Three lessons from the Amec Foster Wheeler DPA

The Amec Foster Wheeler DPA was the SFO’s tenth Deferred Prosecution Agreement (DPA) since the DPA regime was introduced in February 2014. The Statement of Facts was released following confirmation by the SFO that it would not be proceeding with prosecutions against any individuals connected to the investigation.

The conduct set out in the Statement of Facts is egregious and endemic. The judge, in approving the DPA, was scathing in his assessment of the conduct of senior leaders at Amec. He noted that, but for the fact that the company had been acquired by an innocent party, the John Wood Group, he would not have granted the DPA. The Statement of Facts offers some valuable insights and lessons for corporates who may find themselves entangled in a law enforcement investigation of a similar nature.

1. Have a clear strategy for dealing with material that is covered by legal professional privilege (LPP)

While the material may properly be cloaked by LPP and does not require disclosure for cooperation credit, it is important to consider whether a limited waiver of LPP is appropriate in the circumstances of the investigation and the alleged offending.

If the company has decided that it will cooperate with the investigation, then it may require a degree of pragmatism over privileged material in its possession that will enable the investigation to proceed at pace and assist the authorities to reach a conclusion.

In Amec, there was a limited waiver of LPP over legal advice that had been received by the company in relation to its dealings with agents and public officials. This waiver was regarded by the SFO as part of the extensive cooperation of the company.

However, the parameters of a limited waiver of LPP should be clearly documented and sufficiently detailed to avoid any misunderstandings as to the extent of the waiver.

2. Policies and procedures don’t effect change, people do

Who is responsible for effective implementation? Do they have the required visibility into frontline operations? A lack of visibility and access to information can be a major impediment to ensuring that policies and procedures have the desired effect of managing behaviour and mitigating risk.

In Amec, an Employee Handbook was issued in 2001 which contained a Code of Ethics and set out procedures on the use of agents. In 2004, the company issued a Code of Business Ethics & Conduct and subsequent policies and procedures followed over the years. All were circumvented and disregarded by employees who were determined to continue corrupt practices, without the knowledge of the compliance department. They appeared to have been blind to the “culture of disregard” or powerless to stop it.

Those responsible for the implementation of policies and procedures must have visibility into the highest-risk operations and the authority to effect change.

3. Avoid ‘paper’ internal investigations and reviews

The simplified essence of an internal investigation is to identify the issue, resolve it and mitigate the risk of reoccurrence.

The collection of factual information that points to corporate misconduct and potential criminal offending should be a call to action, not a signal to carry on regardless. Senior leaders should be committed to taking the steps needed to resolve the identified issues and implement measures to stop such conduct from reoccurring.

Amec instructed the same law firm to conduct four separate internal investigations, between 2007 and 2010, into suspicions of bribery in India, Malaysia, Saudi Arabia and Nigeria. Each investigation uncovered evidence of corruption and yet senior employees at Amec did the bare minimum to tackle these issues.

Those who are instructed as an external resource should ensure that they have requisite independence and impartiality, otherwise the investigation is undermined and is an expensive exercise in futility.

Advice and support from ESA Risk

For advice and support on fraud prevention and investigations, please contact Lloydette Bai-Marrow, Serious Fraud and Economic Crime Consultant at lloydette.bai-marrow@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

First published in the Parametric Global Consulting newsletter.

Boris Becker’s bankruptcy: An unusual case?

The six-time grand slam winner and 1992 Olympic champion now potentially faces prison time when he is sentenced at the end of this month.

Becker was made bankrupt in June 2017, when he was unable to repay a debt of more than £3 million owed to Arbuthnot Latham & Co, a private bank. He “was legally obliged to disclose all of his assets so that his trustee could distribute available funds to his creditors.”

However, he has now been found guilty of:

  • Removing property worth more than £350,000
  • Failing to disclose ownership of a property in Germany
  • Concealing a bank loan of nearly £700,000
  • Failing to disclose ownership of 75,000 shares in Breaking Data Corp, a tech firm.

Insolvency investigations in the spotlight

Unsurprisingly, the news of Becker’s 2017 bankruptcy and this three-week trial have received a huge amount of mainstream media coverage. The vast amounts of money involved, unique story elements such as Becker’s assertion that he has lost some of his tennis trophies, and the fact he has been a regular commentator and pundit on UK TV coverage of Wimbledon, have made this a classic celebrity ‘fall from grace’ story. The Guardian’s headline on Friday afternoon was ‘Boris Becker: from tennis greatness to financial disaster’.

From an insolvency investigator’s point of view, this has been a rare occasion where the work we are involved in day-to-day has been outlined for the public in so much detail.

The tangled network of six-figure loans, payments to friends and family, multiple companies, worldwide properties, and discussions about unusual movable assets may appear to be peculiar to this extravagant celebrity’s case. But it isn’t.

We often work on cases like Becker’s, with individuals and companies spinning complex webs of transactions and layers of companies to hide their wealth.

This can make a successful prosecution hard (but not impossible) to achieve. The key, as with all legal cases, is finding the evidence.

This process is known as intelligence gathering and is the basis of asset tracing. As investigators, by conducting thorough forensic research and using techniques such as surveillance, we identify assets such as property, vehicles and valuables owned by the subjects or purchased by the subjects for their family members and close associates.

