Fraud and fraud investigation

Published in World Commerce Review – September 2015

By Anna Chan, Membership Director – ISACA Bermuda

As a jurisdiction, Bermuda was an early adopter of e-commerce and electronic transactions legislation. To the many leading international organisations present on its shores, Bermuda provides a sophisticated technology infrastructure that includes several fibre optic cables connecting the Island to the rest of the world, a full complement of IT services and support, reliable redundancy capability, cloud and digital certificate services, and disaster recovery services. These ICT offerings are key to the country’s economy, providing it with the essential tools that allow business to be securely and successfully transacted locally and overseas.

Known as the ‘wired island,’ Bermuda has fostered a booming e-business environment, evidenced by its success stories. Bermuda is home to leaders in security and payment processing, with these local companies going on to become recognised front-runners who ably deliver services to global customer bases, including some European governments.

Bermuda is also home to a significant number of multi-billion dollar insurance, banking and other kinds of business ventures and so data protection and security are critical. The Bermuda Government takes security seriously and believes that privacy and security go hand in hand. It has developed a strong relationship with the Island’s private sector, working closely with the companies in the Island’s technology and professional services sectors to remain abreast of relevant progress, and active in ensuring that the Island remains a security-friendly jurisdiction.

On the security side, the Government has a digital certificate programme in place and manages its own digital certificate authority. It is also currently working on comprehensive privacy legislation designed to protect personal information. Such legislation is also intended to help to combat cybercrime and to protect personal information and data as it flows to, from and through the Island.

Work on data security is continuous within both the Government and the industry realms. The Island works to ensure that all parts of the local community are comfortable with technology and familiar with the importance of data security at home, at school, and at work.

Through the Department of E-Commerce, the Bermuda Government’s Ministry of Economic Development strives, among other things, to:

  • Provide opportunities for technology education, mentoring and training, as well as encourage opportunities for education through technological means.
  • Promote Bermuda as a sophisticated and security conscious technology and e-business jurisdiction, in order to continue to maintain and attract international business to Bermuda.

To further these objectives, the Department of E-Commerce supports the TechTalk initiative in conjunction with ISACA Bermuda and the Business Technology Division of the Bermuda Chamber of Commerce. This program is designed to create a forum for professionals to meet with industry leaders and exchange insights on topics that are relevant to technology governance, strategy, and risk management.

The initiative, now in its second year, has partnered with regulatory authorities, government agencies, leading global organizations, professional services firms and local businesses to enable leading experts and professionals to share their knowledge on a variety of topics. Quarterly panel discussions are held and recent topics have included:

  • Information/Cyber Security
  • Business Continuity and Disaster Recovery
  • Bring Your Own Device
  • Business Intelligence/Data Analytics

Fraud and fraud investigation

Worldwide, cybercriminals are successfully targeting organizations of all sizes across all industry sectors. Recent media reports make clear that attacks are becoming increasingly sophisticated and more frequent, and that their consequences are more dire. The average cost of the worst single breach suffered by organizations surveyed in 2015 was $2.28 million, according to the Information Security Breaches Survey 2015.

There is broad agreement that it is not enough to focus on defending an organisation’s digital perimeter with technologies such as intrusion detection and data loss prevention. Effort should also go into limiting the consequences of breaches that will, in practice, eventually occur and that are likely to affect infrastructure systems and compromise key data.

An incident-response (IR) plan guides the response to such breaches. Its primary objective is to manage a cybersecurity incident in a way that limits damage, maintains the confidence of external stakeholders, and reduces recovery time and costs.

A recent TechTalk, entitled Fraud and Fraud Investigation, gathered several experts in the area to discuss the topic:

Mathew Clingerman (MC), Managing Director – KRyS Global

Brett Henshilwood (BH), Partner, Enterprise Risk Management – Deloitte Ltd.

Jeffrey Lawrence (JL), Detective Constable – Bermuda Police Service

Henry Komansky (HK), Group Head of Anti-Money Laundering – Clarien Bank Limited

Shan Senanayake (SS), President – ISACA Bermuda Chapter

Facilitating the event was Sheridan Smith, Director of Management Services and IT at the Bermuda Monetary Authority (the BMA). He kicked off the event by stating that computer fraud is a major threat to businesses, banks, government and individuals. Cybercrime impacts data security, and while we are fully aware that it cannot be ignored, it is always challenging to try to stay ahead of the ‘bad guys’.

How do you stay ahead of the game?

BH Through the lens of audit, staying ahead of the game means having a clear understanding of fraud risks and associated controls and analysis of the effectiveness of these controls – in particular, segregation of duties is key. For instance, changing environments, like the mergers and acquisitions activity we are currently seeing in the reinsurance sector on the Island, may create challenges for employees. These challenges can increase the risk of fraud.

JL To prevent fraud, organizations must develop a culture of honesty. It is no secret that staff take their cues from how senior management behaves, which is why this has become known as ‘setting the tone at the top’.

How are we responding to fraud and related incidents?

MC From the asset recovery perspective, a critical element of the response is to make sure that parties are capturing and preserving relevant electronic evidence as soon after the discovery of a fraud as is practical. That should help to avoid spoliation and to reduce potential loss of important artefacts.

When evidence from a third party is not provided voluntarily, particularly in an international case, it may be necessary to consider what legal avenues are available to compel the production of that information.

SS Practitioners look at timelines and electronic evidence. Increased attention is placed on detecting fraud, minimizing risks and monitoring areas of high risk. However, with so many technical controls, we cannot forget the people aspect to fraud.

What are the red flags that we should all look for?

MC People should be careful not to view any one flag as an indicator in and of itself. Oftentimes, it is necessary to consider the picture that emerges when one examines an aggregate of indicators. Examples of this are negative results from background checks or searches of open-source intelligence, changes in key service providers, unexplained related-party transactions, and inconsistencies in information provided by a party.

BH People missing deadlines and delays in the delivery of requested data can be a red flag. Hotlines provide staff with an anonymous way of raising concerns and internal tips are still the most common source driving the discovery of fraud.

SS Subtle behaviours can also be a warning sign, like disgruntled employees and low morale.

HK Sudden changes in lifestyle, e.g. employees coming to work in expensive suits. Also, an unwillingness to cooperate is often a sign that something is wrong.

What can we do proactively to prevent incidences from happening?

BH Appropriate user provisioning and providing least privilege is a good starting point. Segregation of duties must also be monitored and frequently tested.

JL Internal controls are an effective tool in preventing fraud, but when these controls make it too difficult for staff to complete their work, they will develop a workaround. These workarounds are extremely susceptible to fraud and it’s usually through them that fraud is committed.

Therefore, organizations need to identify where staff members are developing workarounds – and why. It is usually more productive to re-design the internal controls than to try and enforce a control that is too cumbersome.

SS Treat IT employees as regular staff with normal access. If someone has elevated privileges, they must log in with the proper access ID. No group accounts should be normalized.

How do you monitor and test the effectiveness of controls?

MC Internal auditing is key. If you are not checking, then you don’t know. Actual walk-throughs are necessary to get enough assurance that what is supposed to be happening is actually happening.

BH Appropriate ownership of controls must be with the right people. Often, this is a combination of the business and IT functions. Management is ultimately responsible for controls. The second line of defence would be the risk management and compliance functions, followed by internal audit.

What should small local firms be aware of?

MC Local firms should keep in mind that when it comes to fraud and cyber-crime, protecting Bermuda’s reputation is the business community’s collective responsibility. An incident affecting one local firm could affect the reputation of the island as a whole. If existing or potential businesses don’t feel that their assets and information are safe in Bermuda, they may go elsewhere.

JL From a legal perspective, firms should be aware of the difference between civil and criminal law. Criminal Law is used to punish offenders by putting them in jail or issuing fines that are paid to the government. Civil law is used by companies and individuals to recover financial losses and be compensated for damages suffered. This raises two points:

1) In order for the police to become involved in a fraud incident, a crime, as defined in law, must have been committed, and

2) The role of the Bermuda Police Service is limited to the criminal justice system. This means that our primary objective is to put offenders before the courts with an eye towards imprisonment and/or a fine; not to recover your lost assets.

BH Prevention starts from within. You cannot understate education: staff awareness programs are critical.

HK Current Bermuda laws are continuously reviewed to ensure that they provide a good framework for regulators to work with. It is better to have laws and not need to use them than to not have them when you need them.

MC Processes, controls and technology can be great assets in fraud prevention. However, exercising professional skepticism and applying common sense should not be overlooked. If something seems out of the ordinary, it is important to ask why and to obtain a fuller understanding.

SS Be mindful of senior management members who abuse their position in the organization by bypassing controls. I’ve seen situations where IT will not question management based on intimidation and lack of an appropriate reporting chain.

BH Management is also responsible for ensuring that third parties (trading partners, for instance, whether locally or overseas) are in line with the organization’s culture.

How do you bridge the gap between business and IT controls?

BH Management needs to ensure that there is appropriate ownership, oversight and monitoring of systems in addition to IT controls. For example, database administrators can easily make major changes to data and these changes could include account numbers and passwords. It is therefore crucial that robust change management controls are in place to enable an organization to have visibility and control over changes.

SS Monitoring changes, access, and shared accounts are all essential. So is putting in place dual approvals for anything that is material. Last but not least, it is essential for an organisation to follow an appropriate chain of command between business and IT.
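The three IT controls the panel keeps returning to (segregation of duties, no shared or group accounts, and dual approval of material changes) are all things an internal auditor can test mechanically rather than by interview. The block below is an added example written for this page; it is not code from the panelists, ISACA Bermuda or any of the firms named above. The entitlement names, the segregation-of-duties conflict matrix, the login-log format and the change tickets are all constructed for illustration, and a real review would substitute the organisation's own entitlement export, authentication logs and change-management records.

```python
"""
Added example (not from the article or the panel): three control checks an
internal auditor could run over exported data. All inputs are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed SoD matrix: pairs of entitlements one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"wire.initiate", "wire.approve"}),
    frozenset({"db.change", "change.approve"}),
}

# Assumed user -> entitlement export (constructed).
ASSIGNMENTS = {
    "alice": {"vendor.create", "invoice.enter"},
    "bob": {"vendor.create", "payment.approve"},   # can create a vendor and pay it
    "carol": {"db.change", "change.approve"},      # DBA who can approve her own changes
    "dave": {"wire.initiate"},
}

def sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return {user: [conflicting entitlement pairs]} for users holding a toxic pair."""
    out = {}
    for user, ents in assignments.items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= ents]
        if hits:
            out[user] = sorted(hits)
    return out

# Constructed authentication log; "dbadmin" is a generic account several people share.
AUTH_LOG = """\
2015-09-01T08:01:10 LOGIN user=dbadmin src=10.0.4.12 result=success
2015-09-01T08:03:42 LOGIN user=dbadmin src=10.0.7.201 result=success
2015-09-01T08:05:15 LOGIN user=dbadmin src=10.0.9.33 result=success
2015-09-01T08:10:00 LOGIN user=alice src=10.0.4.12 result=success
2015-09-01T09:30:00 LOGIN user=alice src=10.0.4.12 result=success
2015-09-01T12:00:00 LOGIN user=dbadmin src=10.0.4.12 result=success
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_auth_log(text):
    """Yield (timestamp, user, source) for successful logins; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m["result"] == "success":
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events

def shared_account_candidates(text, window=timedelta(minutes=10), min_sources=3):
    """Flag accounts logged in from >= min_sources distinct addresses within `window`.
    A named individual rarely does that; a shared or group account routinely does."""
    by_user = defaultdict(list)
    for ts, user, src in sorted(parse_auth_log(text)):
        by_user[user].append((ts, src))
    flagged = set()
    for user, events in by_user.items():
        for i, (ts, _) in enumerate(events):
            recent = {src for t, src in events[: i + 1] if ts - t <= window}
            if len(recent) >= min_sources:
                flagged.add(user)
                break
    return sorted(flagged)

# Constructed change tickets and privileged database changes (assumed format).
CHANGE_TICKETS = {
    "CHG-1001": {"requester": "carol", "approvers": {"erin", "frank"}},
    "CHG-1002": {"requester": "carol", "approvers": {"carol"}},   # self-approved
}
PRIV_CHANGES = [
    {"user": "carol", "action": "UPDATE accounts SET iban=...", "ticket": "CHG-1001"},
    {"user": "carol", "action": "ALTER TABLE users ...", "ticket": "CHG-1002"},
    {"user": "dbadmin", "action": "UPDATE users SET password_hash=...", "ticket": None},
]

def unapproved_changes(changes, tickets, min_approvers=2):
    """Return (user, ticket, reason) for changes lacking independent dual approval."""
    findings = []
    for c in changes:
        tid = c.get("ticket")
        if not tid:
            findings.append((c["user"], None, "no change ticket"))
            continue
        t = tickets.get(tid)
        if t is None:
            findings.append((c["user"], tid, "unknown ticket"))
        elif t["requester"] in t["approvers"]:
            findings.append((c["user"], tid, "requester approved own change"))
        elif len(t["approvers"] - {t["requester"]}) < min_approvers:
            findings.append((c["user"], tid, f"fewer than {min_approvers} independent approvers"))
    return findings

if __name__ == "__main__":
    print("SoD violations:", sod_violations(ASSIGNMENTS))
    print("Shared-account candidates:", shared_account_candidates(AUTH_LOG))
    print("Unapproved privileged changes:", unapproved_changes(PRIV_CHANGES, CHANGE_TICKETS))
```

Each check is deliberately conservative: a user is only reported when both halves of a toxic pair are actually assigned, an account is only flagged when several distinct addresses appear inside one short window, and a change is only reported when its ticket is missing, unknown, self-approved or short of independent approvers. That keeps the output to items an auditor can walk through with the control owner, which is what the panel means by confirming that what is supposed to be happening is actually happening.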

Closing remarks

BH Take time to thoroughly understand risks and associated controls. Test your systems frequently. Stay current and assess how environmental factors are impacting your fraud risk, i.e. the economy, any mergers and acquisitions activity, any job insecurity.

HK Ask questions often. Always be sceptical. Be mindful if people are relentless.

MC Culture and training are key. Individuals cannot assume that someone else will say something. Everyone needs to take responsibility for raising concerns to the appropriate reporting officers and/or authorities if they notice suspicious behaviour.

JL Timeliness is key; accuracy gets blurred with each passing second.

SS Cutting corners will often cost an organisation dearly in the long run. Organisations must set priorities on the valuable properties and protect them appropriately.