
News round-up, A&R magazine, Sep/Oct 22

Law Commission proposes stronger corporate crime laws

The UK may make it easier for executives and senior managers to be held directly accountable for corporate crimes, including fraud and human rights abuses.

In November 2020 the UK government asked the Law Commission to explore ways to reform corporate crime laws to make it easier to prosecute companies and senior officers.

On 10 June the Law Commission submitted ten options. These included allowing conduct to be attributed to a corporation if a member of its senior management engaged in, consented to, or connived in the offence. This could be drafted so that chief executive officers and chief financial officers are always considered to be part of an organisation’s senior management.

Other possibilities include introducing an offence of failure to prevent fraud by an employee or agent, as well as offences of failure to prevent human rights abuses, ill-treatment or neglect, and computer misuse.

The Law Commission has also proposed a requirement for large corporations to report on their anti-fraud procedures, and for companies to publish details of any convictions.


Expect a rise in AI and legal disputes

Companies plan to invest more in artificial intelligence (AI) and other technologies in the next few years, but most fear that legal disputes over its use and implementation will increase.

According to a survey of over 500 corporate counsel, risk managers, IT specialists and compliance professionals conducted by law firm CMS, 50 per cent of respondents believe that the use of AI technologies will create risks and disputes that cannot be foreseen now. More than half (56 per cent) expect AI to be a leading source of increased disputes.

The report, Technology Transformation: Managing Risks in a Changing Landscape, found that the main sources of disputes in the past three years were compliance and regulatory issues (cited by 65 per cent of respondents), performance/service level and outsourcing disputes (61 per cent), intellectual property and trade secrets (52 per cent), and software licensing disputes (51 per cent).

However, over the next three years, 76 per cent of respondents said they expect compliance and regulatory disputes to decrease, while two-thirds (67 per cent) expect cyber breach disputes to decline and 62 per cent expect IT performance or service levels disputes to decrease. 

Macroeconomic problems top emerging risks

Concern about a macroeconomic downturn has rapidly become the foremost emerging risk facing organisations, according to Gartner’s latest global Emerging Risks Report.

The survey, based on responses from 306 executives and risk management professionals and conducted in the second quarter of 2022, identified the other top emerging risks as escalation of conflict in Europe, state-sponsored cyber attacks, energy price inflation and material shortages.


New guide to proposed Resilience Statement

Accountancy body the ICAEW has issued guidance to help the UK’s largest companies prepare the annual “resilience statement” proposed by the UK government to improve corporate governance after a series of high-profile corporate collapses.

The government is expected to publish a draft bill on the reforms later this year and new legislation is likely to be published in 2023.

The resilience statement will probably subsume existing going concern and viability statements. Company directors will have to report on matters that they believe to be material and explain how they have arrived at this judgment.

Directors will have to disclose how the company is addressing risks or resilience issues, including threats to business continuity, supply chain and cyber security.

The new legislation will include the requirement for at least one reverse stress test, according to the nature, size and complexity of each business, to be chosen by the company and outlined within the statement.


Data breaches add to inflationary pressures

A rise in data breach costs of nearly 13 per cent over the past two years may be contributing to rapidly increasing costs of goods and services, according to IT specialist IBM Security’s Cost of a Data Breach Report.

IBM found that 60 per cent of the organisations studied had raised their product or service prices because of the costs of a breach, and that 83 per cent of the organisations studied had experienced more than one data breach. The after-effects of a breach escalated over time: nearly 50 per cent of breach costs were incurred more than a year after the breach occurred.

The research also emphasised that paying ransomware attackers does not save money. Ransomware victims in the study who paid the ransom incurred average breach costs only US$610,000 lower than those who did not pay, and that figure does not include the cost of the ransom itself.


World unprepared for magnitude of climate risks

Governments and businesses are not preparing effectively for changing environmental risks, according to a new report from risk specialists Verisk Maplecroft. The Environmental Risk Outlook 2022 report says that “civil unrest, political instability, food insecurity, mass migration and worsening human rights are the baked-in secondary impacts of climate change, but you wouldn’t know that from the undercooked approach of governments and business.”

While Africa’s and Asia’s developing economies will bear the brunt of the impacts, economically and geopolitically strategic nations such as Brazil, Mexico, Vietnam and Russia are also in a dangerous position. China could also come under pressure if climate change continues to accelerate. If countries like these succumb to extreme bouts of climate-induced instability, the report warns, the knock-on impacts could overwhelm economies and populations across the globe.

Identifying where these impacts will become most prevalent – and which countries are most at risk – is vital to manage “cascading threats for organisations aiming to reinforce their long-term resilience and for governments looking at external factors threatening their own interests”, the report says.


Ransomware attacks fuelled by failure to report hacks

Risks from ransomware are increasing not only because attacks succeed, but also because few organisations report being hacked or paying to restore their data, which encourages further attempts, according to ENISA, the EU’s cyber security agency.

According to ENISA’s analysis of 623 ransomware incidents across the EU, the UK, and the US between May 2021 and June 2022, about 10 terabytes of data were stolen each month using ransomware, and nearly three-fifths of the stolen information included employees’ personal data. 

In 94.2 per cent of incidents, it is unclear whether the company paid the ransom. However, in over a third of cases, the attackers exposed data when negotiation failed. ENISA said the data is incomplete as many organisations do not make incidents public or report them to the authorities. It is exploring ways to improve reporting. 

The revised Network and Information Security Directive (NIS 2) is expected to change the way cyber security incidents are notified in the EU. The aim is to improve understanding of incidents.

To protect against, and respond to, ransomware attacks, ENISA advises organisations to: keep an up-to-date backup of business files and personal data that is isolated from the network; apply the “3-2-1” rule of backup (three copies, on two different storage media, with one copy offsite); run security software on endpoint devices to detect most ransomware; and restrict administrative privileges and password sharing.

If organisations suffer a ransomware attack, they should quarantine the affected system, refuse to pay the ransom and report the incident to a national cyber security agency. 
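Auditors who want to test the backup advice above against a real inventory can do so mechanically. The Python below is an added illustration, not code from ENISA or from this magazine: it encodes the 3-2-1 rule and the network-isolation requirement as checks over a backup inventory, and runs them over two constructed inventories (the Copy record and its fields are assumptions made for the example). It follows the common reading of the rule in which the production data itself counts as one of the three copies.

```python
"""Check a backup inventory against the "3-2-1" rule plus network isolation.

Added example. The inventories below are constructed for illustration; the
Copy record and its fields are assumptions, not an ENISA data format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    medium: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool      # stored outside the primary site
    isolated: bool     # not reachable from the production network (offline, air-gapped or immutable)
    primary: bool = False  # True for the live production data itself


def evaluate(copies):
    """Return the names of the rules the inventory violates (empty list == compliant).

    Rules checked: three copies in total (production counted), at least two
    distinct storage media, at least one backup offsite, and at least one
    backup isolated from the network so that ransomware on the production
    network cannot reach it.
    """
    backups = [c for c in copies if not c.primary]
    failures = []
    if len(copies) < 3:
        failures.append("three copies")
    if len({c.medium for c in copies}) < 2:
        failures.append("two media")
    if not any(c.offsite for c in backups):
        failures.append("one offsite")
    if not any(c.isolated for c in backups):
        failures.append("isolated copy")
    return failures


def surviving_copies(copies):
    """Names of backups that would still be usable if ransomware encrypted
    everything reachable from the production network: only isolated copies."""
    return [c.name for c in copies if not c.primary and c.isolated]


# Constructed inventory 1: a common setup that looks like "three copies" but is
# all on disk and all reachable from production, so one attack wipes it out.
SAME_SAN = [
    Copy("prod-db", "disk", offsite=False, isolated=False, primary=True),
    Copy("san-snapshot", "disk", offsite=False, isolated=False),
    Copy("dr-replica", "disk", offsite=True, isolated=False),
]

# Constructed inventory 2: tape and immutable object storage, both offsite and
# both unreachable from the production network.
GOOD = [
    Copy("prod-db", "disk", offsite=False, isolated=False, primary=True),
    Copy("nightly-tape", "tape", offsite=True, isolated=True),
    Copy("object-store-immutable", "object-storage", offsite=True, isolated=True),
]

if __name__ == "__main__":
    for label, inv in (("same-SAN", SAME_SAN), ("good", GOOD)):
        print(label, "fails:", evaluate(inv) or "none",
              "| survives ransomware:", surviving_copies(inv) or "nothing")
```

The point the first inventory makes is that copy counts alone are a weak control: the disaster-recovery replica satisfies "offsite" yet shares both the medium and the network path with production, so an attacker who encrypts the primary can encrypt it too.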


Companies fail to act on app security risks

A third of organisations fear a security breach or incident arising from an application that is incompatible with the latest version of Windows, according to a survey of UK and US chief information officers commissioned by tech firm Cloudhouse.

In addition, a quarter of businesses said they were concerned about the risk of breaching regulatory compliance for the same reason.

Despite these fears, a third said they audit their IT assets for security and risk compliance only quarterly or less frequently. Only 30 per cent continually monitor the general security of their IT assets, and a quarter review it quarterly or less frequently.

This article was first published in September 2022.