A Year in Review in the world of fraud, investigations and eDiscovery.

Every year I enjoy taking some time out to reflect and look back on the year that’s just gone and making some predictions about what the following year might bring. And what a year it’s been….

Despite all the frustrations (and heartache) so many of us have faced with Covid-19, it’s been a year like no other. For a start, we have all had to deal with a totally new way of working, juggling home schooling and work, but on top of this we have faced skills shortages across multiple sectors, we have started to see the Great Resignation really kick in and we have seen supply chain shortages and an energy crisis like never before.

In this article, I won’t be able to cover it all off by any means, but I will just take a look at what’s been happening in my world and give you a rundown of what I think it means for the future of disputes and investigations specifically.

Remote working

Let’s kick off with the obvious. Covid-19 has totally changed the way we all work, from going into the office daily to a whole new work from home environment. I think it’s fair to say that, in general, initiating home working at the start of the pandemic was done incredibly quickly and often with minimal adaptation of tools, processes, security controls or employee training. This meant that, for many firms, whilst being able to offer employees remote working pretty quickly, they took quite a bit of time to get everything in place to properly reduce the risks of home working. And of course, some still haven’t completely managed it, especially given how many firms started to get back to some form of hybrid/ office working in the Autumn only to be told they needed to work from home again in December.

In short, this whole back and forth process has proved to be very tricky (and costly) for those working in IT and tech and has meant that many organisations have had to remain incredibly agile and able to adapt alongside the ever-changing guidance.

And it’s not only been a strain for the IT and tech teams, there’s also a great deal at stake too for the companies themselves if remote or home working isn’t set up securely. After all, the nature of the work from home environment rarely facilitates the adoption of security and confidentiality measures that would typically be in an office, such as a secure network connection, secure printing, secure file exchange and so forth. The prolonged comfort of home-based operations has also led to the increased use of personal devices for work, often without adequate security measures, and shared with family members. All of these elements have increased the likelihood of information leakage, and the chances of employees falling victim to phishing schemes. It has also increased unauthorised remote access and meant that ransomware has spread through companies quickly. Not to mention the fact that any already malicious employees have (in general) felt less “watched”, meaning that they have had more chances to perform fraudulent activities.

All of the above has created a melting pot of threats and has certainly increased the likelihood of cyber incidents affecting companies across the globe. ?

Cyber skills shortage

2021 has seen skills shortages across many sectors, but one which is really suffering right now is cyber. The cyber skills shortage brings with it some very specific considerations though. For a start, people with more experience tend to look for work environments in which they can express themselves at their best, increasing their knowledge and having the right amount of autonomy. It has always been like this certainly, but now cyber talents prefer environments where companies really want to invest in cyber too. As such, in addition to having to pay these professionals generously, companies must also take into account having to invest in cyber considerably too. ?

Secondly, many IT people are reconverting, exploiting the need for cyber skills, to which they feel closer as skills. The greatest risk in this sense is having more and more cyber people closely linked to technology and fewer to the founding principles of the discipline. For example, very often the aspect of the availability of information is privileged, rather than its confidentiality and integrity. Even more often, it is thought to be able to solve everything with technology or with turnkey solutions, which just as often turns out to be useless if not properly managed and maintained.

Finally, and perhaps linked to the previous point,?many people think that cyber skills are just technical. But technology is just part of the skill. Rather the ability to identify risks, behavioural aspects, and even legal ones, are fundamental in the construction of a round cyber profile. And these attributes are hard to come by.

Increasing cyber risks

It’s been the case for a while now, but we cannot deny that cyber risks just keep increasing and will continue to do so as we move through 2022 too. This is predominantly because improvements in terms of avoidance and protection within organisations simply do not go at the same speed as the sophistication and increase of cyber-attacks. In short, the cyber-threats are advancing too quickly for the organisations to keep up. With this in mind, it’s likely we will see more and more attacks that leverage Artificial Intelligence, and as a result the old defences that have been working up until now, will be far less useful in the coming years.

Cyber risks are also multiplying due to M&A transactions since the pandemic as well. These acquisitions potentially connect environments with different cyber characteristics and maturities. The risk is therefore to introduce cyber vulnerabilities, usually underestimated, in environments with adequate maturity, without having thought about how to manage them, but only how to make business processes work (TSAs, etc.)

