Over the course of a year, an anonymous source working with the German newspaper Süddeutsche Zeitung and the International Consortium of Investigative Journalists (ICIJ) funneled 11.5 million private documents from Panama-based law firm Mossack Fonseca to the press. In April, coordinated coverage from dozens of news outlets unveiled the revelations in these “Panama Papers,” shining a light on the questionable dealings of the firm, which specializes in offshore holdings, and its high-profile, extremely wealthy clients.
The Panama Papers represent the biggest data leak in history, encompassing 2.6 terabytes of data—more than 1,500 times larger than the 1.7 gigabytes of data released in Wikileaks. The 11.5 million documents date from 1977 through December 2015. Most are emails (4.8 million), but the documents also include PDFs, text files and images of contracts and passports.
The files detail the ways the wealthy can and do exploit offshore tax regimes to launder money, dodge sanctions and avoid taxes. Many of the documents identify the firm’s customers and their respective shell corporations, including 143 politicians or their close associates, celebrities, more than 400 banks and, casting further light on an entity already mired in corruption problems, world soccer governing body FIFA. As the world’s fourth-largest provider of offshore services, or as the ICIJ put it, “one of the world’s five biggest wholesalers of offshore secrecy,” Mossack Fonseca has more than 40 offices around the world, has managed more than 300,000 companies over the years and billed more than $42 million in 2013. The source of the leaks—who remains anonymous even to the journalists involved and whose connection to the firm has not been established—cited income inequality and the scale of social injustice detailed in the documents as the motivation for the breach.
While many of the offshore structures Mossack Fonseca created for its clients are legal, a number of them are highly suspect, whether because of the means used, the unclear sources of the funds, or the ultimate beneficiaries themselves. According to ICIJ, a 2015 audit found that Mossack Fonseca knew the identities of the beneficial owners of just 204 of 14,086 companies it had incorporated in one tax shelter alone, the Seychelles. The firm has repeatedly defended its conduct, stating it complies with anti-money-laundering laws and carries out appropriate due diligence on its clients, claiming the blame for any such failures rests with intermediaries, most notably banks, law firms and accountants.
A review of the documents appears to offer significant proof to the contrary. Internal documents detail collusion on all forms of compliance violations, from concealing documentation to charging clients a fee to backdate official documents, or even hiring actors to pose as ultimate beneficiaries to clean out offshore accounts and redomesticate their funds.
While offshore vehicles are certainly not inherently any sign of wrongdoing, they can be used to skirt economic sanctions, evade taxes and launder money, and the lax oversight over beneficial ownership dramatically increases those odds. Of the thousands of offshore entities that the company has created, it is virtually impossible to say how many were engaged in such activity, but one thing is clear: appearing on the Mossack Fonseca client roster drawn from this data leak does no one’s reputation any favors. As Gerard Ryle, the director of ICIJ, told CNN’s Christiane Amanpour: “These documents, if nothing else, raise an awful lot of questions.”
Beyond the reputational consequences of shady activity or massive data exposure, there are key lessons in the Panama Papers case that all businesses should be examining in light of how the scandal has unfolded and the underlying issues that exposed Mossack Fonseca and all of its clients to a public relations and regulatory disaster.
DATA INSECURITY: Third Parties and Professional Services
The precise method used to access and exfiltrate all of the documents in the Panama Papers is not presently known. Mossack Fonseca claims it was hacked by servers based abroad, but many experts speculate the source of the leak must have been an internal actor due to the sheer range of data accessed and the amount that was exfiltrated. The firm appears to have provided a considerable number of options for prospective hackers. Reviews of the breach have led security experts to report technical failures on Mossack Fonseca’s part that may well have contributed to the massive data leak, or had the potential to facilitate other intrusions into the firm’s systems. Mossack Fonseca had failed to update its Outlook Web Access login since 2009 and had not updated its client login portal since 2013. That portal also used a version of the content management system Drupal that was significantly out of date, with at least 25 known vulnerabilities that went unpatched. Areas of the portal’s back end could even be accessed by simply guessing the URL structure. The firm’s main site runs an outdated version of WordPress with a number of known vulnerabilities, including one that makes it possible to easily access privileged files. Servers were configured without regard for the best security practices. What’s more, security researchers found, Mossack Fonseca did not even encrypt its emails with Transport Layer Security protocols.
