Main risks concerning the IT-company assets protection


12 vulnerable spots regarding protection of the IT-company assets

Like any other business in Russia, an IT business faces many internal and external risks that can substantially affect the company’s situation.

The most unpleasant and dangerous risks relate to the loss of assets, operational management, takeover of corporate control, and inspecting authorities (for example, tax authorities).

A hallmark of the IT business is the desire to identify and predict such risks and their possible negative consequences in due time, and to know the methods for controlling them.

Anyway, the main risks of IT-companies result from the relationship with:

a) persons creating intangibles – employees and freelancers,

b) partners/owners of the business – the company’s members and supervisors,

c) counteragents – clients.

Let’s talk about the most vulnerable spots (risks) in the above-mentioned relations and determine the main tools to reduce them to a minimum.

1. Vulnerable spots when creating intangibles. 

IT-companies differ from other businesses, first of all, by an intellectual component - the results of intellectual activity. The results of intellectual activity are objects of copyright – design elements, text, graphics, illustrations, video, computer programs, databases, music, sounds, etc. 

The results of intellectual activity can be produced both by employees and freelancers, for example, under a custom work contract or a contract to render services/perform works. 

In both cases the company can face the following vulnerabilities:

1.  violation of non-property exclusive rights of third persons producing the results of intellectual activity (authors/right holders), resulting in possible monetary loss through civil liability (compensation from RUB 10,000 to RUB 5,000,000) or administrative liability.

2.  the company does not have an exclusive right to the results of intellectual activity, or fails to prove it in relations with third persons (clients, for example).

3.  use of the results of intellectual activity by employees/freelancers for their own benefit, for running a competing business.

The following measures can be taken to reduce such risks:  

  • to prepare the necessary documents governing the relationship with employees and freelancers: employment contracts or civil law contracts, job descriptions, orders on production of the results of intellectual activity, assignments for production of the results of intellectual activity, and acceptance certificates for the results of intellectual activity and the exclusive rights to them.
  • to include in employment contracts and job descriptions provisions stating that the employee’s obligations involve production of the results of intellectual activity and that the employer company holds the exclusive rights to them.
  • to include in civil law contracts with freelancers provisions on warranties and assurances of non-violation of third persons’ rights and on transfer of the exclusive right to the customer in full.
  • to include non-competition clauses, covering both the period of collaboration with the company and a certain term after the collaboration ends, in the documents governing the relationship with employees and freelancers.
  • if possible, to retain the property rights (the exclusive right) to the results of intellectual activity produced at clients’ request and give the client a license. Granting a non-exclusive license to the client is preferable and gives the company the opportunity to produce derivatives of the results of intellectual activity.

These recommendations should be followed not only in the documents governing the relationship with employees who are directly involved in producing the results of intellectual activity (for example, programmers, game designers, character designers) but also with those who take an indirect part in producing them or their separate elements (for example, concept artists, art producers).

2. Vulnerable spots concerning confidential information and personal data

Keeping commercial information confidential and processing personal data properly still remain relevant and topical issues for business, including IT business.

Increased liability for violating the law on personal data processing (see Federal Law No. 13-FZ of February 7, 2017 “On introducing amendments to the Administrative Offenses Code of the Russian Federation”) is another reason for an internal audit and an assessment of whether the necessary internal local acts are in place.

Here the following vulnerable spots can be determined:

1.  disclosure by employees of information that is commercially valuable (confidential information) to the company and third persons, resulting in negative consequences such as loss of clients, projects, time, money and reputation.

2.  processing of personal data in violation of the rights of the personal data subjects (employees), with possible administrative liability.

We can offer the following main tools to reduce these risks to a minimum:

  • to include terms on non-disclosure of the employer’s/customer’s confidential information in employment and/or civil law contracts with persons engaged to perform obligations under the contract;
  • to develop and adopt internal rules governing work with confidential information, with the purpose of ensuring its safety, increasing the level of its protection and reducing the consequences of possible unauthorized access to it;
  • to prepare, and ask employees to give, written consent to the processing of their personal data, indicating the content of the data, the purposes and methods of processing, the methods of storage and protection, and the possibility of disclosure to third persons;
  • to develop and adopt a provision on personal data processing with the purpose of ensuring the safe processing of the personal data of the Company’s employees and its counteragents, and establishing the responsibility of authorized persons with access to personal data for failure to follow the requirements of the provisions governing personal data processing and protection.

