
Foreign Corruption

Corruption Crack-Down

Governments around the globe step up efforts to wipe out corruption.
October 15, 2013 • 7 min read

Around the world, social pressure against public corruption is resulting in huge demonstrations, investigations and legislation. And that is rebounding on multinationals that face their own pressure to keep business above board while trying to expand in countries where bribery is often necessary to get permits and permission.

A survey of CFOs and board members by Ernst & Young found that 95 percent of the respondents were “very” or “fairly” concerned about the potential liability resulting from fraud and corruption in Latin America, the region that drew the most concern.

Not far below were the Middle East and Africa, at 87 percent, and Central and Eastern Europe, at 84 percent.

While laws are almost universally clear — don’t do it — the risks are increasingly complex, as anti-corruption laws and their enforcement evolve both in the United States and overseas.

In the United States, investigators appear to be scouring industries that traditionally have not attracted notice, according to attorneys and experts in the field.

Retailers have been in the spotlight, for instance, ever since news surfaced in April 2012 of a probe into Wal-Mart. The retail giant is alleged to have paid bribes in Mexico to speed growth there.

Enforcement is intensifying in other countries as well, pushed along by public protests as well as by an anti-bribery convention overseen by the Paris-based Organisation for Economic Co-operation and Development. Forty countries, including Argentina, Russia and South Africa, have signed the OECD convention since it was drafted in 1997.

Today, more than 300 investigations are underway in 24 countries, according to Patrick Moulette, head of the OECD’s anti-corruption division. “It has not doubled from last year or the year before, but it’s 10 or 20 more every year, so maybe this is a positive sign,” said Moulette, who hopes greater attention will spur countries to crack down harder.

Other nations, notably China, are dusting off their own anti-bribery laws, exposing U.S. companies to potentially costly legal action on new fronts.

“It’s very hard to find a country anywhere where bribery is legal,” said Brian Loughman, Americas leader for Fraud Investigation and Dispute Services with Ernst & Young. “The challenge is always, what’s the enforcement like.”

To top it off, foreign prosecutors today are more likely to share information with their U.S. counterparts. “The world is smaller for prosecutors, too,” Loughman said.

For decades, U.S. companies only had to worry about the Foreign Corrupt Practices Act of 1977, or FCPA, which bans bribery of public officials in other countries. American executives often complain they are disadvantaged by the statute, as it does not apply to businesses based outside the United States.

Enforcement eventually prompted stronger controls and tougher policies, but investigators remain aggressive, according to Michael Himmel, an attorney and chair of the litigation and white-collar criminal defense departments at the law firm of Lowenstein Sandler.

“More and more cases are being investigated, and prosecutors are tending to take harder lines,” said Himmel. Over the last five years, he said, investigators have asked companies to open up more of their operations to review. “That’s obviously going to be a greater expense,” he said.

Equal Opportunity Scrutiny

Investigators also seem to be eyeing new sectors, expanding beyond defense, energy and mining to include pharmaceuticals and retail.

It’s a costly occurrence for the probed companies. The ongoing probe into Wal-Mart so far has cost the company more than $150 million, according to company filings with the U.S. Securities and Exchange Commission.

The SEC and the Department of Justice, which enforce the FCPA, do not explicitly target industries, said Timothy P. Peterson, a partner in the Washington, D.C., office of Murphy & McGonigle. But as investigators dig into one company’s operations, they may follow a trail to others in the same sector.

“The real danger for retailers is that when there are very large investigations, the government is going to start to get familiar with how that business works,” Peterson said. “They may, as they get more familiar with the business, decide they want to find more companies that operate in a similar way.”

It’s not just government investigators. Corporate rivals are another source of FCPA-related allegations, said Brett W. Johnson, a partner in the Phoenix office of law firm Snell & Wilmer. Companies may arouse suspicion if they are moving goods or opening stores more quickly than competitors, especially in countries where corruption is considered rife.

“The default is, ‘He’s paying somebody off,’ ” Johnson said.

For retailers, corruption risks extend throughout the supply chain, and they are compounded by the pressure to stock shelves in time to meet buyers’ needs. Bathing suits don’t sell well in November, at least in the northern hemisphere.

“Keeping the supply chain flowing is critical to a retailer, especially one that has any kind of seasonality,” said Randy Stephens, vice president of the Ethical Leadership Group of NAVEX Global Inc., a compliance technology firm based in Portland, Ore.

Foreign customs officials often recognize the time pressure — and the power it can give them to demand bribes, Stephens said.

“If you give them the sense that you’re going to participate in that scheme, at any level, you only open yourself up to more trouble, because you look like somebody who’s going to play that game,” Stephens said.

