Lloyd’s Announces University of Cambridge Centre for Risk Studies Report on Cyber Risks to Asia-Pacific Ports

On October 29, the global insurance market Lloyd’s announced that the University of Cambridge Centre for Risk Studies released a report showing that a single attack on major ports across the Asia-Pacific region “could cost $110 billion, which is roughly equivalent to half of all losses from natural catastrophes globally in 2018.”  The Centre produced the report – titled “Shen attack: Cyber risk in Asia Pacific ports”  — on behalf of the Cyber Risk Management (CyRiM) project, a Singapore-based public-private initiative that assesses cyber risks of which Lloyd’s is a founding member.

The report was based on a hypothetical scenario in which a computer virus infects 15 ports across Japan, Malaysia, Singapore, South Korea and China.”  Such a cyberattack, the report stated,

via a computer virus carried by ships could scramble the cargo database records at major ports and lead to severe disruption . . . . Although the virus only directly affects ports in Asia-Pacific, economic losses would be felt around the world due to the global interconnectivity of the maritime supply chain.

An attack of this scale targeted at ports would cause substantial economic damage to a wide range of businesses through reduced productivity and consumption, incident response costs, and supply chain disruption.

The report also estimated two categories of losses:

  • The transportation, aviation, and aerospace sectors would be the most affected (with total economic losses of $28.2 billion), followed by the manufacturing and retail sectors (with total losses of $23.6 billion and $18.5 billion, respectively).
  • “Productivity losses would affect each country that has bilateral trade with the attacked ports.” Asia would be the worst affected region (with total indirect losses of up to $27 billion), followed by Europe (indirect losses of $623 million) and North America ($266 million).

Other key findings in the report included the following:

  • “The transportation sector in Singapore would take the biggest economic hit, followed by the same sector in South Korea.
  • “‘Business interruption’ and ‘contingent business interruption’ insurance coverages would be the main drivers of the insured losses (60% of the loss in the most extreme version of the scenario).”
  • “Non-affirmative cyber, meaning cyber risk that is not explicitly mentioned in an insurance policy, would account for up to 57% of the total insured losses.”
  • “Insurance claims would arise from port operators (50% of insured losses), companies along the supply chain (21% of insured losses), and logistics and cargo handling companies (16% of insured losses).”
  • “There are opportunities for insurers and policyholders to expand their view of cyber risks ahead of the next event and the report helps to inform in a way to support new products, services and mitigation strategies that make businesses and communities more resilient.”

Finally, the report made clear that “the global economy is underprepared for such an attack, as 92 percent of the total economic costs would be uninsured, leaving an insurance gap of $101 billion.

N.B.:  While Lloyd’s termed the report’s scenario “an extreme scenario,” the number of instances over the last decade in which state actors or surrogates thereof have carried our devastating cyberattacks suggest that the scenario is, regrettably, entirely plausible.  Information-security, strategic-risk, and political-risk teams at companies doing business in the Asia-Pacific region should take the time to read the complete report, and to use its findings as a basis for reviewing the adequacy of their firms’ current cyber-risk insurance coverage.

CSSF Director General Warns About Money Laundering Risks for Private Banks in Luxembourg

On October 29, the Luxembourg Times reported that Claude Marx, the Director General of the Luxembourg Commission de Surveillance du Secteur Financier (CSSF), warned in a recent interview “that the risk of money laundering in Luxembourg’s private banks is increasing.”  Marx attributed the increased risk to two factors.

The first is the continuing increase in ultra-high net worth clients in Luxembourg private banks.   The Luxembourg Times stated that such clients “bring in more than half of the money managed in Luxembourg, and those clients’ deposits increased by 4 percent (€32 billion) last year, according to Association des Banques et Banquiers, Luxembourg (ABBL) (Luxembourg Bankers’ Association).  The second is the increasing number of non-European clients at private banks.  Although the year-on-year percentage of non-European clients has remained steady at 11 percent, that percentage translates to “real-term growth of €3.4 billion to €40 billion, given that the overall market expanded by 9%.”

