Sarbanes-Oxley and OPSEC
As regular readers of this journal are aware, loss of critical information from economic espionage and competitive intelligence are estimated to cost American companies about $300 billion a year.
In the past, companies that discovered their victimization – many never discovered that they had been ripped-off, attributing losses and even bankruptcies to other causes – tried to hide these incidents. (We ourselves are contractually forbidden to even mention our clients’ names). And, in fact, the traditional approach used to be to simply write off these losses as undifferentiated operating expenses, thus making them neatly disappear. This saved a great deal of embarrassment.
And then came Sarbanes-Oxley….
Under Sarbanes-Oxley (SOX) material changes must be reported and discussed, including those resulting from competitive intelligence and economic espionage. This means that those responsible for company
governance – senior managers and their boards of directors – now have the same negligent-action liability that they have had in other areas. And with $300 billion in losses, and an average cost of $50 million in manufacturing environments and half a million dollars in non-manufacturing environments, we are talking between 6,000 and 600,000 incidents a year, indicating a high probability of hitherto-unreported victimization.
Most companies don’t think of anti-espionage as a business activity. This should not come as a big surprise: Their MBAs are not taught about the problem. Their consulting firms have no expertise in it.
It follows that they also don’t think about losses from competitive intelligence and economic espionage as being covered by Sarbanes-Oxley. But, according to the letter of clarification we recently received from the SEC, they are covered by Sarbanes-Oxley!
The second part of the story is, of course, since there is an obligation to report and discuss these losses, there is, therefore, a reasonable expectation that, because of the high dollar volume and the large number of incidents, a firm’s governors knew – or should have known – that there was a very real, very addressable, problem. And that shareholders are likely to feel, through counsel, that this problem should have been addressed before the fact, rather than after. Thus, companies now have a set of obligations and liabilities that should lead them to want to prevent these incidents.
Prevention will save the company from direct financial loss, and the company’s governors both the embarrassment of public disclosure as well as the potential for resulting shareholder lawsuits. The proven way to reduce exposure is through the implementation of an OPSEC program. Who should take responsibility for this? Because of explicit governance liability under Sarbanes-Oxley, OPSEC needs to authorized and overseen by a senior executive with detailed knowledge of the company’s business functions. It is generally handled through a finance/operations team reporting to the CFO or COO, or to the Corporate Counsel.
Since LUBRINCO is the leading private sector provider of consulting in OPSEC, the identification and protection of critical information, we suggest that if your company does not yet have an OPSEC program, now is the time to call us.