In addition to training employees and establishing clear policies, retailers need to examine internal incentives, Stephens said. If executives overseas are rewarded solely for growing revenue, opening more stores or hitting other bottom-line goals, they may overstep ethical boundaries.

Compensation should be tied, in part, to actions that avoid fines, penalties or stains on a company’s global reputation, Stephens said.

“You’ve got to be willing to let people make decisions that could negatively impact your supply chain, yet comply with the law.”

Another risk arises from the use of third-party agents, a requirement for doing business in some nations. When those agents pay bribes to expedite deals, the U.S. business is on the hook for any FCPA violations.

As a result, companies seeking overseas growth must know their foreign business partners and regularly audit their operations, as well as know the country’s laws and norms.

What’s legal in one country may not be legal in another. And companies can no longer focus on the FCPA alone, attorneys said.

A Tangled Web of Compliance

The United Kingdom adopted a tough anti-bribery statute in 2011. And Brazil enacted a stringent new law this year, following public protests that coalesced around government corruption. In addition to increased penalties, the law allows companies to be found guilty of bribing public officials. Previously, only individuals could be found guilty of that crime.

“Very few companies today can comply, or attempt to comply, with just one home jurisdiction,” said Michel Léonard, chief economist and senior vice president of Emerging Markets for Alliant. “It’s a bit like antitrust laws. These days, mergers need to be approved in the U.S. and Europe as well.”

Experts said U.S. companies should partner with local attorneys who can train employees, navigate the nuances of a country’s laws, and react quickly to problems.

“You’re not going to have the same processes; you’re not going to have the same protections,” said Joe Martini, co-chair of the White-Collar Defense, Investigations and Corporate Compliance Practice Group at the law firm of Wiggin and Dana.

Given the potential costs of an investigation, specialized insurance coverage is the next step in corporate compliance, said Machua Millett, a senior vice president with Marsh USA Inc. The brokerage firm introduced a specialized product in 2011.

In the past, Millett said, companies sought coverage for FCPA-related expenses under D&O policies. But underwriters and carriers hesitated, due to the size of the potential exposure.

Cooperation with the government does not necessarily lessen the expense. Although Ralph Lauren Corp. voluntarily disclosed bribes made by a subsidiary in Argentina, it still faced a penalty of $882,000.

Companies should focus first on compliance, with insurance as a backstop, Millett said. “At the end of the day, you might be able to show that you acted well.”

Joel Berg is a freelance writer and adjunct writing teacher based in York, Pa. He has covered business and regulatory issues. He can be reached at [email protected]

More from Risk & Insurance


Cyber Resilience

No, Seriously. You Need a Comprehensive Cyber Incident Response Plan Before It’s Too Late.

Awareness of cyber risk is increasing, but some companies may be neglecting to prepare adequate response plans that could save them millions. 
June 1, 2018 • 7 min read

To minimize the financial and reputational damage from a cyber attack, it is absolutely critical that businesses have a cyber incident response plan.

“Sadly, not all yet do,” said David Legassick, head of life sciences, tech and cyber, CNA Hardy.

In the event of a breach, a company must be able to quickly identify and contain the problem, assess the level of impact, communicate internally and externally, recover where possible any lost data or functionality needed to resume business operations and act quickly to manage potential reputational risk.

This can only be achieved with help from the right external experts and the design and practice of a well-honed internal response.

The first step a company must take, said Legassick, is to understand its cyber exposures through asset identification, classification, risk assessment and protection measures, both technological and human.

According to Raf Sanchez, international breach response manager, Beazley, cyber-response plans should be flexible and applicable to a wide range of incidents, “not just a list of consecutive steps.”

They also should bring together key stakeholders and specify end goals.

With bad actors becoming increasingly sophisticated and often acting in groups, attack vectors can hit companies from multiple angles simultaneously, meaning a holistic approach is essential, agreed Jason J. Hogg, CEO, Aon Cyber Solutions.

“Collaboration is key — you have to take silos down and work in a cross-functional manner.”

This means assembling a response team including individuals from IT, legal, operations, risk management, HR, finance and the board — each of whom must be well drilled in their responsibilities in the event of a breach.

“You can’t pick your players on the day of the game,” said Hogg. “Response times are critical, so speed and timing are of the essence. You should also have a very clear communication plan to keep the CEO and board of directors informed of recommended courses of action and timing expectations.”

People on the incident response team must have sufficient technical skills and access to critical third parties to be able to make decisions and move to contain incidents fast. Knowledge of the company’s data and network topology is also key, said Legassick.

“Perhaps most important of all,” he added, “is to capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defense stronger.”

Cyber insurance can play a key role by providing a range of experts such as forensic analysts to help manage a cyber breach quickly and effectively (as well as PR and legal help). However, the learning process should begin before a breach occurs.