One Luxembourg-based private bank, the Russian East-West United Bank, confirmed that Luxembourg is increasingly popular with its clients from Russia, Ukraine, Kazakhstan, and Belarus.  The Luxembourg Times article also speculated that “[t]he numbers for third-country clients could be even higher,” as ABBL data “include legal structures that are domiciled in Luxembourg, but whose beneficial owners are outside the [European Union].”

While the CSSF declined to name specific countries that prompt its concern, the Luxembourg Times reported that “industry participants speculated that China and Russia are in its crosshairs,” in part because “Luxembourg has especially close business ties to China,” with seven Chinese banks headquartered there.

N.B.: Bank regulators have long recognized that private banks are susceptible to money laundering.  As the European banking sector continues to reel from the effects of the Danske Bank scandal, financial institutions doing business in Europe need to recognize that criminal enterprises have an active interest in identifying and exploiting new channels for laundering.  Certainly those responsible for directing the $234 billion in potentially suspect transactions that flowed through Danske Bank’s Estonian branch did not wait to seek out those new channels, and the information in the Luxembourg Times provides sufficient cause for concern by European financial institutions and financial regulators like the CSSF.

Accordingly, anti-money laundering compliance officers at financial firms doing business in Europe should incorporate this information into their money laundering risk assessment processes.  They also need to be thinking now about how to refine their AML compliance programs to address private banking-related risks, and how best to respond when regulators over time expand their oversight of AML compliance to include private-banking concerns.

Spanish High Court Charges Spanish Construction Company FCC with €82 Million Bribery in Panama

On October 30, Spain’s National High Court, the Audiencia Nacional, formally charged Spanish construction company Fomento de Construcciones y Contratas, S.A. (FCC) with corruption and money laundering in connection with €82 million ($92 million) in payments that FCC allegedly made in Panama.  The charges, which are directed at three FCC entities, relate to allegations that FCC paid bribes to obtain metro and hospital contracts in Panama between 2010 and 2014.

An Audiencia Nacional release stated that its investigation began in 2017, after a complaint against a legal advisor of Brazilian construction company Odebrecht for possible violations of money laundering, bribery, and criminal organization committed between 2009 and 2015.  According to the release, Odebrecht used Spanish companies to launder amounts from bribes paid by various construction companies, in exchange for contract awards.  In particular, the Spanish Anti-Corruption Prosecutor’s Office asserted that the three FCC companies “constituted a consortium” with Odebrecht as its leader, to participate in public-contract awards in Panama.  That consortium succeeded in winning contracts for two Panamanian metro lines.

By “oversizing the supply of steel needed to build the Panama metro and billing it at double its price,” the release stated, the companies obtained funds “to pay gifts to employees and political leaders of Panama.” The diversion of these funds “was done through screen companies managed by FCC and Odebrecht executives.”

The release also stated that after analyzing the documentation in the case, Audencia Nacional Judge Ismael Moreno determined that there are indications that the three FCC companies were able to participate in events that may constituting crimes of corruption in international transactions (under article 286 ter of the Spanish Penal Code (CP) and money laundering (under PC articles 301 and 302.2).  Judge Moreno also noted that there are indications that several senior FCC executives (since dismissed) participated “in the alleged corruption agreements regarding 13 infrastructure works that tendered in Panama, Costa Rica, Salvador and Nicaragua.”

Judge Moreno also took note of the fact that in In May and June 2019, FCC filed two complaints with the Anti-Corruption Prosecutor about the commercial agreements relating to the facts under investigation.  In particular, FCC provided 38 invoices and transfers totaling €82,768,849 between 2010 and 2014 “for services not provided, according to the company, and to cover payments for alleged corruption.”  Nonetheless, Judge Moreno concluded that criminal responsibility should extend beyond the former FCC executives because FCC “did not activate or apply any protocol aimed at preventing the commission of criminal acts, nor effectively implemented appropriate control or reaction mechanisms to detect criminal actions committed within the company .”

In an October 31 statement, the Barcelona-based company reported that it was aware of the alleged corruption, which had occurred before the new controlling shareholders of FCC  took overt in 2015.  It stated that FCC has been cooperating with the authorities, and “ratifies its commitment and collaboration with the judicial authorities to clarify the facts.”  It also declared that “a total commitment to the principle of zero tolerance for corruption is established” throughout the enterprise.

