Teodorin Obiang Supercars Auctioned in Switzerland

On September 29, an auction in Cheserex, Switzerland sold 25 “supercars” that had been confiscated from Equatorial Guinea Vice President Teodorin Obiang.  The origin of this auction was a criminal investigation that the Geneva Public Prosecutor’s Office had opened in October 2016 against Obiang and two others for money laundering and unfaithful management of public interests.  In the fall of 2016, Swiss authorities seized 25 exotic cars belonging to Obiang that were located in Switzerland, and in December 2016, Dutch authorities, at Swiss authorities’ request, seized a yacht belonging to Obiang.

In February 2019, the Geneva Public Prosecutor announced that the 25 vehicles would be confiscated and sold and the net proceeds would be dedicated to a program of a social character to be conducted in Equatorial Guinea for the benefit of its people, on the basis of an agreement to be negotiated by the Swiss Federal Department of Foreign Affairs.  In addition, the seizure of Obiang’s yacht was lifted and the Equatorial Guinea government agreed to pay the State of Geneva CHF 1.3 million for “procedural costs” associated with the investigation.

The auction reportedly included a “rare and remarkable” 2014 Lamborghini Veneno, which was sold for $8.3 million (a world record-setting price for a Lamborghini sold at auction); an Aston Martin One-77 Coupe, which was sold for $1.5 million; and other exotic cars that included Ferraris, Bentleys, and Rolls Royces.  In total, the sales generated approximately $27 million or CHF 26 million.

Note: Now that the auction has taken place, the critical question remains whether the Swiss government can craft an agreement that will ensure that the auction proceeds are not diverted to the pockets of the ruling Obiang family.  The odds of doing so are vanishingly small, given the country’s low ranking in the Corruption Perceptions Index and President Teodoro Obiang’s unrelenting grip on power.

Marsh and Microsoft Issue Cyber Risk Perception Survey

On September 18, global insurance broker Marsh and global technology company Microsoft jointly issued the 2019 Global Cyber Risk Perception Survey (Survey).  The Survey, which built on a related survey conducted in 2017, reflects responses from 1,500 business leaders, in all six inhabited regions of the world, in a variety of key functions that included risk management, information technology/information security, finance, legal/compliance, C-suite officers, and boards of directors.

The Survey’s results fall into six principal categories:

  • Priority and Confidence. Over the past two years, even as cyber risk “became even more firmly entrenched as an organizational priority, . . .  organizations’ confidence in their ability to manage the risk declined.”  For example, 79 percent of respondents ranked cyber risk as a “top five” concern for their organizations – an increase from 62 percent in 2017.  Yet firms’ confidence “declined in each of three critical areas of cyber resilience.”  In particular, those who responded that they had “no confidence” increased (1) from 9 percent to 18 percent for understanding and assessing cyber risks; (2) from 12 percent to 19 percent for preventing cyber threats; and (3) from 15 percent to 22 percent for responding to and recovering from cyber events.
  • New Technology. In this category, 77 percent of 2019 respondents cited at least one innovative operational technology that they have adopted or are considering.  Half (50 percent) responded that cyber risk “is almost never a barrier to the adoption of new technology,” but 23 percent (including many smaller firms) responded that “for most new technologies, the risk outweighs potential business benefits.”  Nearly three-fourths (74 percent) reported that they “evaluate technology risks prior to adoption,” but only 5 percent said that they “evaluate risk throughout the technology lifecycle,” and 11 percent said that they do not perform any evaluation.
  • Supply Chain. Although “[t]he increasing interdependence and digitization of supply chains brings increased cyber risk to all parties,” many firms apparently “perceive the risks as one-sided.”  Nearly two-fifths (39 percent) responded that the cyber risk that their supply chain partners and vendors posed to their organization was high or somewhat high, but only 16 percent responded that the cyber risk that they themselves pose to their supply chain was high or somewhat high.
  • Government Role. Respondents generally credited industry standards more than government regulation for having high effectiveness in helping to manage cyber risk.  Only 28 percent viewed government regulations or laws as being very effective in improving cybersecurity, while 37 percent viewed soft industry standards as being very effective in improving cybersecurity.  At the same time, 54 percent responded that they “are highly concerned about nation-state cyber-attacks,” and 55 percent said that “government needs to do more to protect organizations against nation-state cyber-attacks.”
  • Cybersecurity Culture and Resilience. The Survey reported that “[m]any organizations focus on technology defenses and investments to prevent cyber risk, to the neglect of assessment, risk transfer, response planning, and other risk management areas that build cyber resilience.”  The vast majority of respondents (88 percent) responded that information technology/information security (IT/InfoSec) “is one of the three main owners of cyber risk management” – the other two being executive leadership/board (65 percent) and risk management (49 percent).  Only 17 percent of respondents said that they “spent more than a few days on cyber risk over the past year.”  Nearly two-thirds (64 percent) said that a cyber-attack on their organization “would be the biggest driver of increased cyber risk spending.”  More respondents (30 percent) this year reported that their companies are using quantitative methods to express cyber risk exposures (an increase from 17 percent in 2017).  The vast majority (83 percent) also reported that their firms “have strengthened computer and system security over the past two years,” but fewer than 30 percent “have conducted management training or modelled cyber loss scenarios.”
  • Cyber Insurance. As cyber insurance coverage “is expanding to meet evolving threats,” companies’ attitudes toward policies are reportedly also changing.  Nearly half of respondents (47 percent) replied that they have cyber insurance (an increase from 34 percent in 2017), and larger firms were more likely to have cyber insurance.  More than half (57 percent) of those with annual revenues above $1 billion reportedly had a cyber insurance policy, compared to 36 percent of companies with revenue under $100 million.  Respondents also indicated lessening uncertainty about whether available cyber insurance could meet their firms’ needs, as 31 percent reported such uncertainty (compared to 44 percent in 2017).  Finally, 89 percent of respondents in companies with cyber insurance “were highly confident or fairly confident their policies would cover the cost of a cyber event.”