Practice Makes Perfect

“Any incident response plan is only as strong as the practice that goes into it,” explained Mike Peters, vice president, IT, RIMS — who also conducts stress testing through his firm Sentinel Cyber Defense Advisors.

Unless companies have an ethical hacker or certified information security officer on board who can conduct sophisticated simulated attacks, Peters recommended they hire third-party experts to test their networks for weaknesses, remediate these issues and retest again for vulnerabilities that haven’t been patched or have newly appeared.

“You need to plan for every type of threat that’s out there,” he added.

Hogg agreed that bringing third parties in to conduct tests brings “fresh thinking, best practice and cross-pollination of learnings from testing plans across a multitude of industries and enterprises.”

Legassick added that companies should test their plans at least annually, updating procedures whenever there is a significant change in business activity, technology or location.

“As companies expand, cyber security is not always front of mind, but new operations and territories all expose a company to new risks.”

For smaller companies that might not have the resources or the expertise to develop an internal cyber response plan from whole cloth, some carriers offer their own cyber risk resources online.

Evan Fenaroli, an underwriting product manager with the Philadelphia Insurance Companies (PHLY), said his company hosts an eRiskHub, which gives PHLY clients a place to start looking for cyber event response answers.

That includes access to a pool of attorneys who can guide company executives in creating a plan.

“It’s something at the highest level that needs to be a priority,” Fenaroli said. For those just getting started, Fenaroli provided a checklist for consideration:

  • Purchase cyber insurance, read the policy and understand its notice requirements.
  • Work with an attorney to develop a cyber event response plan that you can customize to your business.
  • Identify stakeholders within the company who will own the plan and its execution.
  • Find outside forensics experts that the company can call in an emergency.
  • Identify a public relations expert who can be called in the case of an event that could be leaked to the press or otherwise become newsworthy.

“When all of these things fall into place, the outcome is far better in that there isn’t a panic,” said Fenaroli, who, like others, recommends the plan be tested at least annually.

Cyber’s Physical Threat

With the digital and physical worlds converging due to the rise of the Internet of Things, Hogg reminded companies: “You can’t just test in the virtual world — testing physical end-point security is critical too.”

How that testing is communicated to underwriters should also be a key focus, said Rich DePiero, head of cyber, North America, Swiss Re Corporate Solutions.

Don’t just report on what went well; it’s far more believable for an underwriter to hear what didn’t go well, he said.

“If I hear a client say it is perfect and then I look at some of the results of the responses to breaches last year, there is a disconnect. Help us understand what you learned and what you worked out. You want things to fail during these incident response tests, because that is how we learn,” he explained.

“Bringing in these outside firms, detailing what they learned and defining roles and responsibilities in the event of an incident is really the best practice, and we are seeing more and more companies do that.”

Support from the Board

Good cyber protection is built around a combination of process, technology, learning and people. While not every cyber incident needs to be reported to the boardroom, senior management has a key role in creating a culture of planning and risk awareness.

“Cyber is a boardroom risk. If it is not taken seriously at boardroom level, you are more than likely to suffer a network breach,” Legassick said.

However, getting board buy-in or buy-in from the C-suite is not always easy.

“C-suite executives often put off testing crisis plans as they get in the way of the day job. The irony here is obvious given how disruptive an incident can be,” said Sanchez.

“The C-suite must demonstrate its support for incident response planning and that it expects staff at all levels of the organization to play their part in recovering from serious incidents.”

“What these people need from the board is support,” said Jill Salmon, New York-based vice president, head of cyber/tech/MPL, Berkshire Hathaway Specialty Insurance.

“I don’t know that the information security folks are looking for direction from the board as much as they are looking for support from a resources standpoint and a visibility standpoint.

“They’ve got to be aware of what they need and they need to have the money to be able to build it up to that level,” she said.

Without that support, according to Legassick, failure to empower and encourage the IT team to manage cyber threats holistically through integration with the rest of the organization, particularly risk managers, becomes a common mistake.

He also warned that “blame culture” can prevent staff from escalating problems to management in a timely manner.

Collaboration and Communication

Given that cyber incident response truly is a team effort, it is therefore essential that a culture of collaboration, preparation and practice is embedded from the top down.

One of the biggest tripping points for companies — and an area that has done the most damage from a reputational perspective — is in how quickly and effectively the company communicates to the public in the aftermath of a cyber event.

Salmon said of all the cyber incident response plans she has seen, the companies that have impressed her most are those that have written mock press releases and rehearsed how they are going to respond to the media in the aftermath of an event.

“We have seen so many companies trip up in that regard,” she said. “There have been examples of companies taking too long and then not explaining why it took them so long. It’s like any other crisis — the way that you are communicating it to the public is really important.”

Antony Ireland is a London-based financial journalist. He can be reached at [email protected]

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]