N.B.:  This case provides yet another indication of how far the ripple effects of the Odebrecht scandal continue to be felt.  Under the Audencia Nacional’s procedures, FCC was given five days to appoint a representative and an attorney to represent the defendant companies.  It seems likely that FCC will now seek to reach some kind of criminal resolution with the Spanish prosecutors and the court, as the fact that current management reportedly had no hand in the alleged Panamanian bribery scheme will not be dispositive of the charges.

Tech Companies, Kuwaiti Authorities Respond to BBC Investigation of Modern Slavery in Kuwait Via Apps

On October 31, BBC News reported that an undercover investigation by BBC News Arabic found that domestic workers in Kuwait “are being illegally bought and sold online in a booming black market”  through readily available apps.  Some of the trafficking of domestic workers reportedly “has been carried out on Facebook-owned Instagram, where posts have been promoted via algorithm-boosted hashtags, and sales negotiated via private messages.”  Similar listings “have been promoted in apps approved and provided by Google Play and Apple’s App Store, as well as the e-commerce platforms’ own websites.”

Despite the fact that Kuwait has laws to help protect domestic workers in the country, BBC News reported that various apps, such as 4Sale and Instagram, “enable employers to sell the sponsorship of their domestic workers to other employers, for a profit.”  This practice bypasses the agencies that ordinarily bring domestic workers into the country, and “creates an unregulated black market which leaves women more vulnerable to abuse and exploitation.”

According to the BBC, nine out of 10 Kuwaiti homes have a domestic worker.  In the BBC Arabic investigation, two members of the investigative team posed as a couple who was newly arrived in Kuwait.  They reportedly “spoke to 57 app users and visited more than a dozen people who were trying to sell them their domestic worker via a popular commodity app called 4Sale.”  That app “allowed you to filter by race, with different price brackets clearly on offer, according to category.”  One “seller”, a policeman seeking to sell his domestic worker, told the couple that “You will find someone buying a maid for 600 KD ($2,000), and selling her on for 1,000 KD ($3,300).”

Various “sellers” “almost all advocated confiscating the women’s passports, confining them to the house, denying them any time off and giving them little or no access to a phone.”  The undercover team were told by app users, “who acted as if they were the ‘owners’ of these women, to deny them other basic human rights, such as giving them a ‘day or a minute or a second’ off.”

In addition to the apps being used in Kuwait, the investigation found hundreds of women being sold on Haraj, a popular commodity app In Saudi Arabia and “hundreds more” on Instagram.

After the BBC team “contacted the apps and tech companies about their findings,” multiple companies took various actions:

  • 4Sale “removed the domestic worker section of its platform.”
  • Facebook, which owns Instagram, said that it had banned the Arabic hashtag that translates as “#maidsfortransfer,” and pledged to “continue to work with law enforcement, expert organisations and industry to prevent this behaviour on our platforms.”
  • Google stated that it was “deeply troubled by the allegations,” and that it had asked the BBC “to share additional details so we can conduct a more in-depth investigation.”
  • Apple stated that it “’strictly prohibited’ the promotion of human trafficking and child exploitation in apps made available on its marketplace,” adding that app developers “are responsible for policing the user-generated content on their platforms.”
  • Haraj reportedly had no comment.

As of October 31, certain firms had continued to distribute the 4Sale and Haraj apps, “on the basis that their primary purpose is to sell legitimate goods and services.”  Consequently, hundreds of domestic workers were still being traded on Haraj, Instagram, and other apps.

The next day, however, the BBC reported that Kuwaiti authorities had “officially summoned the owners of several social media accounts used to sell domestic workers as slaves, ordered those responsible to take down their ads, and compelled them “to sign a legal commitment, promising no longer to participate in this activity.”  In addition, Instagram stated that “it had removed further content across Facebook and Instagram, and would prevent the creation of new accounts designed to be used for the online slave market.”  Google and Apple also stated that “they were working with app developers to prevent illegal activity on their platforms.”