Proof of ownership or of a beneficial interest in an asset is crucial, as, in most cases, the end goal is to recover assets to settle a debt or as part of litigation. Obtaining proof is not always easy, as assets can be moved from one entity and jurisdiction to another, but there is usually an audit trail that we can follow.

What next for Becker?

Becker, 54, was on trial at Southwark Crown Court, prosecuted by the Insolvency Service on 24 charges. While he was acquitted of 20 of those charges, he was found guilty of concealing, removing and (on two counts) failing to disclose assets.

He was released on bail with sentencing due to take place on 29th April. Each count carries a maximum prison sentence of seven years.

Becker is already subject to a 12-year Bankruptcy Restriction Undertaking until 2031 and his discharge from bankruptcy has been suspended indefinitely.

ESA Risk asset trace investigations

To instruct us on an investigation or for more information on our asset tracing services, contact Mike Wright, Risk Management & Investigations Consultant at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Legislation update: Economic Crime Act 2022

The Economic Crime (Transparency and Enforcement) Bill became law on 15th March 2022. It was expedited due to recent UK sanctions announced against Russia. The Act is intended to bolster the UK’s response to economic crime threats and is set out in three main parts.

Key features of the Act are:

Part 1: Register of Overseas Entities and their Beneficial Owners

  • It requires overseas entities that own property in the UK to disclose details of their beneficial owners.
  • Companies House will manage the Register.
  • There is a duty to update the Register every 12 months; failure to do so will attract a daily default fine.
  • The overseas entity must take “reasonable steps” to identify registrable beneficial owners and share this information with Companies House.
  • ‘Registrable beneficial owners’ are those that hold 25% or more of the shares in the entity or of the voting rights in the entity, have the right to appoint or remove the majority of the entity’s board of directors, and have the right to exercise or actually exercise significant influence or control over the entity, or over a trust or other entity that meets these conditions.
  • The Act requires the overseas entity to serve an information notice on any possible registrable beneficial owners. A criminal penalty is attached to a failure to comply with the notice, or the provision of false information.
  • The deadline for registration is six months from Parts 1 and 2 of the Act coming into force. It applies retrospectively to property acquired since 1st January 1999 in England and Wales, and since 8th December 2014 in Scotland.
  • Non-compliance will result in criminal liability, with managing officers facing criminal sanctions. Penalties for breaches include fines for the entity and imprisonment for individuals.
  • Overseas entities that have not registered will face restrictions when trying to sell, lease, or deal with their property. This is to deter those who attempt to sell their property to avoid registration.

Part 2: Expanding the remit of the Unexplained Wealth Orders (UWO) regime

  • An enforcement authority will get extra time to review material received in response to a UWO, before discharging interim freezing orders over relevant assets.
  • UWOs are extended to assets ‘obtained through unlawful conduct’ and can be imposed on company directors, even if they do not personally own the assets.
  • The Act creates a new category of persons who can receive a UWO, including ‘responsible officers’ of the entity that owns the property.
  • The ‘responsible officer’ of an entity (that is the subject of a UWO) must provide information to authorities regarding the UWO. They can be directors, board members, general managers, company secretaries, and partners.
  • The Act caps the costs awarded against an enforcement authority if a UWO is challenged successfully.

Part 3: Strengthening the UK sanctions regime

  • The Act will make it easier for the government to impose sanctions on companies and individuals. The UK government can now make designations of sanctioned persons much more quickly, especially for those already sanctioned by other countries.
  • The Office of Financial Sanctions Implementation (OFSI) has new powers to publicly identify organisations and individuals that breach financial sanctions, even if they are not the subject of a penalty. It can also ‘name and shame’ companies or individuals that it considers likely to have breached compliance obligations or financial sanctions prohibitions. This increases the risk of reputational damage.
  • The Act makes it easier for OFSI to impose penalties for sanctions breaches on a strict liability basis, rather than having to demonstrate that an organisation had knowledge or reasonable grounds to suspect sanctions were being breached.
  • Lack of compliance with sanctions legislation already constitutes a criminal offence subject to fines and imprisonment.

What next?

Governance and controls should be examined thoroughly to ensure that they align with the Act. In particular, the risk of incurring a financial penalty for a sanctions breach is now much higher. The Act is far from perfect, but it is a step in the right direction. There are clear gaps, and it is questionable whether enforcement authorities will be given the resources to use the new powers effectively. The six-month period for registration also leaves room for disposing of or transferring illegitimate assets. We should expect another Economic Crime Bill to follow soon to deal with the lacunae in this Act.

First published in the Parametric Global Consulting newsletter.

Advice and support from ESA Risk

For advice and support on economic crime issues, please contact Lloydette Bai-Marrow, Serious Fraud and Economic Crime Consultant at lloydette.bai-marrow@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

ESG criteria: Social metrics, the data deficit and the pursuit of a universal framework

Environmental, social and governance (ESG) policies allow customers, investors and other stakeholders to evaluate a company’s impact on its employees, local communities and the natural world.

Some studies show that high performance on ESG criteria correlates with greater profitability, customer satisfaction, investment and ability to attract and retain talent.