Apart from developing and adopting internal local acts, it is necessary to identify the persons who have access to confidential information and are responsible for the safety of confidential information and the proper processing of personal data, and to take care of software and technical means of protection.

3. Vulnerable spots when working with partners

Most corporate risks result from dishonest behavior by the company’s members and/or its leader. A corporate conflict can lead to an illegal takeover of management aimed at obtaining the company’s most valuable assets, business reputation, etc. Unregulated relations between the company’s members can lead to imperative interference by the government through the application of general rules of conduct, and to abuse of rights by the members themselves, the company’s leader and third persons (creditors, investors, etc.).

There are the following possible vulnerable spots in the corporate relationship:

1.  abuse of corporate rights by some members (for example, through corporate blackmail, blocking of deals, avoiding taking part in meetings, etc.);

2.  an uncontrollable and “bad” director (for example, withdrawal of assets, distortion of financial statements, disclosure of confidential information, etc.);

3.  the actions of a supervisor who blocks the decisions of minority shareholders and takes decisions unfavorable to the company and to other participants;

4.  a conflict of interests between the Company’s members/partners;

5.  legal and illegal (for example, by force) takeovers of management and withdrawal/control of the most valuable assets. 

A member or a group of members can gain actual control over the management of the company, including through direct/indirect financing of the company by this person, alienation of a share, part of a share and/or the company’s property to him, transfer of a share and/or the company’s property to this person as collateral or for another reason, inheritance, or acquisition and exercise of option rights.

This can contribute to dilution of shares in the company or to the establishment of a supervisor or a group of supervisors.

The latter carries the risk that third persons will recognize these subjects as controlling persons, with the imposition of risks associated with subsidiary liability for the Company’s obligations. It should be noted that using offshore companies won’t make life much easier, especially given the newly adopted Law on controlled foreign companies (see Federal Law No. 376-FZ of November 24, 2014).

The above-mentioned risks can be reduced with the following means:

  • a detailed separation of competence of managing bodies in the Charter,
  • establishment of the board of directors,
  • conclusion of a corporate agreement between the members that separates spheres of influence and restricts competition,
  • regular general meetings,
  • occasional internal audit of financial statements and reports,
  • comprehensive inspection of counteragents, avoiding cooperation with fly-by-night firms,
  • introduction of restrictions on alienation, inheritance and pledging of shares and the company’s property.

A detailed separation of competence of managing bodies, establishment of a supervising body with maximum competence (Board of directors), and introduction of restrictions and bans on entering the company, disposing of shares, making big deals, and participation of heirs/successors in the management process will substantially reduce the negative effect and risks for the company in case of a corporate conflict.

4. Vulnerable spots when working with counteragents

In services, as a rule, the main stumbling blocks are associated with acceptance of the result and payment for services rendered and work performed. A client’s full or partial refusal to accept the result and/or to pay can be considered a vulnerability for the contractor.

What should a contractor do to reduce risks and speed up the settlement of disputes with a client?

We recommend the following:

  • to show intermediate results of the work to the customer and agree them with the customer,
  • to mention the actions taken, the expenses incurred, and the persons involved in performing the work and their actions, both in reports and in correspondence with the customer,
  • to mention in correspondence with the customer the quality assessment of the work performed and the assessment criteria, and to state that, unless information to the contrary is provided, the results of the assessment shall be deemed correct, valid, full and consistent.

Since the options proposed rely on correspondence, it is advisable to give electronic correspondence with the client legal force by specifying this in the contract and indicating the specific e-mail addresses and contact persons of the contractor and the customer.

The options mentioned make it obvious that a contractor, as a professional in his field of services, should take an active position in the relationship with the customer. An additional positive effect is the creation of secondary evidence that the work was performed or the services provided with due quality and that sufficient attempts were made to get through to the client.

All these measures can not only speed up acceptance of the work performed and offset the customer’s artificial complaints about its quality, but will also present the contractor as diligent in the relationship with the client. This will definitely be useful in case of judicial disputes with the client.

We hope the check-list mentioned above will be useful not only to develop a strategy to reduce existing or anticipated unfavorable consequences but also to manage risks reasonably in the short-to-medium term.

It should be noted that the tools offered are not magic pills; their effectiveness depends directly on their timely and comprehensive introduction into the company’s regular business practice.


October 30, 2018

David G.