Among other takeaways from the Survey, Joram Borenstein, General Manager of Microsoft Cybersecurity Solutions Group, identified five best practices that the most cyber resilient firms employ and which all firms should consider adopting:

  • Create a strong organizational cybersecurity culture with clear, shared standards for governance, accountability, resources, and actions.
  • Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.
  • Evaluate the cyber risk implications of a new technology as a continual and forward-looking process throughout the lifecycle of the technology.
  • Manage supply chain risk as a collective issue, recognizing the need for trust and shared security standards across the entire network, including the organization’s cyber impact on its partners.
  • Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.

Note: Borenstein expressed optimism “that more organizations are now clearly recognizing the critical nature of the threat and beginning to seek out and embrace best practices.”  Another way of looking at the Survey results is to state that many companies around the world continue to lag in demonstrating that they have the cultural, as well as the technological, capacity to meet the constantly changing array of cyber risks.  Cybersecurity, legal, and compliance officers in every industry should read the Survey closely, compare the Survey results with the state of their companies’ own cybersecurity programs, and discuss with their senior leadership where their companies are doing well or poorly in contending with cyber risk.

Scottish and Irish Students Targeted for Recruitment as “Money Mules”

Two reports from the past two weeks show the intensity of efforts by criminals to recruit young people, especially students, in Scotland and Ireland to serve as “money mules” by allowing their bank accounts to be used for money laundering.  First, on September 13, The Journal.ie reported that dozens of young women “have unwittingly been recruited by criminal gangs at [Irish] musical festivals to launder money through online applications as well as through their own bank accounts.”

The Gardaí (Irish Police) stated that students “are often targeted by the practice.” According to The Journal.ie, “Experts in the field believe that the recruiters use music festivals as a way to access bank accounts from vulnerable women, often times taking advantage of someone who is in an intoxicated state.”

Irish banks are reporting an average of 1,600 cases of money muling per year.  The Journal.ie cited sources who

explained how young teenage women are commonly targeted in person, while it is men who are usually recruited online.

Multiple sources have told TheJournal.ie that events such as Longitude in the Marlay Park, All Together Now and the Electric Picnic were infiltrated by a number of these criminals. Some of those attempting to recruit people have come from the UK, attempted to start a romantic relationship with the young women and then asked to use their accounts.

The Head of Fraud for the Banking and Payments Federation Ireland (BPFI), Niamh Davenport, told the Journal.ie that “[a] significant amount of the money which is moved through money mules in Ireland is done using a method called invoice redirect fraud.”  This form of fraud involves

criminals send[ing] emails to businesses purporting to be one of their legitimate suppliers. These emails contain an instruction to change the bank account details that the business has for a legitimate supplier, to bank account details that ultimately benefit the criminals. These requests can also come by way of letter or phone call so caution should attach to any request of this nature.