This kind of lax security is unfortunately quite common, especially among professional services providers and other third parties. In a recent study by the Ponemon Institute and Shared Assessments, researchers found that, in the past 12 months, organizations spent an average of $10 million to respond to a security incident as a result of negligent or malicious third parties. Despite the notable price tag on this exposure, only 8% of respondents said improvement of their organization’s relationship with business partners is a top risk management objective, and only 31% of respondents have metrics to measure the effectiveness of related risk management activities.
“After 30 years in the field of security research, the number one cause of third-party risk I’ve seen is a lack of governance and ownership,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Everyone just says, ‘Hey, third-party risk is really important,’ but when you ask where risk management is, the answer is no one person owns it.”
Ponemon believes this stems from a fundamental lack of understanding from the C-suite that creates an acute trickle-down vulnerability. “Some risks are viewed as more substantial among C-level executives, and some might not even be aware of the potential for problems because of insecure, vulnerable third parties,” he said. “They’re out of the loop on cyber. They are one of the main reasons you see a lot of organizations not really tackling third-party risk in the way that they should given the real risk that it presents to the company. It’s a governance issue, that ownership of third-party risk.”
A lack of visibility and lax oversight regarding third parties further contributes to ignorance of even the sheer scale of risk exposure, Ponemon said. While many say they will comply with leading standards like ISO or NIST, for example, they may not be doing so or may not be doing it well. Some third parties offer the right to visit and audit periodically, but many companies fail to exercise that power and it may be impractical for others.
The third contributing factor to third-party risk may be the most relevant to Mossack Fonseca: the issue of culture, values and tone at the top regarding security. “A third party might have different expectations in terms of security and privacy than people at the company that is outsourcing the activity,” Ponemon explained. “For example, we basically know that in certain third-party relationships where the third party is located in an emerging economy, the whole concept of due diligence around privacy may not be the same—even though the terms and words are the same, the general handling of the issue can be very different because of cultural differences. It’s not because the third party is evil or sloppy, but they don’t necessarily have the right procedures in place so they don’t emphasize or perhaps even understand the security risk in the data they receive and use.”
Given the nature of that data, this may also create significant regulatory exposure as the contracting entity, which is ultimately responsible for the data, does not have the visibility to monitor whether the partner is managing it in a way that complies with relevant regulations, but it remains on the hook for compliance failures.
The vulnerability introduced by insecure third parties is also increasing as the nature of cyber threats shifts. Security by obscurity no longer works—small companies are not safe by virtue of their size or profile. What’s more, as hackers lodge more targeted attacks, they recognize the weakness third parties pose and have increasingly taken advantage. “A lot of small companies believed that they were safe because they were small and the bad guys didn’t even know they existed, so they would just not worry as much as a large company about security issues or privacy,” Ponemon said. “That’s not true—a lot of bad guys have targeted smaller companies because they don’t have the right security infrastructure. These smaller companies also include third parties such as law firms, accounting firms and others that may be small but have a lot of very sensitive, very valuable pieces of information.”
Indeed, this weakness is something of an epidemic among professional services providers, particularly law firms. According to the American Bar Association’s 2015 Legal Technology Survey Report, 15% of the 880 lawyers polled said their firms had experienced a security breach, and 23% of them said they did not know if they had. More than four in 10 said their computers had been affected by a virus, while 23% said they did not know. The larger the law firm, the greater the increase in breaches. Only 11% of respondents said their firm had cyber insurance.
Sometimes sub-par technology infrastructure and information security investment, a lack of awareness of the full range of risks, and notably insufficient training and practices all contribute to this problem, and not all are easy to address as quickly as one might like. Social engineering and phishing are the most common attack vectors used to target law firms. Unfortunately, as these tactics prey upon every enterprise’s weakest link—humans—no firm can defend against them entirely.
According to a study by Experian and the Ponemon Institute, security professionals report their top concern is the risk of a breach caused by having sensitive information exposed due to employee mistakes or negligence. Employees succumbing to a targeted phishing attack ranked a close second. They have good reason to be concerned, the study found, as 55% of organizations polled had experienced a security incident or data breach due to a malicious or negligent employee. Yet, across the range of industries from which respondents were surveyed, less than half of companies make training mandatory for all employees, and 60% of companies do not require employees to retake training after a security incident, even at the 43% of entities where training consists of a single basic course. Less than half of respondents said their training covers phishing and social engineering attacks, only 38% said it includes mobile device security, and only 29% said it addresses the secure use of cloud services. The number of attack vectors left open introduces a tremendous amount of cyberrisk, and companies are simply not tackling their biggest liability, even though it may be seated right down the hall.