Firms across all sectors will need to beef up their cyber security measures as we move into the new year. And to do this, they must ensure that cyber security risk is on the agenda of the Board and the Risk Committee. This must be managed by senior management and not just at a technical level (as is often the case right now). Doing this would simplify the allocation of adequate budgets and resources, but also simplify the approval process for cyber rules, and introduction of cyber Key Performance Indicators (KPIs).

Clearly this is a change that will involve a whole new understanding a cyber-vocabulary at board level, but it will almost certainly help companies to understand this new class of cyber security threats landscape. In this way companies will be able to mitigate, transfer, and accept cyber risk commensurate to the business needs far better than they are right now.

Regulatory investigations and court cases

Regulatory investigations slowed down for the first three months at the start of the pandemic, mainly because it took some time for the regulatory bodies to adapt to working from home. That being said though, we are expecting much more activity from the regulators in 2022. We know the CMA in the UK has been talking to French competition authority and they have been learning from one another, particularly around remote inspections/ investigations, for instance.

We’ve also started to see more and more remote interviews being conducted too as we transitioned through 2021. But it has to be said that these make for difficult cases. This is predominantly because it’s much more difficult to read body language during online interviews, unlike when attending in person. Individuals can also be “coached” by another person off screen during a remote too which can cause difficulties.

Data collection processes for cases have also been more difficult and required a much heavier reliance on the IT infrastructure being trustworthy, especially where in person attendance is not possible. Likewise, where confidential information is to be reviewed, it’s been much more challenging to enforce and monitor data security when all parties are working remotely.

Disclosure Pilot Scheme extensions

2021 also saw a number of changes in the business and property courts too. The Disclosure Pilot Scheme (DPS) trial period, which was originally due to come to an end at the close of 2021, was since extended until 2022. I think it’s fair to say that some serious questions still remain about whether the pilot will become a permanent enforcement, predominantly because multiple litigators have reported some significant concerns about the pilot to date. In fact, 70% of respondents to our DPS survey judged that the scheme was not fit for purpose, with almost all respondents (97%) expressing dissatisfaction with aspects of the pilot.

But that being said, we have to remember that a great deal has happened over the last two years. I’m sure, in an ideal world, the DWG would have had enough feedback (case rulings, judges’ comments etc) in the two-year original timeframe to get the DPS?from ‘pilot’ to ‘final’, but there has been a number of unexpected scenarios at play. Certainly, Covid has played a part in case volumes and judge’s rulings and slowed down the overall process. And to an extent, maybe they simply underestimated how long it would take and the amount of work to go from v1 of the pilot to final.

Whilst it is yet to be seen whether the pilot scheme will be extended yet again after this next 2022 deadline, it’s important that there is a plan put in place and real actions are taken – this cannot simply be a case of kicking the can down the road.

Future of investigations and tech

So, what does the future look like? Well, although the underlying systems and tools being used have changed dramatically, the intent of the wrongdoers, and the ‘schemes’ being investigated, have not. And they probably won’t either in the future either. There is now a more diverse range of systems that can be compromised, or for fraudsters to exploit, but thankfully the forensic world is keeping up with analysis of such systems and the digital fingerprints actions of individuals leave on these systems.

Regulators are increasingly becoming more sophisticated with their use of technology. They now have the ability to capture data remotely from companies or from external sources for pre-investigation work. For example, competition authorities have been using web scraping to capture data regarding companies performance and proposed mergers/acquisitions to check competition/anti – trust law. Tech will need to continue to become more ‘intuitive’. For instance, using AI models to learn from previous cases to help solve future cases faster. There also needs to be a continued use of AI in monitoring and regulatory divisions of companies to detect problems earlier.

It’s also safe to say that data and systems are only going to get more complex, more interlinked from a system basis and more intertwined from a life perspective too. We will likely see multiple examples of blockchains, and cryptocurrencies impacting financial decisions and will also witness how the trend to remote or hybrid working will continue to drive new tools and dispersion of data, as well as increasing the lack of clarity between home and work. In addition, we will no doubt see how the metaverse (whatever that ends up being) comes to interact with us all. For instance, you can already buy ‘property’ in a virtual metaworld, but how long before we start to experience serious meta-frauds.

With this amount of change and, indeed uncertainty, there are often no simple solutions. This means organisations will need to call on expert help when dealing with contentious issues around data and/or technology when it comes to cyber, investigations or disclosure. The key though, as always, is making sure that they don’t call upon these experts too late, but rather bring them into their preparation stages. The tide of change is upon us, but those at the forefront, with robust preparation, strong systems and a proficient team of experts, will be able to negotiate the choppy waters, no matter what 2022 brings.