
Paradise in the Boardroom

OK, I’m officially a bit miffed. I have felt like a bit of a Cassandra in recent years, writing repeatedly about the importance of data governance and cyber security - to the extent that over the past year I have sometimes avoided the topic in this column even when it’s been appropriate - so here’s something I wrote in July 2014 following the Kleinwort Benson Jersey leak:

“In the light of the latest leak in Jersey, which follows on from similar leaks in Switzerland, Singapore and the BVI, it is obvious that offshore banks, CSPs, lawyers and accountants are being specifically targeted. The UK HMRC and the US IRS have both indicated their desire to receive stolen data which might help their tax investigations, and the International Consortium of Investigative Journalists is similarly keen to receive confidential data about offshore accounts. The Isle of Man has been fortunate so far in that little confidential data has reached the public domain, but it is clearly an attractive target for the snoopers.

A leak of confidential data from an Isle of Man bank or fiduciary service provider would be very damaging for both the source company and the island as a whole; it would inevitably undo recent good work by the financial services community and the government, and re-establish a widespread perception of the island as a tax haven.”

As most of us who work in IT leadership and Information Security on the island can attest, despite Jersey, Panama and assorted other high-profile leaks, the island’s boardrooms have failed to grasp the reality of the risk or the severity of the consequences of a major loss of confidential data. Some companies are taking GDPR compliance seriously, but too many boardrooms remain focused on IFRS, FATCA, CRS, KYC and other regulatory requirements without facing up to the clear and ever-present danger which a major data leak represents, not only for their business but also for the rest of the Isle of Man’s primary business sectors.

A rap on the knuckles or a fine from a regulator is one thing, but the loss of the company is quite another. It is a primary duty of directors to ensure the success of the company, and the Paradise Papers have brought into stark focus the reality of the risk taken by company boards who fail to recognise that protecting their confidential data is far more important than mere regulatory compliance. Michael Dunkley, who was Premier of Bermuda until July this year, has recently stated “this is an Appleby matter and sadly because of how badly they handled the hack I suggest that they will not be a viable entity going forward”. Sadly he may be correct; I hope he is not, but realistically the brand looks like a dead duck walking, and at best the business will likely see significant contraction.

For the rest of us, we’ll have to wait and see how the widespread opprobrium towards the Isle of Man and other offshore centres plays out. It’s already not looking good; the loss of Appleby and Estera, and the decimation of some of the suppliers and partners in their value chains, may prove to be small beer in the overall scale of damage to the Isle of Man economy. It is difficult to overstate just how serious the consequences of the Paradise Papers could be, but I’m hoping we will get off lightly.

Companies are controlled by directors. As a Chartered Director I am personally acutely aware of my responsibilities and periodically attend Directors’ Briefings presented by accountants, lawyers and compliance professionals. The latest thinking and requirements on financial reporting, KYC, money laundering, tax information exchange etc. are thrust down our throats by these advisory professionals, and some of them have been clambering, albeit generally inexpertly, onto the data protection bandwagon in the light of GDPR; but most boardrooms receive little guidance about, and have meagre expertise in, information security or IT.

An independent global survey of over 4,500 companies by RezRez Research in 2012 established that the value of their digital information represented on average c. 49% of the value of those companies, i.e. the digital data asset base is basically half the value of a typical business. Global IT security company Symantec claims that digital intellectual property represents c. 70% of the value of the typical company in the USA. Data is the single most valuable asset in most businesses, and losing it is generally catastrophic. Losing confidential customer data to a hostile party who is going to publicise it or exploit it against the interests of the data loss victim is clearly even more damaging: the loss of customer confidence can of itself have a major impact on the viability of a business.

In the light of the value of data, and the potential damage caused by loss or leakage of that data to a hostile party, it is clearly the duty of every board, and every director, to ensure that they are confident in their organisation’s ability and actions to protect that data.

So, hands up please! Which of you directors reading this column regularly attends directorial briefings about the current state of play in information security and feels adequately equipped to challenge your IT managers or suppliers about the measures they take to protect your data? Which of you has commissioned independent expert external assessment and audit of your organisation’s information security measures, and engaged ethical hackers to “red team” your defences to expose vulnerabilities? Which of you has asked your IT management or suppliers whether they have had these things done on behalf of the company?

If I gathered all of the island’s company directors and IT managers together in a hall and asked these questions, the show of hands would be pretty paltry. I know some companies on the Isle of Man have had independent infosec audits and penetration tests, but in reality very few have, and generally not with sufficient frequency. The IT vulnerability landscape is constantly changing as the bad guys discover new techniques and IT weaknesses; it’s probably not unfair to say that information security auditing and external testing should be at least annual for any company holding confidential data, and at least quarterly for banks and other deposit takers. That may sound onerous, and we are accustomed to living in a very safe place on the Isle of Man, but most of us these days do ensure that our houses and offices are secure when unattended (some of us even lock our cars!). Checking the security of information systems every few months is a sensible thing to do.

I expect that the directors of the organisations whose data was illicitly obtained to form the Paradise Papers were comfortable that they had no known inadequacies in their information security measures, because if they had known of any they would probably have told their IT people to get them fixed as a matter of urgency; that comfortable belief is probably shared by most company boards on the island. A major part of the problem arises simply because most organisational leaders do not have sufficient knowledge or awareness of the nature of information risks to provide adequate leadership to their organisations in respect of protecting their data.

This has to change. Any board of an entity holding personal data where at least one director does not regularly challenge management to evidence the adequacy of their information security, with independent expert verification, is probably negligent and failing in its duty of care. Lots of directors and risk management professionals have got quite tense in recent months about the implications of the supposedly large penalties associated with GDPR, but realistically a regulatory fine of a few million Euros, or up to 4% of global turnover, is peanuts in comparison with the possible collapse of the business. Boards of directors should not need regulatory pressure to ensure that their primary concern is the survival of the business, and protecting their organisations’ most valuable assets is integral to survival.