Intangible Assets are Driving Cyber Risk
- Intangible assets are increasingly important in total company value.
- Intangible assets are in the crosshairs of cyberattacks.
This one-two punch is driving cybersecurity into a more critical role in protecting company value.
The rise of intangible asset value
Intangible assets are a larger part of company value than most leaders realize.
According to the most recent Intangible Asset Market Value Study by Ocean Tomo [1], intangible assets as a percentage of total S&P 500 value:
- Have been over half since 1995
- Have been 80% or more since 2005
- Are now 90%; only 10% of S&P 500 value comes from tangible assets
As shown in the graph, this trend has been building for nearly 50 years.
The curve is clear even to those who quibble with the exact numbers.
The market shift from an economy measured by things we see and touch to one where value is driven by intangibles has been called no less significant than the industrial revolution.
The market shift being seismic explains why the confluence with cybersecurity has gone unnoticed. We believe we are among the first, perhaps the first, to connect the dots.
This also explains the tendency to underestimate cybersecurity risk.
What evidence says the game has already changed?
Intangible assets have already changed the game. Evidence includes:
- Buyer’s remorse in Mergers and Acquisitions (M&A) – 65% of buyers report regrets after the deal due to cybersecurity concerns, as we have covered in previous posts
- Cybersecurity insurance premium increases and lower available coverage are stabilizing in 2023 but at historic highs and only after rate increases not seen since the attacks of 9/11 in 2001
- “Cyber is a growing factor in credit risk. The increasing attention of cyber risk in credit analysis is at a point of no return.” FS-ISAC [2]
- “Brand value is often the trigger point for insurers to walk away. Regardless of the maturity of an organization and its security controls, the potential brand damage is simply too big and insurers refuse to cover it.” [3]
- Cybersecurity is consistently ranked among the top 5 business risks regardless of geography, industry, or company size
- Higher cybersecurity requirements are appearing in customer contracts, with the US Department of Defense and other government agencies leading the way, often with flow down of clauses to subcontractors from primes
Which intangible assets are affected by cyberattack?
The Ocean Tomo study [1] says that Intellectual Property (IP) is a non-correlated asset, meaning other forms of intangible assets are driving this shift, so what are they?
We have been getting pieces of the puzzle for many years including:
- Business disruption [4,5,6]
- Revenue loss [4,5,6,7]
- Brand value [3,4]
- Reputational damage [4,5,6]
- Supplier relationships [8]
- Business partnerships [8]
- Legal engagements [6,8]
- Credit rating / cost of debt [2]
- Stock price [6,9]
- Employee layoffs [5]
- Mergers and acquisitions activity [10,11]
How often are intangible assets attacked?
Intangible assets of some kind are mentioned in every debrief of a significant cyber incident. It’s an obvious pattern in the evidence, whether we look through the lens of business or technology leaders.
A 2023 Deloitte survey [3], shown in this table, ranked the top 10 impacts reported by 1,100 C-suite respondents, along with the percentage reporting each impact. It shows that these effects are widely felt.
Cybereason did a survey [5] of 1,263 technology leaders with similar results:
- 66% Revenue loss
- 53% Brand impact
- 32% Lost top leaders by dismissal or resignation
- 25% Forced period of closure
- 29% Forced to eliminate jobs
Is this a global trend?
The increasing value of intangible assets is a global trend, though it is slightly less dramatic in geographies outside the United States. The Ocean Tomo report [1] says intangible assets as a percentage of total assets are currently:
- 75% of the S&P Europe 350
- 57% of the KOSDAQ Composite Index in Korea
- 44% of the Shanghai Shenzhen CSI 300 in China
- 32% of the Nikkei 225 in Japan
What are intangible assets?
An intangible asset isn’t physical but still has monetary value. Even though you may not be able to touch or see an asset, as long as it can be identified and separated from other assets, it can be sold.
Well-known examples are intellectual property, patents, copyrights, and trade names. Technology, including software and computer assets like data and databases (effectively anything other than hardware), is also considered an intangible asset.
Goodwill is a type of intangible asset which is recorded when a company acquires or merges with another company and pays above its fair value.
Other assets considered intangible include [12]:
- Customer relationships, in some cases even where there is no contract
- Order backlog
- Supply contracts
- Contracts to service financial assets
- Assets used in research and development
- Assembled workforce (employee agreements that permit an acquirer to continue to operate from day one)
- Use rights (rights to use certain resources)
- Insurance contracts
- Favorable (or unfavorable) contracts
This list of assets matches nearly exactly a list called “Why would they attack us?” in the Cyber-Risk Oversight Handbook published by the National Association of Corporate Directors (NACD) [11].
