Why the Privacy Crisis is Just the Tip of the Knowledge Asset Crisis

Source: Grant Thornton LLP 2014 Corporate General Counsel Survey, conducted by American Lawyer Media

1.  Privacy is a much bigger deal now than Scott McNealy ever thought it would be.

Privacy literally went from the basement to the boardroom over the last few years, and is now reportedly the top regulatory concern for general counsels (and boards).  Even more importantly, regulatory and compliance issues do not even rise to the top of the privacy and cybersecurity worries, with customer privacy, “unknown and unidentified risks” and “undetected breaches” among the top concerns:

[Chart: top cybersecurity concerns, Corporate General Counsel Survey]

Source: Grant Thornton LLP 2014 Corporate General Counsel Survey, conducted by American Lawyer Media

2.  But privacy will soon be the least of your information risk management worries.

In this post, you will come to see why the apparent privacy crisis is really just the tip of the information risk iceberg. The elevation of privacy concerns parallels and draws on a bigger and longer-term trend: the ever-increasing valuation of databases, trade secrets and IP.  We call those knowledge assets.

As you may know, intangible assets generally represent about 3/4 of corporate market value, and knowledge assets generally represent about 2/3 of the value of intangible assets now.   Another way to look at that is you have the first quarter of organizational value that is tangible assets, then the intangibles that are brand and employee competencies make up a third of the rest, and that leaves knowledge assets as about 1/2 of the value of all corporate assets:

[Chart: knowledge assets]

For many organizations, knowledge assets are already a bigger overall business issue than privacy and cybersecurity are a risk issue.  Knowledge assets as a percentage of market value have always varied substantially by industry:

| Industry | Knowledge Assets ($ Billions) | Market Value ($ Billions) | Knowledge Assets as a Share of Market Value |
|---|---|---|---|
| Energy | $773 | $2,027 | 38.12% |
| Software & Services | $749 | $1,408 | 53.24% |
| Insurance & Other Finance | $745 | $1,914 | 38.93% |
| Capital Goods | $632 | $1,313 | 48.18% |
| Pharmaceuticals, Biotech, Life Sci. | $532 | $1,019 | 52.17% |
| Technology: Hardware, Equipment | $495 | $1,053 | 47.00% |
| Food, Beverage & Tobacco | $443 | $764 | 57.94% |
| Media | $378 | $504 | 75.07% |
| Materials | $349 | $737 | 47.42% |
| Healthcare Equipment & Services | $348 | $650 | 53.60% |
| Telecommunication Services | $292 | $406 | 71.92% |
| Retailing | $267 | $610 | 43.69% |
| Diversified Financials | $212 | $1,074 | 19.77% |
| Semiconductors & Equipment | $191 | $440 | 43.41% |
| Household & Personal Products | $182 | $300 | 60.82% |
| Consumer Services | $170 | $339 | 50.34% |
| Food & Staples Retailing | $161 | $383 | 41.97% |
| Transportation | $142 | $293 | 48.53% |
| Real Estate | $139 | $462 | 30.10% |
| Banks | $133 | $554 | 23.98% |
| Automobiles & Components | $133 | $213 | 62.26% |
| Consumer Durables & Apparels | $104 | $225 | 46.33% |
| Commercial & Professional Services | $91 | $162 | 56.15% |
| Utilities | $4 | $510 | 0.77% |
| TOTAL | $7,665 | $17,360 | 44.16% |

Source:  Kevin A. Hassett and Robert J. Shapiro, “What Ideas Are Worth: The Value of Intellectual Capital and Intangible Assets in the American Economy,” Sonecon, September, 2011.  Based on 2009 industry data from the Bureau of Economic Analysis.  These numbers are of course dynamic; with smart grid, for example, utilities are rocketing upward in percentage of knowledge assets.

The arc of information security has been tracking the increasing focus on knowledge assets.  Gone are the days when organizations could treat data security as principally a compliance issue with a privacy regulatory structure such as HIPAA, GLBA, or EU data protection, or regard its principal focus as preventing the disclosure of personal information. Now cybersecurity is driven principally by global cyberthreats, commercial espionage and the lack of a secure internet, and focused on knowledge assets as well as sensitive (e.g., personal) information.  Moreover, because all systems are now vulnerable and most systems are infected, the focus must be on resilience and adaptability, detection and response, in addition to the former focus on protection.  With the bad actors and agents now on the inside, cybersecurity is much more a subtle risk management challenge than a compliance challenge: an area of limited control, and therefore more suitable than ever for risk transfer through insurance.

3.   [Marylin grabs the Massey prenup and tears it] “Darling, you’re exposed!”

Now here is the kicker:  Just as your organization begins to recognize the value and vulnerability of its knowledge assets and tries to protect them, your insurer — probably drawing on an exclusion the Insurance Services Office issued in 2013 — is in the process of excluding or narrowing all of your coverage of knowledge assets under your comprehensive general liability insurance policy.  To make up for that exclusion, they offer you a cyber-risk policy that only covers breaches of personal information, not theft or loss of knowledge assets.  Generously, in the chart below, personally-identifiable information (PII) is counted as 10% of corporate market value; that still leaves the vast majority of intangible assets uncovered.

[Chart: insurance crisis]

This, friends, is the big bottom of the ‘berg, the big uncovered area of knowledge asset protection that you can now only address through suing your insurer before your policy gets the new exclusion (and it is a good time for that), your own work in information governance and knowledge asset protection (our stock in trade), and manuscripted coverage that will become more standard as demand builds.   In upcoming posts, we will share many ideas and lessons learned.  But wait, is he going to end for now with one of those stock iceberg images that so dominate big data posts even now, as big data floats, becalmed, in the Trough of Disillusionment of the Hype Cycle?   No, it’s, it’s…..

[Illustration: Moby Dick, p. 510]