Placing a Value on an R&D Loss

A Q&A with Rob Chiang of Navigant Consulting
When a company loses valuable R&D data during a breach incident, the value of that loss must be calculated for financial and legal purposes. I asked Rob Chiang, leader of the Intellectual Property valuation practice at Navigant Consulting, about the valuation process and how he determines the value of lost data.

What are the valuation methods you use?
There are generally three main valuation approaches:

  • Income Approach. This approach is based on the future cash flows that the business or asset is expected to generate going forward.
  • Market Approach. This approach is based on prices paid in transactions involving similar businesses or assets.
  • Cost Approach. This approach is based on the principle of replacement/substitution, or what it would cost to replace the asset or business.

For technology or R&D, the Income Approach is usually the most appropriate since it’s based specifically on future cash flows associated with the asset. The Market Approach should also be considered although it is generally difficult to find comparables in the market, especially when you’re talking about something that is unique or innovative like R&D. In addition, information regarding specific market transactions is usually confidential so it can be difficult to get the details of the transaction. The Cost Approach is sometimes considered but cost does not always translate into value. Just because you’ve put a lot of money into an R&D project doesn’t mean you will earn an adequate return in cash flow.

Can you explain how you might value an R&D loss, as in the case of hackers from a foreign nation-state?
When hackers come in and steal IP, clients come to me to learn what that IP is worth on its own or what profits they might have lost due to the theft. Accordingly, we can assist in estimating the IP’s overall value or estimating a component of that value (lost profits). In most cases, we will work with the client to develop the valuation model based on future cash projections, sales, profits, market industry research, and the background of the technology or asset in question. Of course, the clients usually know their products better than anyone else, so I generally need their input. In our projects, we generally deliver a full valuation report with detailed exhibits from the valuation model, but we can provide whatever the client needs and wants. Usually the valuation model is income-based and is flexible enough to run various sensitivities and scenarios in order to identify which variables have the greatest impact on value.

What issues or disputes might arise in the valuation process?
As I mentioned previously, the Income Approach is based on financial projections – which are based on assumptions for future sales, costs and profits associated with the asset or business. Therefore, the biggest issue or dispute generally pertains to the assumptions that are incorporated into the valuation model. These assumptions must be reasonable and supportable based on available market, industry, and historical information. Supporting these assumptions can be even more challenging with R&D projects and new technologies which don’t have the history of sales and profits for support.

In summary…
Theft of intellectual property, especially trade secrets, is arguably one of the leading cyber risk threats facing businesses and research organizations. Our hope is to someday convince our insurance carrier partners to cover this exposure – especially the first-party loss (diminished valuation or revenue) due to theft. Ceding this risk exposure via expanded cyber risk coverage is challenging for most insurers right now, primarily because of a lack of actuarial data on losses, and because of concerns about proactive valuation methods such as those outlined by Mr. Chiang. Another important topic is developing an upfront safeguarding and protection strategy for the IP, which is crucial. For this topic, we urge you to read the July 2013 related Junto blog interview with Marshall Heilman of Mandiant.

Protecting IP

A Q&A with James Giszczak of McDonald Hopkins, LLC
The loss of trade secrets through a data breach can have major implications both financially and legally for an organization. I asked attorney James Giszczak to share his insight about the threats today’s companies are facing and how they can better fortify their intellectual property protections.

Can you explain in layperson terms the issues facing organizations when it comes to safeguarding their IP?
Organizations have external threats—hackers that are either trying to steal information or disrupt business. They have a greater threat internally, whether it is an intentional bad act or simply human error. An employee might lose a laptop while traveling, for instance, and the information on it is lost or stolen. Finally, we are starting to see more bad actors from within, rogue employees that are misusing or stealing information and holding it hostage in exchange for something from the organization.

What are some of the blind spots facing businesses that might lead to a loss/theft of their IP?
All companies must manage these issues, irrespective of the resources of the organization. Yet there are still many companies who assume this only happens to the Sonys of the world. However, even a small company has substantial risk and exposure, yet in most cases a smaller budget than a Fortune 500 Company to deal with it. Big or small, we find that far too often companies fail to be proactive—they are only reactive. An extraordinary number of data breaches and losses are preventable. What’s sad is that companies will spend millions of dollars, an extremely large percentage of revenue, to generate more revenue but they do very little to protect their assets. Most organizations will leave security up to the IT folks, assuming that they have it covered with firewalls. That is certainly one piece of the pie, if you will, but I always tell my clients that they have to take a holistic view of the issue. Human resources, risk management, in-house counsel, and IT all have to be stakeholders in the process. The first step in being proactive is to educate employees about safeguarding data and why it’s important. For instance, certain information should not be physically removed from the office unless it’s encrypted.

What are some of the legal ramifications involving the protection of IP?
There are 47 states that have adopted the Uniform Trade Secret Act. The UTSA provides a statutory level of protection. Even if the organization doesn’t have its individual employees sign a confidentiality agreement, they may have recourse against former employees through a UTSA. At a basic level, in order to have recourse through a UTSA, you must show that the information has independent economic value and that the organization has taken reasonable steps to protect the IP. By the same token, if you haven’t been proactive then the law won’t provide you with the sword to protect your assets. Depending on the facts of a theft, an organization may also be able to rely on the Computer Fraud and Abuse Act.

What might a risk manager do to proactively mitigate exposure here?
When we counsel organizations we talk about assets and the importance of creating an asset protection program. Assets that typically need to be protected usually fall into three buckets: trade secrets, customer relationships and the knowledge base of personnel. All three need to be protected. One of the things we do first is conduct a review, providing clients with a questionnaire to determine what assets they have, what safeguards they already have and what particular risks and exposure they face. Often organizations don’t even realize what trade secrets they have. We look at what protections are already in place and what things they might not be implementing appropriately, and do a gap analysis to see where there’s exposure. Then we help them determine what policies and procedures can help protect them, making sure they’re robust from both an IT and an HR perspective. Finally, we make sure they have an incident response plan. A fairly basic thing is how people react when there’s an incident—they should not be sending around emails before they retain counsel because those emails are usually discoverable in litigation. I think the most critical thing on the front end is to talk with a data breach expert who understands the issues and the law, which can be dramatically different state to state, and can really explain the nuances of protection, specific to your company’s needs.

In summary…
Counselor Giszczak does an excellent job describing the problems facing the many organizations whose lifeblood is their IP. Given the recent problems highlighted in the press, such as the report by Mandiant (see Junto post: Fighting Against IP Espionage) and the APT threats outlined by security vendors such as McAfee (see Junto post: Fighting Advanced Malware), this exposure should be the top priority for risk managers charged with protecting the company’s bottom line from e-perils such as cyber espionage.

Protecting Intellectual Property from Internal and External Theft

A Q&A with Tim Ryan of Kroll
The second in our ongoing series on IP theft, this Q&A with Tim Ryan of Kroll explores the current situation companies are facing vis-à-vis data security and intellectual property, and what they can do to better arm against growing threats. A former FBI supervisor for the largest cyber squad in the United States, Ryan is currently the head of Kroll’s cyber practice, which handles incident response, breach investigations and risk assessment.

Can you explain the current situation of international IP theft in corporate America? What do companies need to know? Are there any misconceptions or myths that need to be addressed?
The problems we see fall into one of two main buckets. Companies are getting hacked externally by competitors looking for anything from product designs to marketing information or other data. The other threat is from insiders, contractors or employees who move on and take key data such as proprietary algorithms with them. Adding to the complexity of the situation is the fact that a lot of knowledge workers are foreign nationals residing here strictly for employment purposes so all of the legal constraints against taking data—non-compete and nondisclosure agreements—may not apply to them. As we move toward a knowledge-based economy, this poses a real problem. The biggest myth out there is that this is an IT issue—the thief downloaded the information from an IT system so that’s the department that will handle it. Sometimes vendors play into that myth by offering data loss prevention hardware or software with the promise that it will keep theft from happening but we all know that’s just not true. The truth is that for both external and internal threats you need a comprehensive team approach.

Why is this happening? Why now?
This is just a measure of how our economy has changed. We are constantly looking for efficiency through technology and we seamlessly share data across broad geographic areas in the blink of an eye. Those same systems, if not properly controlled, can allow access to that sensitive data. I also think it has something to do with the transient nature of our workplace. We no longer work at a single organization for twenty years. It’s often employees that are further down the food chain that are taking the info from job to job. People in the government know this practice is illegal but in the private sector it can be more amorphous as to what data is proprietary. Often we will get a call from a company when they realize that they unwittingly have another company’s data.

How might a company go about protecting their IP data and systems?
You need to have an integrated team that can deal with a threat. From an external point of view, it’s about IT architecture, governance, response training and risk assessment. Sometimes companies won’t do anything about external hacking because the problem doesn’t escalate from the lower level employees to the C-suite level. We find that there might be a conflict of interest, because IT employees feel it’s their job to prevent leaks so when something happens they don’t want to ring alarm bells. But that’s where a small problem can become a big one.

When you’re talking about internal issues, you need a team with IT, legal, human resources and the chief security officer. Too often companies are surprised to find out that an employee is doing something wrong, so it starts in the very beginning, with hiring practices, vetting every individual with a background check. However, when someone is from a foreign country it can be difficult to access criminal records, so you look at the timeline, you look at their skills, you look at everything very closely. And once they are hired, you limit their access to data. In the FBI employees are re-vetted every five years, and it should be the same for corporations. There also needs to be accountability. We recently investigated a case where an individual started with relatively minor infractions and then progressively got worse. The company documented what was happening but never did anything about it and by the time he was fired he had done something really egregious.

There’s a bigger trend, especially in large defense corporations, to bring in in-house data security, but if you go to medical facilities, financial trading firms and companies in the R&D space, they sometimes haven’t gone far enough and that’s when they get hit. Any organization should think about security solutions, whether it’s hiring someone internally or buying an off-the-shelf product, because the threat is out there and it’s real.

In summary…
Mr. Ryan mentioned the importance of IP in this new knowledge-based economy, making security paramount for companies whose data is their lifeblood. The recent study by Mandiant, available in the eRisk Hub, underscores the reality of this problem impacting corporate America every day. Many businesses still don’t have an inventory of their IP that needs protection. Having this in place is crucial for strategically protecting these assets. One possibility companies should consider, for example, is whether every system that houses IP needs to be connected to the public internet.

Fighting Against IP Espionage

A Q&A with Marshall Heilman of Mandiant
IP espionage is a real and growing concern for business, and a recent report from Mandiant, APT1: Exposing One of China’s Cyber Espionage Units, details the malicious activity coming out of China from one organization. To find out more about the specific attacks and what companies can do to protect their data, we spoke to Mandiant director of consulting Marshall Heilman.

What are some key themes from your recent report, APT1: Exposing One of China’s Cyber Espionage Units?
Most important is that this type of activity is real, and it’s a real threat. Almost any company out there that makes any technology of interest should pay attention—and the line I say jokingly is that if you’re not making anything that makes you a target, then you should probably pack it up and go home. The report focused on one specific group that targets the Fortune 500 companies we work with, but this threat is also real for smaller companies as well.

One of the most common espionage attack methods is low-sophistication spear phishing. How can we mitigate this exposure, beyond employee training?
The basic concept behind spear phishing is that the user receives a legitimate-looking email that asks them to do something that reveals data, such as opening a link. Preventing spear phishing comes down to preventing the user from opening any links or preventing that email in the first place. There are a lot of antispam solutions out there but I would argue that emails can and will get through those solutions, so we have to focus on making sure the user doesn’t compromise data security when it happens. One way is to make certain that all of the applications on a system are patched—not just things like Microsoft Windows but also Shockwave, Quicktime and Java. Another solution, which is extremely difficult for most companies, is to limit what users can install on the system, usually by reducing privileges, and thus reduce exposure to malware. Another option is to run application whitelisting on critical servers, so that attackers that gain access to an environment cannot execute malicious code on those servers. Finally, using an internal web proxy for users, and denying access to “uncategorized” web sites, is also effective against stopping malware.
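The last recommendation above, an internal web proxy that denies access to uncategorized sites, as an added illustration that is not part of the original interview or of any vendor's product: the category map, the allowlist and the proxy log lines are all constructed for this example, and a real deployment would take categories from the proxy vendor's feed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for a proxy vendor's category feed: domain suffix -> category.
CATEGORIES = {
    "example.com": "business",
    "windowsupdate.com": "software-updates",
    "cdn.example.net": "content-delivery",
}

# Constructed exceptions: uncategorized hosts that security has reviewed and approved.
ALLOWLIST = {"partner-portal.example.org"}


def lookup_category(host):
    """Return the category of a host by walking up its parent domains, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Full host first, then each shorter parent domain, never the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return None


def decide(url):
    """Return ('allow' | 'deny', reason) for one outbound request."""
    host = urlsplit(url).hostname
    if not host:
        return ("deny", "unparseable host")
    if host in ALLOWLIST:
        return ("allow", "allowlisted")
    category = lookup_category(host)
    # Newly registered domains and bare IP addresses carry no category, so the
    # default-deny rule blocks them; that is the point of the policy.
    if category is None:
        return ("deny", "uncategorized")
    return ("allow", category)


def evaluate_log(lines):
    """Apply the policy to log lines of the form '<ts> <client> <method> <url>'."""
    decisions = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url = parts[:4]
        action, reason = decide(url)
        decisions.append({"client": client, "url": url, "action": action, "reason": reason})
    return decisions


# Constructed sample proxy log lines (hypothetical hosts, RFC 5737 test address).
SAMPLE_LOG = [
    "1700000000.100 10.0.0.5 GET http://www.example.com/news",
    "1700000000.200 10.0.0.5 GET http://download.windowsupdate.com/update.cab",
    "1700000000.300 10.0.0.7 GET http://unknown-host-8841.test/file",
    "1700000000.400 10.0.0.7 GET http://partner-portal.example.org/",
    "1700000000.500 10.0.0.9 GET http://203.0.113.10/beacon",
]

if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_LOG):
        print(f"{d['action']:5} {d['client']:9} {d['url']} ({d['reason']})")
```

Running the block lists the two constructed requests the policy would block: the never-seen host and the bare IP address, both of which fall through the category lookup.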

What tactics would you recommend for guarding a highly valuable trade secret, such as 10 years of R&D for a pharmaceutical drug?
Because I’m in the security business my recommendations would be far more draconian than most people’s. I would take all the research and make certain it was housed in a certain part of the server environment with good controls and segmentation that would disallow anyone from touching the data outside of that environment. I would use software such as Citrix Solutions, which requires two-factor identification for anyone who wants to interact with the data and only exposes data that is authorized for use. The important thing is to put the sensitive information in one location that ensures extremely limited access. However, many firms balk at this sort of solution and I have only implemented it at smaller organizations because it can be very frustrating for users. I find that companies that have already suffered a breach are more amenable to implementing stricter measures. Companies that haven’t often say “we will add that to our road map” but likely won’t get around to it. Honestly, I think it’s just an awareness issue. Five years ago, no one in the mainstream recognized this problem. This is slowly changing but the more aware we are, the better we can protect ourselves from these threats and the more willing companies will be to adopt measures to do so.

In summary…
Many companies, brokers and insurers are focused on the privacy liability and class action lawsuits associated with cyber risk (which, granted, are major reasons for concern). What Mr. Heilman highlights here is often THE biggest liability for businesses that own and depend upon their intellectual property assets. Theft of this property can be catastrophic, and this cyber risk exposure may only increase with the use of outside business partner systems, or third party (cloud) infrastructure or apps. Moreover, studies such as Mandiant’s have shown that bad guys still revert to exploiting human error and tricking employees into helping them gain unauthorized access to private networks that might house IP. Comparatively low-tech attack methods like phishing can nevertheless pose a significant risk unless companies are properly educating their employees and anticipating this tactic.