In late 2018, the Gardaí reportedly conducted a three-month operation in Ireland, with support from Europol, that identified 420 money mule accounts that had been used to launder €14.6 million over the previous two to three years, as well as five so-called “herders” operating in Ireland to recruit money mules.

Second, on September 19, The Times reported that “[t]he number of young Scots falling prey to money laundering has tripled in two years, amid concerns that thousands of students do not know how to protect themselves from fraud.”

According to data from the United Kingdom-based bank Barclays, “Three times as many young Scots fell prey to the schemes last year” as in 2016.  In addition, in 2018, police addressed 9,636 cases of money muling across the United Kingdom, and in April 2019 Police Scotland charged 29 people in a “money mule” operation.

The Barclays data also showed that

[m]ore than 70 per cent of Scottish students said they were unaware of the consequences of money muling, which can include a prison sentence and difficulties getting bank accounts or student loans. Almost 60 per cent would be tempted by a “too good to be true” job advert from an unknown company, and 45 per cent would be interested in an offer to make quick cash from home — all terms used to recruit mules.

Note: These reports indicate that Barclays, Facebook, and government authorities have been seeking to publicize the risks that young people may unwittingly assume by agreeing to serve as money mules – including the potential for prison time.  Even so, social-media companies and financial institutions operating in Europe clearly need to increase their educational efforts on this issue.

The problem is by no means limited to European nations, but the vast concentration of students in the United Kingdom and other parts of Western Europe represents a vast and tempting target for money-laundering operations.  The public and private sectors need to do more to collaborate in reducing that threat.

Chinese Woman Arrested in Spain in Connection with University-Admissions Cheating Scandal

On September 17, the U.S. Department of Justice announced that on the night of September 16, Spanish authorities arrested a Chinese woman “in connection with her role in using bribery and other forms of fraud to facilitate her son’s admission to the University of California at Los Angeles (UCLA) as a purported soccer recruit.”  This arrest is part of the investigation, led by the United States Attorney’s Office in Boston, into an alleged “nationwide conspiracy that facilitated cheating on college entrance exams and the admission of students to elite universities as purported athletic recruits.”

In an indictment unsealed on September 17 in the District of Massachusetts, Xiaoning Sui, a resident of Surrey, British Columbia, Canada, was charged with one count of conspiracy to commit mail fraud and honest services mail fraud.  The Department stated that Sui “is currently detained in Spain, and authorities will seek her extradition to Boston to face charges.”

The indictment alleges that Sui agreed with William “Rick” Singer, who has already pleaded guilty and agreed to cooperate with the government’s investigation,

to pay $400,000 to facilitate her son’s admission to UCLA as a purported soccer recruit. It is alleged that during a phone call in August 2018, Singer explained that Sui’s son could be “guaranteed” admission to UCLA, in exchange for $400,000. Between August and October 2018, Sui allegedly provided Singer with her son’s transcript and photographs of her son playing tennis.

A co-conspirator, Laura Janke, who has also pleaded guilty and is cooperating in the investigation,

then fabricated a soccer profile for Sui’s son, which described him as a top player for two private soccer clubs in Canada. On Oct. 24, 2018, Singer instructed Sui to wire Singer $100,000 which would be “paid to the coach at UCLA” in exchange for a letter of intent from the UCLA soccer coach. Two days later, Sui allegedly wired $100,000 to a bank account in Massachusetts in the name of Singer’s sham charitable organization, the Key Worldwide Foundation (KWF).

Thereafter, on November 5, 2018, UCLA admitted Sui’s son as a recruited soccer player, and awarded him a 25 percent scholarship.  Sui also allegedly wired an additional $300,000 to the KWF account in February 2018, “as final payment for her son’s fraudulent admission to UCLA.”

Note: This indictment is noteworthy for two reasons.  First, the Justice Department release stated that Sui is the 52nd defendant charged in this investigation.  That number alone provides some indication of the scope and scale of the alleged cheating scandal.  Second, the fact that the Boston U.S. Attorney’s Office was willing to take the trouble to seek Sui’s arrest in and extradition from Spain indicates that that office is prepared to pursue the investigation for an extended period, as any extradition can take months, at a minimum, if the defendant opposes extradition through the requested country’s legal system.

In March 2019, former UCLA men’s soccer coach Jorge Salcedo was indicted and pleaded not guilty in connection with the investigation.  While a UCLA Daily Bruin article characterized Salcedo’s departure as “a blessing in disguise” because of the soccer team’s poor record during his tenure, this latest arrest and charge add to the weight of reputational harm that UCLA must bear.

