate value stored electronically, it is unsurprising that cybersecurity incidents that compromise corporate data are increasingly damaging and frequent.¹⁰ James Comey, former Director of the Federal Bureau of Investigation, recently observed there were two types of companies: those who have been hacked and those who do not know they have been hacked.¹¹ Though this observation may be a slight exaggeration, it is not far removed from reality: Comey proceeded to very seriously posit that the cybersecurity threat to the United States will soon surpass that posed by international and domestic terrorism.¹²

These infamous and increasingly frequent cybersecurity attacks directly impact the corporate reputational capital, which devalues corporate intellectual property.¹³ In a recent study of sixty-five companies affected by cybersecurity hacks since 2013, two-thirds saw an adverse impact with an average long-term decline of 1.8% and at worst 15% in value.¹⁴ This is particularly pertinent with retailers; a recent study revealed that after revelation of a cybersecurity breach, 12% of "loyal" customers no longer shop at the retailer and 36% shop there less frequently.¹⁵ With corporate identity of goodwill and reputation carrying such a high economic value, it is unsurprising why companies both with and without traditional IP assets spend millions of dollars annually on cybersecurity protection.¹⁶

[Page 231]

Though cybersecurity breaches often result in devaluation of corporate assets, this value can often rebound quite rapidly if met with appropriate corporate responses.¹⁷ Customers typically respond well to humility, transparency, and timely responses to breaches, which are corporate practices that can be provided for with sufficient foresight and preparation.¹⁸ In some cases, a scintilla of corporate response can assist in a rebound. For example, the former Chief Executive Officer of Equifax recently testified before the House Energy and Commerce Committee on the credit reporting bureau's 2017 hack of nearly one hundred and fifty million Americans' sensitive data.¹⁹ Though the corporation's stock declined dramatically upon the revelation of the breach, it saw its third-largest gain of 2017—3.9%, resulting in a market value increase of $500 million—by the end of the testimony.²⁰ Clearly, market value hinges on corporate response to cybersecurity breaches.

Our government officials, corporate leaders, and consumers are all concerned with the increasing threat of cybersecurity breaches. In the Equifax testimony, many Senators expressed incredulity over the corporation's executives' responses, with one Texas Senator Green comparing the continuing operation of Equifax to that of a restaurant with a failing health inspection remaining open.²¹ In a recent study, Information Systems Audit and Control Association (ISACA), an international professional association focused on information technology (IT) governance, found that loss of enterprise intellectual property was the greatest concern amongst corporate leaders when asked of the top risks of a cybersecurity breach.²² As previously explained, consumers respond to breaches with their wallets, directly impacting corporate value.²³

All of these concerns are compounded and expanded upon in investor concern. After the September 2017 disclosure of a cyberattack on Equifax that harmed nearly 43% of the entire U.S. population, Equifax's stock fell by 18% as individuals both affected and unaffected lashed out against the corporation in anger—the very entity that was supposed to protect their identities had exposed them to the world.²⁴ Max Wolff, chief economist at Disruptive Technology Advisors, commented that because of the sensitive nature of this security breach,

[Page 232]

this breach in particular will dramatically impact how investors feel about cybersecurity and disclosure.²⁵ As cybersecurity incidents become more prevalent, the trend is shifting away from investors' concern being sparked by an incident and towards a proactive concern upon making an investment in a corporation.²⁶ Cybersecurity vulnerabilities and threats, as well as corporate policies relating to prevention and response of attacks, are becoming key questions for today's investors.²⁷ Currently, shareholders lack sufficient information on cybersecurity incidents and "tools to measure their impact."²⁸ In fact, the declines in corporate value we see after a cybersecurity breach actually dramatically underestimate the harm done to the value of the company. This is largely because the long-term effects of a data breach are difficult to quantify: lost intellectual property, sensitive data, and customer confidence are all highly likely to occur but difficult to capture in a stock price.²⁹ As such, shareholder reactions to cybersecurity breaches up until recently have largely consisted of knee-jerk reactions to dramatic breaking news of the breach and direct impact on business operations that immediately affect a corporation's known property.³⁰ Because of a lack of information (and sometimes misinformation), it is almost impossible for shareholders to assess the very real implications of a cybersecurity breach.³¹

The prominence and severity of cybersecurity breaches and resulting financial risks have increasingly pervaded conversations on corporate governance and securities regulation for the past decade.³² Today's corporate environment has become increasingly compliance-focused, highlighting the need of effective disclosure and regulation to detect, monitor, and fix systemic corporate problems.³³ The United States is particularly and notoriously susceptible to cyberattacks because of the high number of insufficient networks and the presence of immensely valuable intellectual property.³⁴ Despite this, relatively little has been done to increase required disclosure of cybersecurity threats and regulate the response to them. The Dodd-Frank Wall Street Reform and

[Page 233]

Consumer Protection Act, the most sweeping piece of legislation in securities regulation in recent times, did not contemplate cybersecurity disclosures because it was not until the bill became law in 2010 that these issues took center stage. Cybersecurity simply became an issue too late to be fully...