APWG Report Highlights Phishing Trends for Compliance Officers and Counsel

Even as many lawyers continue to display “a curious ambivalence” toward technology, compliance officers and counsel responsible for cybersecurity need to overcome that ambivalence and commit to acquiring and maintaining technological competence.  But there is exceptionally little guidance for compliance officers and compliance counsel on what constitutes technological competence in the context of cybersecurity.  Even the best cybersecurity frameworks do not indicate what kinds of technological knowledge compliance officers and counsel need to perform their functions effectively.

While they do not need to know the niceties of programming in Python or filtering bogons, compliance officers at a minimum should remain informed, even at a fairly basic level, about major trends in cyberthreats and cybercrime that are likely to affect their companies.  One highly reliable source of periodic reporting on such threats is the APWG (formerly the Anti-Phishing Working Group).  Now in its fifteenth year, the APWG is an international coalition with more than 1,800 organizational memberships in the industry, government, and law-enforcement sectors and non-governmental organization communities.

One of the APWG’s most useful resources for compliance officers and information-security officers alike is its quarterly phishing activity trends report.  The most recent quarterly report, for the first quarter of 2018 (issued July 31), included a number of findings on phishing trends in 1Q 2018:

  • The total number of phish detected was 263,538 — a 46 percent increase from the 180,577 observed in 4Q 2017, and a 38 percent increase from the 190,942 observed in 3Q 2017.
  • 113,897 unique phishing Web sites were detected in March 2018 – an 87 percent increase from the 60,887 unique sites detected in January.
  • The most targeted industry sectors were payment (39.4 percent), Software as a Service/Webmail (18.7 percent), financial institution (14.2 percent), and cloud storage/file hosting (11.3 percent).
  • 13,594 unique domains were used in phishing attacks.
  • More than a third of phishing attacks were hosted on Web sites that had HTTPS and SSL certificates, which could deceive Internet users into believing that those sites were secure.

Such data could provide compliance officers and counsel with a more informed basis to discuss with their information security teams whether their companies’ cybersecurity measures and internal controls are keeping pace with these trends.

Corruption Risk Assessment Lessons to Be Learned from Getax Ocean Trades Bribery Resolution

On June 28, a Singapore court fined a Singapore-incorporated shipping company, Getax Ocean Trades, SG$80,000 (US$58,711) for paying SG$27,000 in bribes to Ryke Solomon, a Member of Parliament of the Republic of Nauru.  Nauru reportedly derives its main revenue from phosphate mining, and a government corporation, the Republic of Nauru Phosphate Corporation (Corporation), controlled phosphate mining, sales, and exports.  In 2010, according to representations made to the court, Amit Gupta, an executive of phosphate exporter Getax Australia (for which Getax Ocean Trades serves as the logistics arm), emailed Solomon to express Gupta’s interest in advancing his family’s business interests with the Corporation. On February 4, 2010, Solomon responded, requesting at least SG$30,000 to fund his re-election campaign in Nauru.  On February 18, 2010, Gupta asked a Getax Ocean manager to transfer SG$20,000 to Solomon’s bank account in Australia.  The court-imposed fine split the difference between Getax Ocean Trades’ request for a SG$60,000 fine and the prosecutor’s request for a SG$100,000 fine.

Compared to various recent Foreign Corrupt Practices Act resolutions involving eight- and nine-figure penalties and multiyear bribery of foreign officials, such as Credit Suisse and Société Générale, the Getax Ocean Trades resolution is wholly unremarkable.  Compliance officials, however, should regard it as a test case for reviewing their country risk ratings and methodology.  While companies often use Transparency International’s Corruption Perceptions Index (CPI), which currently covers 180 countries and territories, or the TRACE Bribery Risk Matrix, which covers 200 countries, they need to remember that neither the CPI nor the TRACE Matrix covers all recognized countries and territories (including Nauru).  Thus, companies doing business in smaller countries may need to double-check their risk assessment methodologies to confirm that they cover all of those countries.

In those rare cases in which a country with which a company is doing or seeking to do business is in neither the CPI nor the TRACE Matrix, that company will need to resort to other due-diligence measures to conduct a meaningful risk assessment.  Although the public record does not indicate whether Getax Australia or Getax Ocean Trades conducted any risk-assessment process for its dealings with Nauruan officials in 2010, a mining company conducting a negative-news search today on Nauru, for example, would find multiple indications of corruption risk, such as stories reporting on alleged bribery of the Nauruan President and Justice Minister by Getax and the Australian Federal Police’s investigation of Getax and Nauruan bribery.  The essential point is that companies must ensure that their risk-assessment process, however structured, will timely capture information on bribery and corruption risks pertinent to the companies’ current and projected business in all jurisdictions.

