Board Matters Quarterly, June 2014
Cybersecurity and IP theft in China
Protecting your corporate assets
China’s rapid transformation from an agrarian society into an industrialized, high-tech economy created a fertile environment for hackers seeking to steal IP and other types of sensitive corporate data.
Many corporations were so focused on growth that they failed to develop adequate controls and safeguards to protect corporate assets and IP against cyber attacks. More companies are putting those controls in place, however, as China’s economy matures.
The benefits of doing business in China continue to outweigh the risks. However, the corporate boards of companies seeking to expand in China need to take the lead in setting the right tone for vigilance and protection throughout the organization.
China’s leaders are also taking ongoing steps to confront cybersecurity and IP theft. As China’s economy evolves from a low-cost center for manufacturing into a more diversified knowledge economy, the country’s leaders realize that innovation and economic growth can only be sustained by a legal and enforcement system that protects and respects IP rights.
Under President Xi Jinping’s leadership, China has made addressing cybersecurity issues a top priority, with Xi personally heading a new government body devoted to the issue: the Central Internet Security and Informatization Leading Group.
This change won’t happen overnight. Cybersecurity, illegal IT and IP theft will continue to be an issue, and all multinational organizations seeking to expand operations in China will need to pay close attention in the years ahead.
Cyber threats in China
With more than 600 million internet users and growing, China offers significant opportunities for hackers. Cybersecurity breaches continue to increase, with some 438 million of those users claiming to have experienced security incidents within the last six months. Another 20 million e-commerce users reported security fraud.
China’s banks and financial institutions are also frequent targets of hacking and other cyber attacks.
The ongoing threat posed by cyber attacks in China means that many corporate boards need to prioritize cybersecurity as a key risk that should be assessed regularly.
In addition to a global security management framework, companies also need to adapt to and address local risks, which include the legal system, cultural differences, level of security awareness and technology differences.
Any board with significant operations in China needs to routinely ask its in-country leadership team whether the local management teams are demonstrating awareness of and attention to security. The board should also insist on education efforts that raise awareness about the risks of cyber attacks.
IP theft and illegal IT: how should companies respond to these threats?
The need to protect IP rights is also gaining greater attention among Chinese companies. Police raids on shops that sell counterfeit software, electronic equipment and media and entertainment content are now commonplace in many Chinese cities.
Chinese authorities are making efforts to curtail IP theft and enforce IP protection laws. “The infrastructure is improving — the laws, rules and regulations are in place, but enforcement is still spotty as it works its way through the country,” says Edward Chang, Advisory Partner for EY Greater China. Corporate boards should also be concerned about the use of illegal IT on a number of levels, especially within their own companies.
Audit committee members and corporate boards should encourage their China operations to educate employees on the potential risks of using illegal IT. Unlicensed software also increases the organization’s exposure to cyber attacks because such software could include malware, and users would not receive software updates or patches.
The risks from cyber attacks and IP theft may decrease as China’s knowledge economy develops and more companies adopt accepted best practices for corporate governance. Until then, board members need to insist that their company — if it hasn’t already — develop global policies to address IP theft and cybersecurity and vigorously enforce those procedures.
Questions for the board to consider
- How often does the audit committee review cyber threats and potential IP theft? How long would it take for news of a serious breach to reach a C-level executive?
- Does the company have adequate global safeguards and protections, and is it ready to hold the local corporate leadership accountable for enforcing those measures?
- Just how much risk is the board willing to accept in its China operations?
- Does anyone on the audit committee or board have hands-on experience in China, such as running a business unit in the country or Asia?