Unlike its now less fashionable predecessor, corporate social responsibility (CSR), ESG provides reporting frameworks for tracking compliance.

However, the ability to share best practices and benchmark ESG performance has so far been stymied by the absence of a gold-standard framework that enables like-for-like comparisons.

The issue is particularly acute for ‘social’ metrics, which one expert has argued are “10 years behind” the ‘environmental’ pillar in terms of sophistication and data gathering.

Mutually reinforcing ESG metrics

The growing urgency of climate change and biodiversity loss has seen sustainability – with metrics around carbon footprint, water consumption and air pollution – dominate the ESG conversation.

And the corporate exodus from Russia in the wake of the war in Ukraine, as well as evidence of corporate malfeasance emanating from leaks like the Pandora Papers, have given greater impetus to the ‘governance’ dimension, as measured by the rectitude of directors, regulatory compliance and so on.

But the conflict in Ukraine also demands attention to ‘social’ metrics, which refer to how a business manages relationships with its employees, customers, suppliers and partners.

And Covid-19 too, which raises additional governance questions over supply chain resilience, has highlighted the value of ESG social metrics around keeping employees safe and treating them ethically.

More generally, having a motivated, skilled workforce – a key goal of ESG social criteria – is pivotal to any business goal worth pursuing.

Further, environmental, social and governance metrics are often mutually reinforcing. Consider how, for instance, making industrial processes less air-polluting addresses social criteria around health and wellbeing as well as being an environmental benefit.

‘Objective standard’ for ESG social metrics

Writing in the Stanford Social Innovation Review in February 2022, Jason Saul, executive director for the Center for Impact Sciences at the University of Chicago, said “the ESG field needs an objective standard for reporting social outcomes”.

Promisingly, the World Economic Forum (WEF) has developed ESG metrics consolidated from the profusion of hundreds of existing frameworks and standards, which it claims have shown signs of yielding positive social outcomes.

Developed in collaboration with corporate giants including IBM, Nestlé, and Sony, the ‘Stakeholder Capitalism’ criteria comprise four pillars – people, planet, prosperity and governance – and include 21 “well-established, universal, industry-agnostic” metrics and 34 expanded metrics and disclosures.

A white paper (PDF) published in September 2020 sets out the metrics, declaring “near-term objectives of accelerating convergence among the leading private standard-setters and bringing greater comparability and consistency to the reporting of ESG disclosures”.

The WEF reported in September 2021 that more than 50 companies had begun including the Stakeholder Capitalism Metrics in their mainstream reporting materials, and the first 45 reports showed “how companies are building skills for the future, with over $1.5 billion invested in training”, and “contributing to their communities and social vitality with nearly $140 billion in taxes”.

Early reporting has also apparently informed the IFRS Foundation’s International Sustainability Standards Board (ISSB), established in November 2021 to “deliver a comprehensive global baseline of sustainability-related disclosure standards”.

Dignity and equality

The WEF’s ‘people’ metrics comprise three subsections: dignity and equality, health and wellbeing, and skills for the future.

By ensuring “equitable opportunities” and “fair treatment” to employees regardless of “gender, race, age, ethnicity, ability and sexual orientation”, dignity and equality compliance on Stakeholder Capitalism Metrics means companies “become a better reflection of society and also deepen the pool of talent that a more diverse workforce can bring”, argues the white paper.

Health and wellbeing

Health and wellbeing compliance, meanwhile, is said to boost employee productivity and “is increasingly required by law”.

ESG criteria in this area cover the number and rate of fatalities resulting from work-related injuries; high-consequence work-related injuries (excluding fatalities); recordable work-related injuries; the main types of work-related injury; and the number of hours worked.

The organisation must also score progress in facilitating workers’ access to non-occupational medical and healthcare services.

Skills for the future

Finally, the white paper says upskilling the workforce is given greater urgency by 2020 WEF findings that we need to reskill more than one billion people by 2030.

The ‘skills for the future’ metrics include average hours of training undertaken per employee over the reporting period by gender and employee categories, and average training and development expenditure per full-time employee.

Expanded ESG social metrics

The expanded metrics, which are suggested as a longer-term reporting goal, purportedly move beyond “reporting outputs alone to capturing the impacts of their operations on nature and society across the full value chain, in more tangible, sophisticated ways, including the monetary value of impacts”.

They will also apparently help “address urgent emerging issues – such as nature loss, resource circularity, and gender and ethnicity pay gaps – that are not yet well-represented in formal reporting standards”.

One expanded skills-for-the-future metric gauges investment in training as a percentage of payroll and the effectiveness of training and development through increased revenue, productivity gains, employee engagement and/or internal hire rates.

Addressing the data deficit

Jason Saul wrote that most of the few attempts made to create frameworks for reporting social impacts “have fallen short”.

He cited a 2021 ESG survey by BNP Paribas that revealed 51% of global institutions found social to be the most difficult ESG element to incorporate into investment strategies because “data is more difficult to come by and there is an acute lack of standardization around social metrics”.

He prescribes “three practical steps” to remedying the situation. “Most importantly, companies should start reporting S impact data consistently” and immediately, which will give them “a lot more influence over what standards are set”, he said.