As Japanese Authorities Charge Three MHPS Executives in Foreign-Bribery Case, MHPS Issues Statement of Facts, Remedial Measures, and Disciplinary Action

In mid-July, multiple English-language Japanese news sites reported on the guilty plea by Mitsubishi Hitachi Power Systems (MHPS) to violating the Unfair Competition Prevention Act (Act), in connection with a foreign-bribery case relating to transport work under a power plant contract awarded to Mitsubishi Heavy Industries Ltd. in 2013 (and later taken over by MHPS).  Those reports focused primarily on the fact that the plea was the first of its kind under a new law allowing plea bargains in cases involving organized crime and bribery, and that there previously had been only four cases in Japan in which companies or individuals had been prosecuted on bribery charges involving foreign public officials since 1998.

Initial reports, however, offered conflicting information about the scope of the alleged bribery.  The Japan Times cited unnamed “sources” in reporting that the case involved “one of its employees and a civil servant in Thailand,” and further stated that prosecutors won’t indict Mitsubishi Hitachi Power Systems “in exchange for information on the employee involved.”  In contrast, the Asahi Shimbun reported that according to the Special Investigation Unit of the Tokyo District Public Prosecutors Office, MHPS employees overseeing the project “gave Thai public servants a large bribe in connection with the project.”

Although MHPS initially declined to comment on the case or the plea, less than a week later, on July 20, it issued a detailed public statement about both issues.  In particular, it stated that it had been notified that two former MHPS officers – one a Director, Executive Vice President, and Head of MHPS Engineering Headquarters, the other a Senior Vice President and Senior General Manager of MHPS’s Procurement & Sourcing Division – and the former General Manager of the then-existing MHPS Logistics Division had been charged on suspicion of violating the Act, specifically for offering a bribe to a foreign public officer.

The MHPS statement is noteworthy in three respects.  First, it included the most detailed statement of facts yet available concerning the nature and scope of the bribery.  Presumably based on the results of its own internal investigation, MHPS reported that the charges are related

“to the construction of a thermal power plant undertaken by MHPS in the Khanom District of Nakhon Si Thammarat Province, Thailand. In February 2015, an employee of MHPS in charge of material transport received word that, when subcontractor carriers of the transport services provider entrusted by MHPS with the marine transport of plant parts attempted to unload the parts at the jetty constructed near the plant construction site, local residents, including what was believed to be a public officer of the local port authority, blocked off the jetty and demanded payment of 20 million Thai baht.

The jetty was blocked off due to the unexpected failure by the transport services provider in undertaking the necessary procedures to acquire authorization to use the jetty. It was expected that any delay in unloading the parts as a result of this blockade would cause delay to the plant construction schedule, and thereby obligate MHPS to incur significant costs and expenses, such as the payment of delay damages. In order to avoid such circumstances, relevant MHPS individuals provided the abovementioned subcontractor carriers with funds in the amount of 20 million Thai baht in response to the demand that had been made, as a result of which the blockade of the jetty was resolved.

MHPS was not able to confirm whether the subcontractor carriers did indeed deliver the 20 million Thai baht to the public official.

The 20 million Thai baht was generated by individuals affiliated with MHPS at that time by way of issuing an additional order to a local contractor for fictitious work.”

Second, it publicly reported that to prevent recurrence of such conduct by MHPS employees, MHPS was currently implementing the following measures:

  1. Issuance of top management messages concerning prevention of bribery;
  2. Diversification of methods for reporting compliance incidents, including new online and toll-free telephone access points;
  3. Requiring more thorough checks to detect bribery risk both before and after the receiving of an order;
  4. Strengthening of audits on expenditures made from overseas construction sites;
  5. Renewed acquisition of compliance pledges from all managerial personnel; and
  6. Training, including that conducted by external instructors, concerning prevention of bribery.

Third, it made a public declaration unusual for companies resolving foreign-bribery charges with prosecutors in other countries.  It stated not only that MHPS had taken internal disciplinary action against the individuals involved in making the bribe, but that “in order to clarify responsibility at the managerial level, the [MHPS] President and officers overseeing sales and compliance as of February 2015” returned a portion of their compensation as follows: (1) the President and CEO – 30% of remuneration for 3 months; (2) the Senior Executive Vice President (officer in charge of sales) – 20% of remuneration for 3 months; (3) the Head of Business & Strategic Planning Headquarters (officer in charge of sales) – 20% of remuneration for 3 months; and (4) the Senior General Manager of Management & Administration Division (officer in charge of compliance) – 10% of remuneration for 3 months.