- Mindset shift – We said above the market shift from an economy measured by things we see and touch to one where value is driven by intangibles has been called no less significant than the industrial revolution. As business leaders make the mindset shift to harness the value the marketplace has already put on intangible assets, they will recognize the risks intrinsic to those assets. This, in turn, drives cybersecurity to the short list of priorities.
- Overcoming inertia – Highly capitalized industry verticals and companies that are older than the Internet are often most focused on tangible assets and have the most inertia. They are also often facing bigger digital technology debt as an obstacle between where they are and what the new game requires.
- Build momentum – If your organization already has business and technology mission alignment on cybersecurity, then sharing this information with stakeholders may help the medicine go down that much easier to encourage and sustain that focus.
How can SecuriThink help?
- We provide role-specific support as you sort out competing priorities and develop your strategic roadmap; we don’t want to build a ten-dollar fence around a five-dollar horse. C-suite executives, asset owners, and Fortune 500 Board of Directors engage readily with our business case for cybersecurity, of which this post is a small sample.
- Step Zero™ is a unique cybersecurity tool for business decision makers; it shifts the cyber readiness cost estimate left, making a data-driven Go/No-Go investment decision possible in days rather than weeks or months, saving significantly on sunk costs for a gap analysis.
- The single biggest point of failure is execution. SecuriThink practitioners know what done looks like. Let us make getting there easier for you.
About the authors
Mike Warner was for 12 years the Chief Information Security Officer (CISO) at Oshkosh Corporation, a Fortune 500 critical infrastructure enterprise with $8 billion in revenue and 15,000 team members at 150 global locations. Having started from greenfield, the security program matured under Mike’s leadership into a program that won multiple awards from the U.S. Department of Defense and was ranked in the top 10% worldwide.
Linda Rust met Mike in year 2 of the journey described above and spent the next 10 years as an external advisor to him, guiding effective execution, facilitating the strategic roadmap, and providing support for the Board of Directors and C-suite asset owners.
1. Ocean Tomo. Intangible Asset Market Value Study. 2020. https://www.oceantomo.com/intangible-asset-market-value-study/
2. Financial Services Information Sharing and Analysis Center (FS-ISAC). Insight. 2020. https://www.fsisac.com/insights/there-is-a-c-in-esg
3. Panaseer. 2022 Cyber Insurance Market Trends Report. https://panaseer.com/wp-content/uploads/2022/07/2022-Cyber-Insurance-Market-Trends-Report.pdf
4. Deloitte. 2023 Global Future of Cyber Survey. https://www.deloitte.com/content/dam/assets-shared/legacy/docs/gx-deloitte_future_of_cyber_2023.pdf
5. Cybereason. Ransomware: The true cost to business. June 2021. https://www.cybereason.com/hubfs/dam/collateral/ebooks/Cybereason_Ransomware_Research_2021.pdf
6. Luis A. Aguilar, US Securities and Exchange Commissioner. Speech to the “Cyber Risks and the Boardroom” Conference, New York Stock Exchange, New York, NY, June 10, 2014. https://www.sec.gov/news/speech/2014-spch061014laa
7. IBM. Cost of a Data Breach 2021 report. https://newsroom.ibm.com/2021-07-28-IBM-Report-Cost-of-a-Data-Breach-Hits-Record-High-During-Pandemic
8. Cisco. 2020 CISO Benchmark Report. https://www.cisco.com/c/en/us/products/security/ciso-benchmark-report-2020.html
9. Comparitech. How data breaches affect stock market share prices. 2021. https://www.comparitech.com/blog/information-security/data-breach-share-price-analysis/
10. National Association of Corporate Directors (NACD), World Economic Forum (WEF), Internet Security Alliance (ISA) in collaboration with PwC. Principles for Board Governance of Cyber Risk. 2021. https://www.nacdonline.org/insights/publications.cfm?ItemNumber=71795
11. National Association of Corporate Directors (NACD). Cyber-Risk Oversight. Director’s Handbook Series. 2017. https://www.nacdonline.org/files/FileDownloads/NACD%20Cyber-Risk%20Oversight%20Handbook%202017.pdf
12. PwC. Types of identifiable intangible assets. https://viewpoint.pwc.com/dt/us/en/pwc/accounting_guides/business_combination/business_combination__28_US/chapter_4_intangible_US/43_types_of_identifi_US.html