“Second, ESG investors should start asking for S impact data and making it a requirement,” he added. “Finally, ESG rating agencies, standard-setting bodies, and data providers should align with a specialized S data provider to up-level the value of their data.”

It’s clear that, despite becoming the dominant model for measuring organisations’ impact on society and the environment, ESG – and the ‘S’ part in particular – still has some maturing to do.

Thankfully, evidence is growing that academics and ESG strategists are grappling with the need for universal, effective ESG standards and to elevate social metrics to the sophistication of their sustainability counterparts.

Advice and support from ESA Risk

For further advice and support on all areas of ESG, particularly compliance and making ESG part of your risk management strategy, contact Mike Wright, Risk Management and Investigations Consultant at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Superyachts: Tracing a moving target

CNBC suggested data it had reviewed showed “at least four massive yachts owned by Russian business leaders have been moving toward Montenegro and the Maldives in recent days.” While that’s not categorical proof that the owners are attempting to hide their assets or remove them from the reach of sanctioning countries (the Maldives is a popular destination for wealthy Russians), the report raises interesting questions about how asset freezing and confiscation orders are implemented.

While property – a common asset looked for in such situations – is relatively easy to identify and locate, superyachts pose a unique challenge, not least because they are a moving target.

Sanctions against Russian individuals have been brought by the UK, the US and the EU, among others, with a view to freezing their assets and, in some cases, seizing them. American President Joe Biden announced on Twitter that the US was “joining with our European allies to find and seize their [Russian oligarchs’] yachts, their luxury apartments, their private jets.” France has already announced the seizure of a yacht worth around £90m moored near Marseille.

It’s all well and good seizing assets that are in plain sight in your own boatyard, and the job is made easier when an international task force is working towards the same goal. But what happens when the whereabouts of an asset is unknown and in lower-profile cases with fewer resources?

How does asset tracing work?

In these cases, the first step is to determine the asset profile of the subject of the order – identifying assets owned by the subject and by their close associates. In many cases, when an individual is trying to hide their wealth, they will distribute assets among their network, but these may still be seized if a link between the subject and the assets can be proven.

The process of identifying assets and estimating the value of those assets is known as asset tracing. Investigators – such as those at ESA Risk – use databases, deep web tools, open-source intelligence (OSINT) and human intelligence (HUMINT) to build a picture of an individual’s lifestyle and behaviours, and the assets they own or potentially own.

Superyacht tracing is no different, but it requires specialist knowledge and can rely heavily on industry connections. It’s an area where we have deep expertise and experience, with access to superyacht-specific tools and databases along with connections in the world of superyachts. Our industry knowledge enables us to identify yachts from intelligence sources such as social media posts and to provide a valuation for a yacht at the current market rate. We also have access to tools that can track the location of a registered vessel anywhere in the world and give information about the status of the yacht (anchored, berthed or under way).

Linking an asset to a subject is not always that simple, though, as is being shown in the case of one of the world’s largest superyachts (at 156m long, the fifth longest), the Dilbar, valued at nearly £450m. Widely ‘known’ to be owned by Russian businessman Alisher Usmanov, the yacht is actually owned through a holding company and it is registered in the Cayman Islands, “making it difficult to tie directly to Usmanov for the purpose of sanctions.” Forbes reported that the Dilbar superyacht had been seized by German authorities, but the outlet quickly published a correction clarifying that this was not the case. Instead, the German federal customs agency states that “no yacht leaves port that is not allowed to do so.”

It is in these cases that industry connections can be particularly useful in helping to ascertain who the ultimate beneficial owner of a vessel is.

Asset tracing services including superyacht tracing from ESA Risk

When it comes to tracing assets, we are the experts. ESA Risk’s team will deliver concise but comprehensive results which will enable you to make the decision on which way to proceed. With a network of trusted partners covering every part of the world, our investigation capability – and therefore yours – is truly international.

We have specialist knowledge of superyacht tracing, too. This can be particularly useful when investigating high-net-worth individuals.

To instruct us on an investigation or for more information on our asset tracing services, contact Mike Wright, Risk Management & Investigations Consultant at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

The Pandora Papers and the challenges of multijurisdictional investigations

Based on almost 12 million documents leaked by whistleblowers in 2021, the journalist-led investigation resulting in the Pandora Papers exposed the opaque financial practices deployed by the rich and powerful to avoid tax and, in some instances, mask criminal wrongdoing.

Painstaking process

However, the Pandora Papers is a misleading case study when it comes to the myriad challenges around conducting multijurisdictional investigations.

The legal, consulting or investigatory firms that typically conduct cross-border investigations don’t usually have millions of documents, images, emails and spreadsheets serendipitously land in their lap, as was the case with the International Consortium of Investigative Journalists (ICIJ) and the Pandora Papers.

Rather, ordinarily they must surmount regulatory, cultural and geopolitical barriers that vary between jurisdictions to painstakingly unearth relevant data themselves.

As investigators we are first and foremost finders of fact.

Some investigators place great emphasis on the interviews conducted with relevant parties to ascertain these facts; others say the data will tell you everything you need to know. But most of us recognise we need a dual approach in order to establish the facts of a case as fully and accurately as possible.

