Intellectual property (IP) is a prime target for theft because it is so valuable and can often be stolen digitally from anywhere in the world. Nearly three-quarters of companies said guarding against IP theft is a priority, while 43% said it is a "high priority", according to the 2019/2020 Global Fraud and Risk Report by Kroll.
“It’s a significant portion of modern companies’ assets. Knowing whom you are doing business with and following systems and internal controls is critical,” said Chris Bakewell, managing director and global head of Intellectual Property Advisory Services at Duff & Phelps in Houston.
Developing IP is a significant financial investment, and protecting it is an important part of an organisation’s risk management strategy. Finance departments need to monitor and respond to IP theft to prevent financial losses and the reputational damage that may come from consumers purchasing counterfeit products.
Here are five red flags that there could be IP theft in your supply chain:
Supplier’s inability to respond to security questionnaires
A large portion of IP theft in the supply chain is enabled through third parties. One red flag is a supplier's inability to respond to, or to provide satisfactory responses on, a questionnaire about the supplier's security practices, said Sharon Chand, principal at Deloitte Risk & Financial Advisory in Chicago.
Many sectors and organisations now use policies and questionnaires to determine how a supplier might protect IP such as patents, product designs, and trade secrets. For example, the US Department of Defense released the Cybersecurity Maturity Model Certification (CMMC) in early 2020, which implemented a unified standard for how all 300,000 companies in the defence industry supply chain should address cybersecurity and private information. North American Electric Reliability Corporation (NERC) also has guidance for supply chain risk management plans that address cybersecurity and intellectual property. The AICPA has also developed a Cybersecurity Framework to help organisations mitigate risk.
While suppliers may offer their own assurances, the waters can get murky when dealing with their own vendors. Second-tier providers should also ensure that data is being protected and shared securely and that there are robust access protocols between the companies. "It can get into nitty-gritty details, but the inability to provide clear assurance that, as a supplier, they are protecting the [IP] you provide is a real red flag,” Chand said.
Threat alerts and malicious code
Many companies now rely on internal and outsourced threat intelligence programmes to help identify when potential triggers are rising above a threshold or when something needs to be investigated, Chand said. Keeping an eye on industry sources, the dark web, and public threat intelligence services can help spot red flags that a supplier may be vulnerable.
“You might see information that an attack group is targeting a particular kind of asset, indicating it’s time to step up your monitoring controls and see what might be going on,” Chand said.
As manufacturers and tech companies now outsource components through third parties, they must also be on the lookout for malicious code, said Steven Snyder, board certified specialist in privacy and information security law at the law firm of Bradley Arant Boult Cummings LLP in Birmingham, Alabama. A large portion of IP theft is enabled by malware infiltration.
In one case in 2018, the FBI alleged that a Chinese hacking group called Advanced Persistent Threat 10 (APT 10) attacked the computers of managed service providers (MSPs) with malware to steal information from more than 45 government agencies and tech companies. "Third parties can potentially introduce malware into code that a company is using and allow them access to some IP," Snyder said.
Abnormal employee behaviours and user privileges
Employees, contractors, and third parties are responsible for 54% of all IP data theft experienced by organisations, according to the Kroll report on global fraud and risk. Employees also account for the majority of all internal fraud and leaks of internal information. In one example, an engineer at GE downloaded thousands of files from the company system containing trade secrets then used them to incorporate his own company in Canada, according to the FBI.
Organisations must be careful in defining acceptable activities and ensure they are adhered to by parties with access to IP and sensitive information, Chand said.
For example, while a user may typically exchange a gigabyte of data in and out per day, it could be a red flag for IP theft if they are suddenly exchanging 15 GB of data on a particular day. “If you see that and they’re visiting sites you are not familiar with, it’s a red flag that should immediately trigger an investigation,” Chand said.
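One way to encode the baseline-versus-spike check Chand describes as detection logic, written as an added example that is not part of the article: the flat log format, the allow-list of familiar hosts, the sample log lines and the 5x threshold are all assumptions chosen here for illustration.

```python
from collections import defaultdict

GB = 10**9
# Assumed allow-list of destinations this organisation's users normally exchange data with.
KNOWN_HOSTS = {"files.example.com", "mail.example.com"}
# Constructed egress log lines, not from the article: "YYYY-MM-DD user host bytes_sent".
# alice moves about 1 GB/day, then 15 GB to an unfamiliar host on 2024-03-05.
SAMPLE_LOG = """\
2024-03-01 alice files.example.com 700000000
2024-03-01 alice mail.example.com 300000000
2024-03-02 alice files.example.com 900000000
2024-03-03 alice files.example.com 1100000000
2024-03-04 alice files.example.com 800000000
2024-03-05 alice transfer.unknown-host.test 15000000000
2024-03-04 bob files.example.com 2000000000
2024-03-05 bob files.example.com 2100000000
"""

def parse_log(text):
    """Return a list of (day, user, host, bytes) tuples from the flat log format."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            day, user, host, nbytes = line.split()
            rows.append((day, user, host, int(nbytes)))
    return rows

def find_red_flags(rows, ratio=5.0, known_hosts=KNOWN_HOSTS):
    """Flag any (user, day) whose egress is at least `ratio` times the user's
    median daily volume on earlier days, and list unfamiliar destinations that day."""
    totals = defaultdict(int)          # (user, day) -> bytes sent
    hosts = defaultdict(set)           # (user, day) -> destinations contacted
    for day, user, host, nbytes in rows:
        totals[(user, day)] += nbytes
        hosts[(user, day)].add(host)
    flags = []
    for user in sorted({u for u, _ in totals}):
        days = sorted(d for u, d in totals if u == user)
        for i, day in enumerate(days):
            prior = sorted(totals[(user, d)] for d in days[:i])
            if not prior:                      # no baseline yet on the first day seen
                continue
            baseline = prior[len(prior) // 2]  # median resists one earlier outlier
            today = totals[(user, day)]
            if today >= ratio * baseline:
                flags.append({"user": user, "day": day,
                              "gb": round(today / GB, 1),
                              "baseline_gb": round(baseline / GB, 1),
                              "unfamiliar_hosts": sorted(hosts[(user, day)] - known_hosts)})
    return flags
```

The per-user median baseline means a single earlier busy day does not mask a later spike, and the unfamiliar-host list gives the investigator the second signal Chand mentions alongside the volume jump.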
One best practice is to isolate access to only the information the individual needs. Organisations should also retain the ability to turn on and off access during service periods quickly, Chand says.
Well-run security programmes will have mechanisms to expedite oversight over individuals in certain circumstances, Snyder said. Employers should pay especially close attention to employees who are unhappy or potentially leaving the company. “It could be a big concern where someone downloads all the plans to a personal drive and then shops them around,” Snyder said. “You may be able to limit their ability to send certain files or to their personal email.”
Many organisations fail to update and strengthen their controls as they grow. They often establish relationships with suppliers and third parties but then drop the ball on compliance after performing initial due diligence, Chand says. Without a periodic review of controls, organisations may not be aware that their once-secure vendor’s practices have fallen by the wayside. "The focus upfront on setting up the control environment is critical, but just as important is the ongoing monitoring and operations of those controls,” Chand said.
While most organisations conduct appropriate due diligence at onboarding, the growth in mergers and acquisitions in recent years means many companies may have changed hands. That can reduce the transparency of business relationships in the supply chain, especially when it comes to security practices, Bakewell says. "Knowing whom you are doing business with and their ownership is critical. Asking questions of your suppliers as to where they are receiving goods and what their relationships are to their suppliers is a legitimate business practice," Bakewell said.
Lack of jurisdiction in foreign countries
A lack of clear jurisdiction over IP can be a problem, especially with suppliers in China. In 2019, one in five North American companies on the CNBC Global CFO Council had experienced IP theft by a Chinese company in the past year, while nearly a third had experienced such theft in the past decade, according to the council's survey.
Organisations working with contract manufacturers should share only the IP relevant to the job at hand, Snyder says. One way to mitigate the risk is to have foreign entities manufacture 90% of the product, then have a different entity in the home country finish the critical part that makes the product useful.
“Don’t give them all the keys to the kingdom. If they want you to turn over more information than they need to do the job, that could be a red flag,” Snyder said.
The CIMA fraud and financial crime hub offers more resources for management accountants, as well as a toolkit to fight financial crime.
— Craig Guillot is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.