Sarbanes-Oxley and shareholder lawsuits
The cost to American companies of victimization by competitive intelligence and economic espionage is high, estimated at $300 billion a year, with the average incident costing $50 million in a manufacturing environment and $500,000 in a non-manufacturing environment.
Nonetheless, companies did not, historically, like to admit these losses. It was, at best, embarrassing, and, at worst, a disaster that was difficult to explain. Even after the passage of the Economic Espionage Act of 1996 (18 U.S.C. §§1831-1839), few companies came forward. Besides the embarrassment, once you turned the problem over to the Feds you lost control of the process. For most, it was easier to simply write off the losses as undifferentiated operating expenses.
Sarbanes-Oxley changed that in two ways. The first was the requirement to disclose material changes. This is a tricky issue. One manufacturer noted that his company had $35 billion in revenues. If a division lost $50 million – even if the loss closed the division – that was scarcely a material change in his opinion.
However, the second way, which clearly undercuts this view, lies in the SEC’s statement that, “the Sarbanes-Oxley Act of 2002 and the Commission’s rules promulgated under the Act seek to strengthen pre-existing standards for internal controls, thereby potentially improving the ability of companies to track the costs and impact of economic espionage and theft of intellectual property.” This indicates a requirement for internal controls dealing with competitive intelligence and economic espionage.
This may sound fairly unambiguous (unless you interpret “existing standards” to mean that if you don’t have pre-existing standards for internal controls – or internal controls, for that matter – you are exempt), but we assure you that virtually no American company – indeed, virtually no company anywhere – has pre- or post-existing significant internal controls to prevent these losses. Even companies that fund their own competitive intelligence groups – estimated at 75 percent of major corporations – have nobody charged with identifying and protecting the information that would give competitors an advantage. You have information security teams protecting your networks, but unless you are an exception, you most probably have no system for deciding which information is competitively sensitive and protecting it. You most likely have no OPSEC program in place!
This puts companies in a bind if they discover they have these losses. If you report the losses, you face more than the embarrassment you faced previously. Now one of the questions that will be asked is about your internal controls: Do you have an OPSEC program? When the answer is no you face three unfortunate possibilities.
• You will have to deal with the consequences of being in non-compliance with Sarbanes-Oxley because you did not have the appropriate internal controls.
• If you end up in an economic espionage lawsuit, it is likely that a case will be made that by not having an OPSEC program you did not take reasonable measures to protect the information, as required by Sarbanes-Oxley and the Economic Espionage Act of 1996.
• You face a shareholder suit because you knew, or should have known, that with annual losses of $300 billion there was a risk that should have been addressed. PLUS you were non-compliant with Sarbanes-Oxley and the Economic Espionage Act of 1996, which were at least partly designed to force you to protect the shareholders from just this type of loss.
Since an OPSEC program is one of the few SOX compliance measures that will increase the bottom line more than it will cost, we are surprised that so many companies appear to be waiting for their management committees to be sued before taking action.