Cross-border expertise

Finance and big business operate transnationally, meaning investigations can involve dealing with multiple corporate units in various countries as well as navigating the treacherous terrain of cooperating with law enforcement in those jurisdictions.

As such, we need a deep understanding of the laws and cultural environment of the countries our investigation encompasses, assisted by local legal and other experts.

Moreover, we must keep track of regulatory, geopolitical and other changes that make information easier or harder to obtain.

This helps us distinguish between outright illegality and practices that might be legal in some jurisdictions (albeit sometimes ethically dubious). Setting up shell companies in tax havens usually falls into the latter category, but could, in rare cases, be a means to cloak criminal activity.

Whitewash hazard

We must also be mindful that our role can be undermined at the very outset. There have been multiple instances where investigators have been brought in to effectively create cover for illegal activities and stonewalled or given misleadingly partial data or outright disinformation. This gives the company the credibility to say to the world: “Look! We had investigators in and there’s nothing to see here.”

Therefore, it is important that investigators have the requisite independence to obtain the information required and establish the facts of the case at hand.

Have we been instructed as an investigator in good faith? Do our engagement instructions allow us to do the job we were ostensibly brought on to do?

Data access policies and regulations

Some multinational corporations make our job easier by having a shared server and consistent systems and policies across their global operations.

Conversely, there are subsidiaries that are only loosely integrated with their parent organisation and effectively function as independent companies. This means you need a strategy for accessing information they hold and corralling on-the-ground resources to support data access.

Divergent data protection regimes, and even differences between how the General Data Protection Regulation (GDPR) is enforced across the EU, also create obstacles to obtaining, sharing and using information.

‘Low trust’ jurisdictions

When you enter a jurisdiction with low levels of ‘trust’ and high levels of economic crime there are several questions to address.

How do you manage people you recruited in this jurisdiction? Are they aligned with the values and culture of your wider organisation? Do you have training, controls and processes in place to ensure people stay on the straight and narrow? Do you conduct regular audits and visit their premises (Covid-19-permitting)?

People can be wary of speaking to investigators for a variety of understandable reasons.

For instance, they might live in low-trust countries with dysfunctional institutions, be female in a patriarchal culture, or be a member of a marginalised socioeconomic group (such as a low caste in India).

Therefore, investigators must have an eye on cultural context and sensitivities and have a plan for navigating those challenges.

How, for instance, can you empower people to speak up mid-investigation if their boss has told them not to speak to anyone?

We can assuage their misgivings by guaranteeing anonymity and a safe location to conduct an interview, such as by arranging to meet in a nearby hotel rather than their office.

Covert and Covid-19 challenges

Gathering data becomes tougher still if your investigation is operating covertly.

Covid-19 has complicated matters too, forcing investigators to do their work remotely when in normal times they might board a plane to retrieve material themselves.

With travel restrictions still onerous in many jurisdictions, we must in many cases still rely on employees and contacts based in the countries in question. But are those individuals trustworthy and reliable? Can you count on them to observe confidentiality and not tip off potential subjects of the investigation?

Data as disinfectant

Bribery and corruption are not isolated to one jurisdiction or region, or to the global north or south, but are pervasive in every part of the world.

While they fall into a different category of investigation, journalist-led investigations like the Pandora, Panama, and Paradise Papers leaks demonstrate how the disclosure of incriminating data can spark meaningful action by lawmakers, regulators and courts.

Consider how, for instance, the 2016 Panama Papers revelations have precipitated ongoing money laundering investigations involving a Peruvian presidential candidate and a former Maltese chief of staff, while US lawmakers have cited the coverage in advocating for the Stop Tax Haven Abuse Act (PDF).

Sunlight really can be an effective disinfectant in these scenarios.

ESA Risk investigations

If you have the need for experienced investigators (including for multijurisdictional / cross-border investigations), please contact us. We can support you with an internal investigation or provide a full external investigation to meet your needs.

Contact Lloydette Bai-Marrow, Serious Fraud and Economic Crime Consultant, at lloydette.bai-marrow@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Market conditions creating a perfect storm for businesses

This unprecedented set of market conditions looked to have claimed its first high-profile victim when Studio Retail Group plc called in administrators, after failing to secure a £25m short-term loan. The company has been bought out of administration quickly, with Frasers Group paying £26.8m for the ailing business at the end of last week.

Perhaps the most concerning aspect of Studio’s story is that the company posted excellent trading results throughout the most challenging periods of the Covid-19 pandemic and was optimistic about its future position in updates made as recently as 5 weeks ago. On 31st January 2022, the Group CEO commented: “The trading performance over Christmas, with sales up 18% over two years, shows our offer is resonating with a customer base of 2.3m. We will continue to drive the long-term profitability and success of the group.”

A set of long-term problems bubbling under the surface appear to have come to the boil all at once to create a short-term cash flow issue that required a formal insolvency process to achieve a positive resolution.

The challenges faced by Studio Retail Group are being faced by a huge number of businesses in the UK, especially those in the retail sector.

Supply chain disruption

Supply chain disruption is probably the most widespread and most damaging of those issues. The current reasons for supply chain disruption are varied, with higher container costs, longer times on the water, delays at UK ports due to extra paperwork and HGV driver shortages all contributing to time delays and increased costs. Alongside facing increased transport and logistics costs (mentioned in every Studio trading update for the past 8 months – in hindsight, a red flag being waved repeatedly), many companies are holding excess stock to avoid future disruptions and are therefore increasing costs without a guarantee of increasing sales.

