The Fund Director Selection Process

4 October 2016

Pavilion has been particularly interested to hear the results of The NED Magazine’s recent survey of those involved in the selection process of non-executive fund...


Cyber Security

6 May 2016

The hot topic of the year, Cyber Security, just got hotter. In fact the cyber fallout from the hacking of Mossack Fonseca has yet to descend as the world is still...


Board Oversight of FSB/CIF Regulated Entities

1 October 2015

Sitting on the board of a Fund Services Business (“FSB”) or a certified Collective Investment Fund (“CIF”) regulated entity, as a director who is independent...


Cyber Security

The hot topic of the year, Cyber Security, just got hotter. In fact the cyber fallout from the hacking of Mossack Fonseca has yet to descend as the world is still experiencing the media shock waves arising from the information that was stolen and delivered to the international investigative journalists. 

Those of us that have been involved with corporate structuring during our long careers sit in wonder at the naïve ill-informed commentary flowing throughout the press. Reporters seeming to have no grasp of the difference between a straight forward public investment fund established in a jurisdiction with a sophisticated, robust legal and fiscal environment, compared to an arcane private, multiple layered asset ownership scheme designed to hide away the ill-gotten gains of corrupt potentates by using entities in jurisdictions where secrecy is second nature and the rule of law somewhat underdeveloped.

But the issue no-one seems to be focussing on is who targeted and hacked the Mossack Fonseca servers and how were they able to do so?

This should be extremely worrying for all of us both personally and professionally. The right to confidentiality about our individual and professional affairs of a personal and financial nature is enshrined in most cultures, with the first world governments legislating to protect the data of their citizens. The recent US court battle between the FBI and Apple illustrates just how seriously the personal right to privacy is taken. 

As directors, we have a responsibility to consider all the risks to the companies we act for and take measures to mitigate against them. In ranking those risks, the norm is to consider the potential impact on the business and the likelihood of them arising so that appropriate resources are directed to those with the highest score. I would suggest that all boards should now review their assessment of cyber security, risk rate the likelihood of an attack at the highest level and initiate a management shake-up of their IT security procedures.

The UK Government advice on cyber risk management suggests the following key questions need to be asked by boards.

How confident are we that our company’s most important information is being properly managed and is safe from cyber threats?   

Are we clear that the board are likely to be key targets?

Do we have a full and accurate picture of:

  • The impact on our company’s reputation, share price or existence if sensitive internal or customer information held by the company was to be lost or stolen?
  • The impact on the business if our online services were disrupted for a short or sustained period?

Do we receive regular intelligence from the Chief Information Officer / Head of Security on who may be targeting our company, their methods and their motivations?

Do we encourage our technical staff to enter into information-sharing exchanges with other companies in our sector and/or across the economy in order to benchmark, learn from others and help identify emerging threats?

The cyber security risk impacts share value, mergers, pricing, reputation, culture, staff, information, process control, brand, technology, and finance. Are we confident that:

  • We have identified our key information assets and thoroughly assessed their vulnerability to attack?
  • Responsibility for the cyber risk has been allocated appropriately? Is it on the risk register?
  • We have a written information security policy in place, which is championed by us and supported through regular staff training? Are we confident that the entire workforce understands and follows it?

Clearly, as independent directors without executive responsibility, it is not our role to become hands on with the operational aspects, which normally sit in the hands of the administration firms engaged by our client companies. So what might we do to answer the above questions for ourselves?

It would seem prudent for client company boards to request details of the IT and cyber security environment in place at the administration firms they use and look for good and poor practices that will either elicit the confidence being sought or flag areas that you can task the executive management to improve.

The following extract from a recent KPMG presentation provides a useful foundation on which to base an assessment of the maturity of a firm’s cyber environment.

Cyber Maturity Area

Good practice

Poor practice

Leadership & Governance

Good awareness of cyber issues at executive committee level

Security is seen as an IT issue and one that adds cost rather than as a business enabler

Human Factors

Information security training programme in place

Poor remote working practices with staff using their own devices

Information Risk Management

Good use of confidentiality agreements and NDAs to protect sensitive information

No understanding of information assets and owners

Business Continuity & Crisis Management

The business continuity plan is tested annually

The business continuity scenario planning does not include cyber attack

Operation & Technology

Vulnerability assessments / penetration tests carried out with remediation plans

Most staff have “administrator” rights on their laptops / desktops

Legal & Compliance

Have insurance to cover a cyber event

Little assurance as to where regulatory compliance is happening and where not

Boards need to develop an understanding of the practices in place and form a view on whether they warrant further investigation. How questions are framed and raised to provide them with the necessary insight will depend on the nature and situation of each company and the relationship with the administrator and the client.

Should any director be provided with a more detailed document on an administrator’s IT / Cyber Security Policies & Procedures, then test it against the following 10 steps of cyber security published by the UK Government. If all are clear, present and appear to be properly addressed by the document then that will be a great comfort but if there are any that are absent or have been glossed over, or received only superficial attention then that could indicate an area worthy of further board interrogation.

  1. Information Risk Management Regime
  2. Secure Configuration
  3. Network Security
  4. Manage User Privileges
  5. User Education & Awareness
  6. Incident Management
  7. Malware Prevention
  8. Monitoring
  9. Removable Media Controls
  10. Home & Mobile Working

A useful summary of the issues underlying each step can be found via the link below but to indicate why you might want to click on it, I will quote from its introduction.

“In GCHQ we continue to see real threats to the UK on a daily basis, and the scale and rate of these attacks shows little sign of abating. The BIS 2014 Information Security Breaches Survey reported that 81% of large organisations had experienced a security breach of some sort. This costs each organisation, on average, between £600,000 and £1.5 million.”

Early in 2015 further warnings and guidance were published on common cyber-attacks to further raise awareness to the nation of the threat. The graphic below provides a useful at-a-glance briefing.

Common Cyber Attacks

Click to enlarge

At present we can only speculate at what the motivations and goals of those who breached Mossack Fonseca’s cyber security are or who their sponsors might be and we may never find out. There can now be no doubt, however, that financial services firms in the offshore world are under attack by politically driven ‘hacktivists’ and boards need to provide the correct level of strategic focus to facilitate the raising of the cyber defences of their companies.


Stephen Kearns