United Kingdom National Cyber Security Centre Issues Threat Assessment for United Kingdom Universities

On September 18, the United Kingdom’s independent governmental authority on cybersecurity, the National Cyber Security Centre (NCSC), issued a threat assessment of “the current cyber security threat to UK universities and academia.”  The NCSC report noted that “[t]he threat posed to the university sector sits within the broader context of the threat to the UK as a whole,” including the threat of state-sponsored malicious cyber activity, as well as “a serious and sustained threat to the UK from organised cyber crime.”

The report presented four key judgments about the threat to universities:

  1. The key cyber threats to UK universities are highly likely to be (1) “Criminals seeking financial gain”; and (2) “Nation states looking to steal personal data and intellectual property, for strategic advantage.”
  2. Cybercrime “will probably present the most evident and disruptive difficulties for universities,” although state-sponsored espionage “is likely [to] cause greater long-term damage.” The report stated that the latter finding “is particularly true for those universities which prize innovation and research partnerships.”
  3. Likely effects of state espionage include (1) “Damage to the value of research, notably in STEM subjects”; (2) “A fall in investment by public or private sector in affected universities”; and (3) “Damage to the UK’s knowledge advantage.”
  4. “If foreign direct investment were to come under greater scrutiny or restriction, it is a realistic possibility that the cyber threat to universities would increase, as nation states sought alternative ways to gain access to sensitive research and intellectual property.”

The report also identified four potential categories of data and information of interest to a nation-state: (1) emails; (2) “bulk personal information on staff and students”; (3) “technical resources (e.g. documentation and standards)”; and (4) “sensitive research and intellectual property.”  Use of these data “will meet a wide range of state requirements,” such as “commercial advantage for the nation’s companies, advancing equivalent research efforts, military or security apparatus.”  The report also stated that sensitive research

may be targeted for its defence or commercial value, and its loss is likely the most detrimental of all to both the affected university and to the UK as a whole. Likely effects include damage to the value of impacted research and intellectual property for both individual researchers and the institution. The attractiveness, relevance and value of an impacted university as an investment partner will also be negatively affected. And at a wider scale, the knowledge advantage of the UK will suffer.

With regard to cybercriminals, the report observed that they “are likely to impact universities most often through untargeted attacks,” such as ransomware, which “brought significant loss-of-service to multiple UK universities in June 2018.”  It also noted that “[t]he use of spoofed or compromised email accounts to impersonate a university’s partners or suppliers is rising, and has led to the passing of sensitive information or funds to criminals.”

To defend against cyberattacks, the report cited widely recognized approaches, such as “good security awareness among staff and students”; “[s]ecurity-conscious policies, strict access controls and partitioning of high-value research”; and segregation within a university network of smaller, private networks, which “offers an opportunity to separate high-value or sensitive data and information, and apply a higher level of protection, without impacting the openness of the wider network.”

The report concluded with four main predictions:

  1. “State-sponsored activity will continue whilst it remains successful and the repercussions are limited.”
  2. “[S]tate espionage will continue to pose the most significant threat to the long-term health of both universities and the UK itself. There’s a realistic possibility that the threat will increase in-line with increased scrutiny of foreign direct investment and the minimising of other avenues to gain insight and advantage.”
  3. “Cyber crime too will almost certainly continue to impact universities, either as a direct target or as collateral, regardless of the reputation and success of those universities targeted.”
  4. “[S]pear-phishing and social engineering are highly likely to remain the main attack vectors,” but ransomware “is likely to be the greatest single cause of disruption to staff, students and the universities themselves.”

Note:  The NCSC report stated that its information “will be of interest to all academic and non-academic staff. It will be particularly relevant to senior leaders in universities and research institutions, members of university councils and those engaged in research.”  It should also be required reading for legal, cybersecurity, and compliance officers in United Kingdom universities and research institutions.

Because universities are accustomed to regarding themselves as bastions of academic freedom that “nurtur[e] a culture of openness, tolerance and dialogue,” it can be difficult for some university administrators to accept that their institutions can be treated simply as targets of opportunity by “state-sponsored actors . . . looking to steal data and information for strategic gain” or “cyber criminals seek[ing] to commit fraud, or monetise stolen material through sale or ransom.”

For those reasons, university legal, cybersecurity, and compliance officers should coordinate their efforts to inform university administrators about the report’s findings, and use it as an opportunity to reassess the state of their own institutions’ cybersecurity programs.