Other challenges that may lead to cash flow problems

Overstocking is not necessarily a problem, but the current squeeze on consumers’ disposable income – caused by high inflation, interest rates and fuel prices, and soon to be worsened by energy price rises – is starting to affect sales of non-essential goods. That leads to stock going unsold and costs not being recovered.

Many industries are also seeing high wage inflation, with growth in average total pay at 4.3% in the latest figures from the Office for National Statistics (ONS). While this is much lower than the recent high of 8.3% in June 2021, growth is still higher than it has been for more than 14 years. In some sectors, the rate is much higher – finance and business services saw a growth rate of 8.1% in the period from October to December 2021 – and all sectors are experiencing growth.

Wage inflation can be driven by the need to retain staff by offering more competitive salaries and by staff churn leading to the need to recalibrate starting salaries. In the age of the ‘great resignation’, it’s easy to see why wage inflation is so high.

Add to that the monthly repayments of Covid recovery loans, most notably under the Bounce Back Loan Scheme, which are now well underway for those companies that took a loan and the outlook for UK businesses is a perfect storm which threatens their short-term cash flow. For some (as in the case of Studio), it also threatens their existence.

While the £25m requested by Studio to manage its cash flow problems may seem high, the company had an existing revolving credit facility of £50m, and the decision by HSBC not to extend this funding line was a surprise to investors and the City. Considering Studio’s strong position in the last 2 years, this will rightly give other businesses cause for concern.

What is the outlook for UK corporates?

Studio predicted that “the disruption to supply chains will continue throughout calendar 2022”. The Bank of England expects the rate of inflation to rise even further from 5.5%, currently, to “over 7%” in the coming months – way above its 2% target, which the Bank “expect[s]…to be much closer to…in 2 years’ time.” In short, the challenges being faced by the UK market aren’t going away any time soon.

While it might sound like it’s all doom and gloom, it doesn’t have to be. There are many ways for a company to take control of its cash flow management and overall financial situation before it worsens and to pre-empt any formal insolvency process.

How can ESA Risk help with cash flow issues in business?

At times like these, seeking advice from professionals who are experienced in these financial and supply chain issues can make the difference needed to move your business from facing financial problems to financial security and profitability.

At ESA Risk, our expert consultants have a wealth of experience advising and supporting businesses. We can help with cash flow forecasting, financial risk management, debt recovery strategies and more.

Contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form to find out more about how we can support your business.

The fallout of a major data breach

A few weeks on from the suspected ransomware cyber attack on Optionis Group – Parasol’s parent company, contractors have found their personal data for sale on the dark web.

The discovery is the latest in a series of misfortunes to affect contractors employed through Parasol following the cyber attack in the second week of January.

As an umbrella company, Parasol employs temporary workers, often on behalf of employment agencies. Umbrella companies provide convenience for contractors and agency workers, and the companies who use the services of those workers, by managing contracts, timesheets and payroll, etc.

The role of an umbrella company also means it’s necessary for them to hold a large amount of personal and sensitive data. The introduction of the IR35 regulation in the UK, which relates to contractor / client relationships, has led to an increased use of umbrella companies by contractors and, consequently, an increased number of financial (payroll) transactions being made through those companies. As a result, companies such as Parasol now process and store a vast amount of sensitive financial data, making them attractive targets for cyber criminals.

The Optionis Group incident is the second major attack (that we know of) on an umbrella company in less than four months. Giant Group was the victim of a “sophisticated cyber attack” at the end of September 2021, which took the company’s communications and server network out of operation, and left some contractors without pay.

Timeline of the Optionis Group cyber attack and consequences

14th January 2022

Parasol initially advised its contractors that there was no access to the company’s operational and communication portals used to submit timesheets, view payslips, process contract extensions and so on.

Rumours began to circulate on social media that Parasol was experiencing a cyber attack, which was later confirmed by Optionis Group.

15th January 2022

Some of Parasol’s contractors started to report missing payroll payments or payments that were significantly lower than expected. When this was questioned, the company confirmed that payments were having to be made manually, implying that their bank accounts had been compromised.

21st January 2022

Parasol’s portals were restored. However, other companies within the Optionis Group had to move to rebuilt platforms. For example, an accountancy firm within the group reopened its portal with data migrated from its last backup – from November 2021 – meaning 2 months’ worth of data was missing and needed to be manually re-entered.

4th February 2022

Social media reports confirmed that personal data from Optionis Group had been found on the dark web.

7th February 2022

An email from Optionis Group confirmed that their data had been found on the dark web and individuals would be advised if they had been directly impacted.

28th February 2022

At the time of writing, the contractor we spoke to had heard nothing further from Parasol / Optionis Group, despite finding their own personal data on the dark web.

Taking action

As someone who works in the cyber security and fraud industry, they have quickly taken matters into their own hands and put in place controls to mitigate the personal impact of this data breach.

They’ve paid to set up monitoring alerts with Experian and CIFAS to try to protect themselves from identity fraud. The platforms will alert them if their personal details are used to apply for financial products.

