Exclusive Q&A on Fraud and White Collar Crime with Jeremy Scott-Mackenzie

Have There Been Any Recent Regulatory Changes Or Interesting Developments?

Whilst cyber-crime, such as the theft of personal data, is badly under-reported across Asia Pacific, there is slow legislative movement to address how companies handle these incidents.
 
As an example, the Australian government has just issued an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015.  This would require notification to the regulator and potentially affected individuals where there has been a more serious data breach.  In many cyber fraud incidences, there is not only the loss of corporate assets, but customer or employee data is often compromised, and so we expect that not only will we see an increase in awareness of these frauds but many companies are reviewing and formalising processes to handle such incidents.

Can You Outline The Key Fraud And White Collar Crime Trends In Your Jurisdiction?

We are seeing cyber-crime as the emerging trend that causes us the most concern.

It would appear that cyber-crime is badly under-reported and much of the analysis is focused upon cases such as the theft of personal data at major companies, such as the 2014 cyber-attack of Target.  However, it is SMEs that are often the most at risk as they are unlikely to have the infrastructure or personnel to respond.  A recent incident that we have seen has highlighted this.  In this matter a staff member opened an email with ‘crypto-locker’.  This software encrypted all of the business’ data unless certain payment was made.  The result is that the SME was unable to trade until the crypto-lock was dealt with.
 
The key learning in this case was that the SME had a relationship with their insurer that provided the relevant IT expertise to advise on how to deal with the crypto-locker and to meet the costs associated with the business interruption.

Can You Explain How Whistleblowing Works In Your Jurisdiction With Reference To Incentives And Protection?

Asia Pacific has not advanced on the use of whistleblowing at the same rate as many other regions.  In a recent survey, almost half of respondents said they were not prepared to use a whistleblower hotline as many employees in the region are concerned whether any report will be confidential and whether the legal protections available are sufficient.
 
Not only is there reticence from employees, but companies within Asia Pacific have been slow to adopt whistleblower hotlines, with almost half of companies in the region not yet implementing them.

How Can Data And Analytics Be Utilised For A More Effective Risk Management Procedure? What Else Should Be Included In A Company’s Risk Management Framework?

Risk management should really begin at board level and not just be considered an IT or compliance issue.  Once the board has embraced the importance of managing cyber risk, then this can be driven across all parts of the business through a holistic approach to risk management, including risk mitigation and loss response.  Whilst we often work with our clients on reviewing detection and procedures to prevent fraud, it is all too often that too little focus is placed on response plans for when fraud occurs. 
 
The response that many fraud experts offer when asked about the possibility of a major fraud occurring is “it is not if, but when”.  Given this bleak view, companies should consider implementing a response plan to deal with a major fraud.  Key to this will be what legal, forensic accounting, public relations and insurance advisors will be engaged.
 
Once in place, such response planning should be tested annually through the use of table top exercises to identify gaps in the plan.

What Advice Would You Give To An Organisation Undertaking An Internal Investigation When Serious Misconduct Is Suspected?

There is often a complex mix of legal, employee and other commercial considerations that may need to be considered in balancing how the company conducts the investigation.  In most cases, the company should engage external advisers, including legal, forensic accounting, public relations and insurance advisors.
 
However, ownership must be retained and driven by the company’s executive.  Far too often, it would appear that there is not sufficient executive ownership where there is serious misconduct suspected and, all too often, the company’s executive only become involved when the matter has become public.

Can You Talk Us Through The Process Of Damage Limitation For An Organisation Whose Cybersecurity Has Been Breached?

When discussing response, the key to success is to rapidly engage professionals to determine whether a breach has occurred and to complete a preliminary assessment so that a loss control process can be quickly mapped out.  For those businesses that have purchased cyber insurance, their insurer should be able to provide professionals that can offer quick solutions and rectification, often meaning the damage can be mitigated.
 
The preliminary assessment should be completed as quickly as possible, particularly if there may have been a data theft.  Key questions include:

• What is the data, and does it contain third party and/or personal data?
• What is the likelihood of disclosure?
• If the data is disclosed, what are the potential commercial and legal damages?
• What other losses, such as business interruption, reputational damage or potential extortion, could be incurred?
• Are there legal obligations to notify regulators or third parties that need to be considered?

Only at this point can a company formulate a full strategy to limit damage.  In a number of examples we have seen, the damage to the company has not necessarily been legal, but rather the reputational damage caused by not being forthright with third parties whose data has been compromised.
 
In terms of the legal requirements, the latest Australian exposure draft of the Privacy Amendment Bill has identified that affected third parties must be notified as soon as practicable and no longer than 30 days after discovery.
 
Once the organisation has established the scope of the loss, a review should be completed to improve the organisation’s cyber risk management and improve the company’s resilience in the event of future matters.  It is all too often that an organisation suffers further breaches, having not learned the lesson the first time.

How Can Understanding The Different Types Of Cyber-Criminal Profiles And Motives Help To Identify Which Resources And Assets Need The Most Protection, And How To Effectively Protect Them?

The motives and perpetrators are many and varied and thus understanding your own business and its risk management framework is often easier to grapple with rather than concentrating on understanding the potential perpetrators.
 
AIG’s experience is that losses are often due to staff error or rogue employees, but there is a growing concern that criminals are exploiting businesses’ reliance upon technology.
 
Businesses should be across the latest threats and attacks that are occurring, and we find educating employees can be a key differentiator in risk management.  An understanding of breaches that have occurred within the organisation’s industry is a good way of monitoring the important assets that may be vulnerable and to provide concrete examples when reviewing the organisations risk management framework.  

Jeremy Scott-Mackenzie is the Regional Commercial Institutions Manager – Financial Lines, at AIG Australia. He is a leading authority in his field and is responsible for the strategic development of AIG’s Commercial Crime and Directors & Officers Liability insurance portfolio across Australasia, having been with AIG for over 10 years in a variety of roles across the Asia Pacific region. He is a member of the Australian Institute of Company Directors and the National President of the Australian Professional Indemnity Group, Inc.

Jeremy can be contacted on +61 2 9240 1712 or by email at jeremy.scott-mackenzie@aig.com