Craig A. Newman and Daniel L. Stein are litigation partners with Richards Kibbe & Orbe, the New York-based law firm. Mr. Newman also serves as chief executive of the Freedom2Connection Foundation, a nonprofit group focused on promoting Internet freedom through the use of technology. Mr. Stein is a former federal prosecutor.
Recent news coverage of cybercrime reads like a modern spy novel, centered on antiestablishment hackers, sophisticated foreign espionage and threats of retaliation. While the intrigue continues, the endless news of cyberattacks has been greeted with not much more than a shrug by investors.
Underlying this is a little-known area of online theft aimed at stealing intellectual property. Prominent attacks of major banks, news organizations and technology giants garner headlines, but it’s the tech-driven start-ups and growth companies that are often far more vulnerable to an attack.
Hackers are aiming at these young, innovative companies with the goal of walking away with an entire business. Consider the innovative American companies that have revolutionized the way we live and work, like Google and Instagram. They were all built on a foundation of intellectual property rights: little more than a few great ideas, a unique business model and some computer code - all accessible with a few clicks of the mouse.
For start-ups, cybercrime is not an expensive annoyance, or part of geo-political gamesmanship, but a potentially devastating blow to their brand and their competitive position. A digital intrusion carries the risk that critically valuable intellectual property is compromised, leading to their next big idea showing up not on Wall Street, but on the streets of Shanghai.
In fact, a recent study by Kaspersky Lab, a technology security firm, revealed that a Chinese hacking ring infiltrated the servers of dozens of video gaming companies. One of them was Trion Worlds, a privately held company in the United States that develops and publishes video games and gaming platforms including Defiance, the game tied in to a new sci-fi television series. Trion hasn’t commented on the attack. The hackers reportedly stole valuable source code from the game developers and publishers, probably to sell pirated versions of its video games.
In the fast-moving, cash-devouring world of start-ups, investors can’t simply assume the executives running these private companies are spending on digital security. The venture capitalists, angel investors and others who invest in start-ups are certainly a savvy group and rightly focused on business plans and cash flow. But the truth is that some are behind the curve in demanding protections against cyber risks, and unwittingly adding significant risk to their own investments.
Public company investors have some protection, through government-required disclosures. In October 2011, the Securities and Exchange Commission issued guidelines reminding public companies to disclose to shareholders the costs and risks of cybercrime.
There have been only a handful of these disclosures so far, but the obligation to report cybercrime is clear. As public companies come to understand the material nature of cyber threats, public disclosures should begin to shed more light on how they are addressing the risk.
But the more alarming fact is that private companies - many of which are the incubators for the newest technology and intellectual property - are under no securities law obligation to report cyberattacks to their investors. And it’s these private companies that are often struggling and unable to spend more than the bare minimum to safeguard their intellectual property and to protect their critical infrastructure - making them the perfect target for hackers.
A cyber protection plan in place isn’t just good governance, it’s also good business. A 2012 study on the cost of cybercrime found that companies using good security governance practices saved more than $1 million a year, while those employing a high-level security leader saved an average of $1.8 million.
What’s clear is that cybercrime is a new dimension of risk that private equity and venture investors are only beginning to grasp. Professional investors - many of whom owe fiduciary duties to their own investors - have been too slow to recognize the threat. It’s time for them to start asking tough questions about cyber protection and governance.
Just some of the questions they should be asking include: Do management and the board have a well-considered cyber protection plan in place? Are the right personnel involved? Is there a sufficient budget for doing so? Does the company have cyber insurance? And, perhaps most important, what happens when the inevitable security breach occurs?
The excitement around a young, innovative company can create a false sense of security, tempting investors to assume that the risk of a cyberattack is under control. In fact, the assumption should be just the opposite. The hotter and more buzz-worthy a company becomes, the bigger the target on its back.
Given that a company’s entire worth can be walked out the virtual door in a matter of minutes, it’s hard to imagine a more critical issue for investors to tackle.