As the director of a limited company, they’ve also had to register with the Companies House protection scheme to protect their company and receive alerts if anyone tries to change, or conduct business using, their details.

There’s still no guarantee that the individual’s leaked details won’t be sold or used maliciously in the future.

And the issues at Optionis Group are ongoing, with some systems still not restored in full since the cyber attack.

The contractor we spoke to is, unsurprisingly, frustrated and angry about the situation:

“I know how devastating an information security breach can be, so when I heard that my accountants and umbrella company that I work through for payroll had been breached, I was immediately very concerned. When it was confirmed that the personal data had been located on the dark web, I was extremely angry as you just assume that your accountants have the necessary protection in place for your data and information. Obviously not. It’s vital that other such firms review their systems and ensure they have the utmost protection as these attacks are becoming more and more commonplace.”

This viewpoint is clearly held by other affected parties. ComputerWeekly.com reported that some contractors had “tak[en] it upon themselves to investigate whether their personal data [was] compromised…after growing frustrated at the time…[taken by Parasol] to provide updates on the situation.”

The same article reports that “a group action is being prepared…to seek compensation for contractors caught up in the breach”.

Clearly, the main fault here lies with malicious actors who carried out a targeted cyber attack in order to breach a company’s systems and steal personal data. However, every company that holds personal data has a legal duty to keep data secure and to respond to potential data breaches in a specific way. In this case, there appear to be failings on both the security and the response side by Optionis Group.

Cyber security support from ESA Risk

At ESA Risk, we offer a broad range of cyber security services that can help you secure systems and data, become more cyber-aware, identify breaches, and prepare for and respond to attacks.

Our consultants have proven experience of working in some of the UK’s top financial institutions where they have implemented secure cyber controls and continue to provide remediation and preventative cyber security and data breach support.

For advice and support on making your business cyber-secure, or if you’ve been the victim of a cyber attack or data breach / leak, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.


The role of cyber attack war games in building cyber resilience

The reality is that penetration testing provides no guarantees of security and does not address the weaknesses in an organisation’s ability to detect and respond to a sophisticated attack; or its ability to manage a cyber crisis and take the timely decisions to enact cyber defence or system continuity plans. Consequently, there is a need for more sophisticated and technically based crisis exercises to identify causes of failure and to provide training, education and awareness.

To most firms, a real-world attack simulation is as much a ‘game changer’ as actually being targeted. In both cases, firms can expect to learn hard lessons, but the war game process ensures that the organisation is ready to absorb the lessons and identify the benefits without the pain or damage of an actual breach. This point cannot be overstated. In a real event there is invariably a catalogue of human and management failures consistent with the inability to think clearly under pressure.

In reality, most lessons are only learnt after a real event, even when the overriding climate is negative or less orientated towards learning. A cyber attack war game, which simulates a prolonged attack, aims to provide lessons before a real event, and enables learning during an attack. In short, it can develop a firm’s ability to interpret and apply experience into real-time learning.

Cyber security war games derive significant learning across multiple levels of decision-makers, and can be structured specifically to bring together the C-suite, security leadership team, security operations centre and incident response, as well as the forensics, risk and crisis management teams. War gaming is an excellent and effective way for large organisations to identify the weaknesses in communications and coordination between these groups. In times of crisis, the cascading effects of an attack and the impacts are often exacerbated by the decisions taken, and the process of decision-making by these groups. Learning how these groups take certain decisions when faced with uncertainties, or adapt and enact response plans when tackling ‘unknowns’, is vital to a successful response and the successful building of cyber resilience within an organisation.

How do cyber attack war games work?

A well-crafted cyber security war game incorporates both a ‘fundamental surprise’ that the organisation had not anticipated and a number of ‘situational surprises’ – known cyber risks for which the organisation has little or no advanced warning. Much of the pre-exercise planning should aim at developing appropriate knowledge and intelligence in order to define the exercise in a manner that can be controlled and developed over time and tests the different capabilities.

The ‘storyline’ can commence with a technical event to kick off the assessment of initial implications, and the event would then be developed through situational feeds from the directorate. The initial objectives should be to test detection: by the systems; by the incident response team; and through the analysis of the forensic team. More can then be provided by the directorate, including intelligence such as analysis of the threat community, IP information, and pieces of malware. The exercise can then examine the fundamentals of communication and decision-making, specifically:

  • who is taking decisions and on what basis?
  • what is the process of taking alerts/indications and deriving useful information from them?
  • how is information then transformed into knowledge throughout this first technical phase?

At this point, a major new technical event may be introduced, or the original event may be taken in a new direction to trigger a new cycle of detection and decision-making. Evaluation may focus more on how the new event affects the decisions previously taken, the need for additional resources, and whether a new risk assessment should take place. With a second-phase escalation of the attack, the evaluation can examine who is assessing the risk throughout the event, who is involved in the process, what indicators are in place, and how they conduct a timely assessment of the possible implications from the new event.

Using this approach will allow escalation towards the involvement of the crisis management team, and an examination of that team: at what stage they were involved and how they received the relevant information. The exercise can also test the team’s communication effectiveness, who precisely was involved and how they supported the whole process.