CORRUPTION: Law Enforcement and Regulatory Scrutiny
Law enforcement and regulatory bodies will likely be handling the fallout from Panama Papers revelations for months or years to come. Beyond Mossack Fonseca’s client base, all companies should take the scandal as a reminder to focus on Foreign Corrupt Practices Act (FCPA) compliance. In somewhat fortuitous timing, the FBI recently created three dedicated international corruption squads to, in conjunction with the Department of Justice’s Fraud Section, investigate and prosecute FCPA violations and kleptocracy.
“Across the world, anti-corruption enforcement is reaching unprecedented levels, driven by regulations such as the FCPA, FATCA [Foreign Account Tax Compliance Act], and most recently the U.K. Bribery Act,” according to Joel Lange, managing director of Dow Jones Risk and Compliance. “We’re seeing large-scale anti-corruption investigations and record fines targeted not only at companies, but also at individual executives. In this heightened regulatory climate, a company’s success, reputation and very survival is largely dependent on the effectiveness of their anti-corruption programs.”
Indeed, the Department of Justice has sent signals about its intentions regarding compliance, particularly with FCPA, by appointing Hui Chen as its first-ever compliance counsel and releasing the Yates Memo, which outlined a plan to prosecute individual corporate employees and incentivize reforms through its enforcement action and prosecution decisions.
The Panama Papers will undoubtedly be a goldmine for these efforts, and the process of chasing down leads and pursuing cases will continue over the next few years. The Department of Justice, particularly the U.S. Attorney’s Office for the Southern District of New York, has launched official criminal investigations into tax avoidance schemes detailed in the Mossack Fonseca documents. International large-scale criminal investigations are also underway, including those by authorities in Canada, France, Austria, the Netherlands, Japan, India and Australia.
These investigations are likely to be one of the primary drivers of concrete costs for businesses, as protracted investigations and potentially significant fines may be handed down for those that used the firm to avoid tax responsibilities. Simply being mentioned in the data dump may be enough to prompt this. What’s more, as the government attempts to crack down on FCPA violations, greater scrutiny is being paid to past transactions detailed in the papers, and future scrutiny is inevitable, authorities say.
“I think it will be a treasure trove in terms of potential third parties that have set up offshore accounts,” said Charles Duross, head of the global anti-corruption practice at Morrison and Foerster and former deputy chief in the DOJ’s Fraud Section, where he led the FCPA unit. “Ninety percent of the litigations you see with FCPA cases involve third parties. One of the biggest red flags, beside familial connection, is this idea that it’s an offshore company. It should be a red flag and, if it isn’t already, a part of your due diligence process for any third parties.
“If you’re a prosecutor or an agent, you’re going to assume the worst until proved otherwise,” he added. “The Panama Papers show that, if you’re going to have a company like that, you better be prepared for an incredible amount of scrutiny depending on what happens down the road.”
For those companies that choose to own and operate offshore entities, Duross emphasized that documentation is essential, as is preparation for the inevitable disclosure. “The Panama Papers show a lack of security and when these things come out, you better be prepared with all of the documents to show why it is you have that entity, that it’s operating legally and appropriately, that it exists for a legitimate reason and the like, because if you don’t have those explanations, I think it’s going to have kind of a cascading effect and it can be very devastating very quickly,” he said.
For compliance officers, this also presents a powerful reminder—and a real opportunity. Seizing on the considerable attention and justifiable concern the breach has generated, compliance professionals should be emphasizing the critical nature of their work and evaluating ways to improve. Further, they should prioritize ensuring security is being handled appropriately and refining and implementing significant due diligence procedures regarding third parties.
“On one hand, the Panama Papers are a new ‘oh, look at that’ and there’s a tendency to run to those, but on the other hand, it reminds us of things that we could have addressed before and need to go back and take a good second look at,” said Daryl Kreml, compliance officer at biotechnology firm Biogen. “Those things include: What third parties are we using and why are they incorporated in the British Virgin Islands, Cyprus or the Isle of Wight? It may be that there’s a tax efficiency argument that, when we sit down and have that conversation with them, we understand, but it may also be that, if their services are being provided to us in Eastern Europe and there are three different tax shelters between Eastern Europe and whoever we’re signing the document with, we’ve got a reason to pause and ask questions.”
While some potential issues may not be possible to mitigate entirely, this renewed rigor should not be a fleeting interest. “There is a reminder here to look at the traditional things, like third parties, and then I think there’s an opportunity here to say, ‘In this changing landscape, how do we take that to the next level?’” Kreml said. “We can’t chase every development with all of our resources, but this is something that’s probably not going to wear off. In some ways, I think the playing field has changed.”