Or ask St. Jude. This summer, the medical device maker saw its stock price drop when a security report was released claiming vulnerabilities in the company's pacemakers -- while the company that released the report made money short-selling the stock.
"When this report hit the wire, St. Jude's stock went down 5 percent in the same day," Rothrock said.
"And there are rumors that sometimes companies are attacked by nation states that are playing a financial game," he added. "Or what if oil companies got after each other and started putting out bad cyberrumors as a competitive weapon in a contract negotiation or a supply chain negotiation -- that would be huge."
There's a lot of money that could potentially be made here.
"It's probably going to get worse before it gets better," he said.
Another recent example is that of the Dark Overlord hackers, who used the threat of disclosing private information to try to extort money from companies.
They made the threats in connection with a ransomware attack, said Sean Mason, director of threat management and incident response at Cisco Systems.
"They went through and locked up all of the critical assets and data -- after ensuring that they copied everything," he said.
When one of the victims, investment firm WestPark Capital, refused to pay, the hackers released non-disclosure agreements, contracts and other documents.
The hackers also published a note claiming that the firm's CEO "spat in our face after making our signature and quite frankly, handsome, business proposal."
"It is becoming a growth industry on the criminal side of things," said Mason. And while some companies take a hard-line stance and will not be blackmailed, others will consider the price a drop in the bucket and pay up.
The current season of USA Network's Mr. Robot had it as a plot device, he added. "It's become mainstream enough that it's in TV shows."
But paying the ransom is no guarantee that the data won't come out.
"Sure, releasing the data right away will harm their reputations and make other victims less likely to comply. But there's also no reason for them to delete something that they might use at some point down the line."
"Data can have a long half-life depending on whom it affects," said Wendy Nather, advisory board member to RSA Conference and research director at the Washington, DC-based Retail Cyber Intelligence Sharing Center.
A wider view of risk
Public leaks of proprietary information are changing the way that some companies look at core data protection.
"Most enterprises have focused their efforts on PII," said Kennet Westby, president at security firm Coalfire Systems. "Executive emails, human resources, communications about deal structures -- that kind of information has not traditionally been incorporated into the risk assessment for most enterprises."