Disclosing trade secrets increases risk of cyberattack, study finds
U.S. firms that disclosed the existence of trade secrets have a significantly higher probability of becoming targets of hackers, according to a new study led by a University of Kansas accounting professor.
"When companies disclose sensitive information, there usually is a tradeoff," said Michael Ettredge, the Crown-Sherr Distinguished Professor of Business. "More disclosure pleases investors, but also helps competitors, or in our context, helps cyberattackers. We think managers need to weigh the benefits against the costs of disclosure."
Ettredge was the lead author of a forthcoming study accepted by the Journal of Accounting and Public Policy. His co-authors are KU alumnus Feng Guo, assistant professor of business at Iowa State University, and Yijun Li, a KU doctoral student in accounting. The researchers will also present their findings during the American Accounting Association annual meeting, which is Aug. 3-8 at National Harbor, Maryland.
U.S. companies face cyberattacks that continue to grow in frequency and severity, according to the Federal Bureau of Investigation and a 2015 study from the Ponemon Institute. The 2013 Target cyberbreach affected more than 41 million of the company's customer payment card accounts, and the 2017 Equifax breach potentially compromised information of 147.9 million consumers.
But little previous research has studied potential explanations for breaches, and no earlier study had focused specifically on breaches that likely targeted trade secrets.
The researchers examined cyberbreaches identified from public sources between 2007 and 2015. The total sample covered 39,992 firm-year observations and 7,462 individual firms. There were 591 reported breach incidents, disclosed by 318 unique attacked firms. They found that occurrences of cyberbreaches are positively associated with U.S. firms' disclosures of the existence of trade secrets—without divulging specifics of the actual secrets—in Form 10-K filings with the U.S. Securities and Exchange Commission.
On average, they found the disclosure of the existence of trade secrets increased the probability of a breach by more than 30 percent.
The findings also indicate that younger firms, firms with fewer employees and firms operating in less-concentrated industries are more vulnerable to breaches.
"Younger companies often are formed to develop novel technology. We speculate that managers of younger companies focus more on growth and survival, whereas managers of mature firms have more resources and time to devote to protection against cyberattacks," Ettredge said. "We think our results suggest that managers of younger firms, those having fewer employees and those operating in less concentrated industries should be more careful with respect to their disclosure policies."
Managers might disclose the existence of trade secrets to persuade investors that their companies have novel products and competitive advantages. They likely expect that doing so will boost their stock market prices. There is no SEC rule that requires companies to disclose whether they have trade secrets, and the researchers don't believe they should be required to do so, Ettredge said, but their findings do give companies the ability to make a more informed decision on how to handle the disclosures.
"Our study results suggest that merely mentioning trade secrets can attract hackers' attention," Ettredge said. "Managers of companies should be allowed to assess the benefits and costs of trade secret disclosure. Both voluntary and mandatory disclosures can have unintended and undesirable results, as well as beneficial results."
The study's authors plan to investigate whether their results generalize to other types of voluntary and mandatory disclosures.