
Expanding Disclosure Policy To Drive Better Cybersecurity

Companies should disclose instances of cyber-enabled intellectual property theft. Disclosure requirements would give companies greater incentives to protect their intellectual property and allow investors to make better-informed decisions.

Mark Begor, left, CEO of Equifax, and Arne Sorenson, CEO of Marriott International, are sworn in during a Senate Homeland Security and Governmental Affairs Committee hearing on data breaches on 7 March 2019.
Credit: Mark Wilson/Getty Images.

Threats to national and economic security emanating from cyberspace are all too real, but public disclosure of incidents of the theft of intellectual property is exceedingly rare. Former National Security Agency Director and the first Commander of Cyber Command Keith Alexander has labeled China’s theft of US intellectual property through cyber means “the greatest transfer of wealth in history.” Few experts in the field dispute that conclusion. In November 2015, National Counterintelligence Executive William Evanina estimated that cyber-enabled economic espionage cost the US economy $400 billion per year, with 90% of the theft originating in China.

Yet, given that few companies have ever disclosed their losses from cyber-enabled intellectual property theft, the public is left with a seeming paradox: Government officials cite the prospect of devastating consequences from intellectual property and trade secret theft, but there are few public examples of companies that have been the victims of such actions. Why companies want to keep these incidents from the public is unclear. The rationale for disclosure, however, is strong. Rapid disclosure can inform defensive actions at other companies, allow the discovery of larger campaigns, and, because companies fear public backlash and market losses, lead to increased investment in security. The ability of companies to withhold this information reduces their incentive to make adequate investments to protect their intellectual property. With greater disclosure of incidents should come higher levels of investment to prevent those incidents from occurring in the first place.

The Securities and Exchange Commission (SEC), the president, and Congress should all move swiftly to bring the true state of cybersecurity in the United States out into the light. The SEC should require disclosures of intellectual property thefts, allowing markets to determine their impact and incentivizing better security. For his part, the president should expand current policies on notifying victims to include sharing such incidents with the SEC and monitoring for public disclosure by the company.