N.B.: These BBC reports not only show another dimension of how modern slavery is conducted, but also provide evidence that tech companies need to incorporate into improving their Modern Slavery Act compliance programs.  App developers should also take note of these reports, and take action to see that their apps are not used for such repellent practices.

International Cricket Council Bans Bangladesh Captain from All Cricket for Two Years for Failure to Disclosure Corrupt Overtures

On October 29, the International Cricket Council (ICC) announced that it had banned Bangladesh cricket captain Shakib Al Hasan from all cricket for two years (with one of those years suspended), after he accepted three charges of breaching the ICC Anti-Corruption Code for Participants.  Under Article 2.4.4 of the Code, it is an offense for a player to fail to disclose to the ICC Anti-Corruption Unit (ACU), without unnecessary delay, “full details of any approaches or invitations received by the Participant to engage in Corrupt Conduct under the Anti-Corruption Code.”

Al Hasan was presented with three charges under Article 2.4.4: (1) Failure to disclose to the ACU “full details of any approaches or invitations he received to engage in Corrupt Conduct – in relation to the Bangladesh, Sri Lanka and Zimbabwe Tri-Series in January 2018 and/or the 2018 [Indian Premier League (IPL)]”; (2) Failure to disclose to the ACU “full details of any approaches or invitations he received to engage in Corrupt Conduct – in relation to a second approach in respect of the Tri-Series in January 2018”; and (3) Failure to disclose to the ACU “full details of any approaches or invitations he received to engage in Corrupt Conduct – in relation to an IPL 2018 match between Sunrisers Hyderabad v Kings XI Punjab on 26 April 2018.”

The ICC decision in this case made clear that the charges pertained to Al Hasan’s failure to report overtures he had received from “an individual known to the ACU and suspected of involvement in corruption in cricket, Deepak Aggarwal,” via WhatsApp to provide Aggarwal with inside information for betting purposes.

Under Article 6 of the Code, a violation of Article 2.4.4 can result in a period of ineligibility from six months to five years.  In this case, the ICC weighed both aggravating and mitigating factors.  The aggravating factors included:

  1. Al Hasan’s failure to report “not one but three approaches” from Aggarwal to provide him with Inside Information;
  2. The occurrence of Aggarwal’s approaches and Al Hasan’s failures “over a period of several months”;
  3. The approaches to Al Hasan “were clear in their content and intent”;
  4. Al Hasan’s status as “an experienced international cricketer who, having participated in several anti-corruption education sessions, was fully aware of his responsibilities under the Code”; and
  5. Al Hasan’s “position of responsibility as captain of the Bangladesh national side.”

The mitigating factors included:

  1. “Al Hasan’s voluntary admission and cooperation during his interviews with the ACU”;
  2. “Al Hasan’s prompt admission of his breaches following receipt of the [ICC] Notice of Charge”;
  3. “Al Hasan’s remorse and contrition as expressed to the ACU”;
  4. Al Hasan’s “previous good disciplinary record”;
  5. “The fact that the offences did not substantially damage the commercial value and/or public interest in the relevant matches”; and
  6. “The fact that the offences did not affect the outcome of the relevant matches.”

The ICC concluded that a two-year ban, with 12 months of that being suspended, “is reasonable and proportionate.”

Although Al Hasan told the ACU that he did not accept or act upon any of the approaches he received from Aggarwal, and did not provide Aggarwal with any of the information requested, he chose to admit the charges and accept the ban.  Provided that he complies with the terms of the suspension—i.e., not committing any offence under the Code (or the anti-corruption rules of any National Cricket Federation) during the initial period of suspension, and participating “promptly and fully in any anti-corruption education and/or rehabilitation programmes as specified by the ICC” – Al Hasan will be eligible to resume international cricket on October 29, 2020.

N.B.: This ICC decision is significant in part because of the prominence of Al Hasan as an experienced cricketer, and in part because it sanctions Al Hasan specifically for failure to report corrupt overtures.  This sanction, coupled with the ICC’s recent charging of three United Arab Emirates cricketers on multiple charges that included alleged violations of Article 2.4.4, sends a strong signal that cricketers must take seriously their obligation to disclose promptly any and all corrupt overtures.