Building cyber resilience

The more significant element in the learning process is the incorporation of observation, decision-logging, and mentoring as part of the war game process, while a full debrief and post-exercise workshop should establish lessons learnt, capability gaps and the modifications required in technology and processes.

The ‘learning by doing’ opportunity that war games provide identifies failures in breach incident response as well as failures in security. This should ensure a balance between security and implementing the appropriate response, but also offer a list of immediate tactical priorities for remediation, as well as short-term changes. It can also surface previously peripheral issues that had not been addressed or prioritised, which may prove to be more critical to the overall security apparatus than previously recognised. Often these are ‘human’ aspects known to be weaknesses, though not recognised and addressed at an organisational level.

By establishing the right cyber attack war game framework, the learning objectives are set at the top of the agenda if the organisation is astute enough to accept that a breach will occur, and the success is measured by how it deals with this.

The iterative process of this type of workshop can offer a forum for planning that integrates investment, and priorities between prevention, defence, and a shared understanding of the converged nature of cyber risk. This pre-emptive approach to developing effective cyber defence and identifying causes of future failure identifies priorities for response training, and the development of a response doctrine that can provide an organisation with agility and options.

Conduct a cyber war game

At ESA Risk, we can design and run a cyber war game specific to your business. If you would like to learn more about cyber security, war games and/or building cyber resilience within your organisation, please contact us.

The biggest threat

Graeme McGowan, Cyber Risk & Security Consultant at ESA Risk, reveals the biggest cyber security threat posed to businesses in the UK.

It’s the leading cause of reported data security breaches, according to the Information Commissioner’s Office (ICO), and arguably the largest enabler of malware infections and cyber attacks.

He also outlines ways the risks posed by this threat can be minimised.

What is the biggest cyber security threat?

While many people might expect the answer to be the latest malware in circulation or an organised group of hackers, the actual answer is simpler and closer to home…

Human error is arguably the largest enabler of cyber attacks and malware infections. Many people are not aware of the tell-tale signs or preventative measures to take when it comes to cyber security.

The ICO has reported human error as the leading cause of reported data breaches, highlighting a need to amend this. In turn, it is now handing out fines to organisations following data breaches, as a reverse incentive to push companies to educate their staff and thereby avoid potential breaches in future.

Businesses are not fined if they have a sufficient protocol in place guarding against human error, but small companies are being particularly hit hard because of gross negligence and a lack of staff training leading to employee mistakes.

A simple example:

Firm X sent out personal data in respect of an individual and their family via email and post. A lack of security meant that unconnected third parties, who had no way of knowing the sensitivity of the content of the post and emails, then unintentionally had access to the sensitive personal data. The unconnected third parties were accidentally included on the email and therefore received the data, most likely by the fault of the sender who seemingly did not check the recipient/s they were sending the email to.

A complaint was made by the individual concerned following the unauthorised disclosures and an investigation into the incident revealed that repeated human error was to blame for the breach, resulting in a £10,000 fine being handed to the firm.

Why was the fine so large?

The ICO has noted that the fine is reflective of the firm’s disappointing response to the complaint and its failure to engage appropriately or show an understanding of the impact of the breach on the individual. The lesson here is that, in itself, a breach of data protection rules will not automatically incur a penalty. However, inadequate safeguarding measures followed by a delayed or obstructive (or even just negligent) response to a breach may lead to investigation and subsequent fines from the ICO.

Human error will always be a risk, but the response to that error is what is important both in terms of limiting any sanctions and maintaining a positive relationship between a business and the individuals with whom it deals.

Where does the risk lie?

Lack of understanding or awareness may mean:

  • A subject access request goes unanswered or is delayed.
  • Misuse of personal data, e.g. it is used to contact individuals without consent.
  • Personal data is used for purposes outside of the purpose for collection of that data.
  • Personal data is inadvertently provided to unconnected parties.
  • Delayed or no action following a security breach.
  • Failure to update records or delete records.

All of the above would be breaches of the General Data Protection Regulation (GDPR) and may require immediate action or even reporting, depending on the circumstances.

How do we prevent or minimise the ‘human error factor’?

In three words: training, education and awareness.

Compliance with GDPR cannot rely just on software systems and one data protection manager.

All individuals within organisations from the cleaner to the CEO need to be aware of how data protection compliance impacts on their role and what their responsibilities might be. In a few cases, there may legitimately be none, but it is important for the knowledge to be there and for staff to be alert and aware of cyber security protocol.

In order to combat this risk and employee lack of awareness, training should be provided to staff at induction and at regular intervals, especially if their role and responsibilities change. It is also crucial that staff know what to do if an error occurs and a cyber security threat appears. Communication at the earliest point is key in handling a breach, so creating a culture of trust is critical.

Once the training and understanding is in place, investment in the technology to support good data protection procedures will enhance those procedures and allow easy management of the various tasks and obligations.

Cyber security services from ESA Risk

We’re here when you need us. We provide both passive and reactive support services, which are scalable and quick to deploy in crisis situations, giving you precious additional time at critical moments. Contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form to find out more.

Develop your cyber security knowledge with one of our cyber security courses, provided by the Global Cyber Academy.

Deep dive for the answers you need
Or contact us on +44 (0)343 515 8686 or at advice@esarisk.com.
