What bankers can learn from public health
When we speak at conferences about protecting intellectual property and critical information – IPCI – there are two groups that we expect to have no interest in the subject. The first is people who work for PCAOB, who routinely tell us that since IPCI has no book value, there is no need to account for its loss, no matter what the SEC requires. While this will cause problems for corporations when shareholder lawsuits over improper disclosure of losses hit, even if they settle rather than going to court, we are not concerned here with them.
The second group is bankers who know that by the nature of their business they are simply not targets, and therefore do not need to take appropriate precautions to protect their IPCI. It is not as if they do not recognize that they have information that might be of potential value – such as their customer lists the sales records of their salespeople, or their marketing plans. The information contained in their customers’ records might be another example: After all, wouldn’t you like to know everyone to whom your competitor writes a check? It is merely that bankers know in their heart of hearts that nobody would go after such information.
This sort of denial is commonly seen in the world of dealing with public health issues. Sexually transmitted diseases, as an example, tend to spread because people believe that those with whom they are sleeping simply could not be infected. Public health statistics would beg to differ.
By the same token, the statistics on waste caused by unwillingness to deal with competitive intelligence, economic espionage, theft, and inappropriate disclosure are fairly compelling nationally: $300 billion lost annually, with the cost per incident being $50 million in manufacturing environments, and $500,000 in non-manufacturing environments, including banks. This translates to 7,500,000 American jobs lost each year.
Is the banking sector large enough to be a target? Well there are thirty commercial banks listed in the Fortune 500, and their combined revenues rounds to $635,472,000,000. Independent of our sure knowledge that banks are targets, the numbers should tell them that they must be very tempting targets indeed.
On the other hand, a strong case can be made that if your company takes a write-down of somewhere between $3 and 25 billion because of enthusiasm for unsecured mortgages (a good investment if you manage the portfolio, and, as we have seen, a bad investment if you don’t manage them), a $100 million loss doesn’t even hit the radar screen. So why would a senior manager care? Because while management might not care about $300 billion, or 7,500,000 jobs, shareholders do, and when shareholders care the SEC tends to be concerned. In addition, when customer data is the end target, rather than the bank as holder of the data, customers who are injured tend to get cranky and litigious.