Pandora Papers — How Firms like Asiaciti Trust and Trident Trust Company Are Responding

Nearly a year ago, in October 2021, an international group of media professionals known as the International Consortium of Investigative Journalists (ICIJ) revealed that it was in possession of more than 12 million documents taken from upwards of a dozen legal firms and financial services providers headquartered in Asia, the Caribbean, and Latin America — among them Alpha Consulting Limited, Asiaciti Trust, and Trident Trust Company Limited. The tranche, known as the Pandora Papers, included private corporate records and personal information from the affected organizations and their clients.

We know little about the origins of the Pandora Papers, except that it’s unlikely they were obtained through a coordinated effort of insiders at the affected organizations. We may never know exactly how the information fell into the ICIJ’s hands. What we do know is that it was likely obtained by illegal means and that much of it is of a sensitive, even embarrassing nature.

Despite their sketchy origins, the Pandora Papers records shed light on the financial behaviors of the international elite, including numerous prominent politicians and several heads of state. Because the ICIJ has members located in France, Spain, Ireland, Hungary, Belgium, Serbia, and Australia, the release generated widespread international attention, with local reporting focused on the activities of individuals and entities in many different parts of the world.

Origin and Scope of the Pandora Papers

The Pandora Papers is only the latest in a string of such data intrusions. Previous major intrusions included the Paradise Papers, the Panama Papers, the FinCEN Files, Swiss Leaks, Mauritius Leaks, and LuxLeaks.

Like these prior incidents, the Pandora Papers collected information from many different sources. These sources tend to follow information security best practices, as would be expected for organizations acting in their clients’ best interests and in compliance with applicable national and regional law.

It therefore seems unlikely that the Pandora Papers intrusion was the result of a coordinated campaign by disgruntled insiders or amateur data thieves, as some have suggested. A sophisticated, directed effort by nation-state actors or international criminal organizations seems more likely.

The identity and motivations of those behind the release may never be known. Unfortunately, this reality has done little to dampen public outcry around the Pandora Papers.

Separating Truth From Fiction in the Pandora Papers

That outcry was fueled in large part by inaccurate reporting that has reinforced misconceptions about the service firms named in the release and many of their individual, family, and corporate clients. It threatened to do grave and lasting harm to the reputations of people and businesses that have done nothing illegal.

Many of those affected parties issued official public responses that clarified their roles in the international financial system and put the releases in context. These responses were tempered both by the affected firms’ confidentiality and fiduciary obligations to their clients and by ongoing legal investigations into the release. But they collectively delivered a more balanced, nuanced picture of the behaviors revealed by the Pandora Papers than sensationalized and often inaccurate mainstream media reporting.

While recognizing that defending against sophisticated and determined cyber forces is extremely difficult, the affected organizations have also taken additional steps, both internally and externally, to further protect against future intrusions. These steps provide a road map of sorts for other individuals and organizations that worry about their digital vulnerabilities.

Public Responses From Companies Affected by the Pandora Papers

The public responses to the Pandora Papers incident did not attract as much public attention as the release itself, but those responses are nevertheless worth sharing.

According to a response collected by The Guardian, Asiaciti Trust, an international trust and corporate services firm, said:

“Our work is subject to stringent law and regulation by the relevant authorities in each jurisdiction in which we operate. We are committed to the highest business standards, including ensuring that our operations fully comply with all laws and regulations. We maintain a strong compliance program and each of our offices have passed third-party audits for anti-money laundering and counter-financing of terrorism practices in recent years, which reflects our intense focus on this area.”

Alcogal, an international law firm, told The Guardian:

“Alcogal complies with all laws in the jurisdictions in which it operates, and it has always been Alcogal’s policy to cooperate fully with competent authorities. It has a robust compliance department and its due diligence policies follow the standards set by the laws in the jurisdictions in which it operates, as well as recommendations made by international organizations such as the Financial Action Task Force.”

And Trident Trust Company, an independent British Virgin Islands fiduciary services provider, declared that it would “adhere to the respective regulations in all countries in which the company operates and…cooperate with authorities,” according to reporting by CodeList.

These affected firms spoke out to defend their legitimate business interests and their clients’ reputations — as well as their own. They provide a response template for any organization affected by future large-scale data intrusions, to the extent that legal and confidentiality considerations permit them to respond.

Working With Private Investigators and Law Enforcement to Understand the Incident’s Origins

Many of the affected organizations have retained private digital forensics teams to investigate the intrusion that led to the Pandora Papers’ release. Because the event was unlikely to have been the work of insiders, determining who or what obtained the information — and how they did it — is an important early step in preventing such incidents in the future.

This is a best practice for any organization affected (or suspected to be affected) by data intrusions of this sort. Most digital intruders lack the skill to fully obscure their activities. They leave evidence of their presence on affected systems that allows forensics experts to piece together their movements and perhaps learn something about their motivations.

Data intrusions generally involve violations of applicable national or subnational law as well. While affected organizations may be hesitant to cooperate with law enforcement out of concern for their clients’ privacy, doing so may help advance the investigation or uncover the identities of those responsible — even if they’re beyond the reach of the criminal justice system.

Ensuring Operational Compliance

Firms that conduct business internationally and handle sensitive client information have a solemn obligation to protect that information and comply with applicable laws. As the firms’ responses to the most recent data intrusion make clear, law-abiding organizations take this responsibility seriously and devote considerable resources to uphold it.

Of course, compliance requirements multiply for businesses that operate in multiple jurisdictions around the world. Every country has its own set of regulations, and while many of these regulations follow predictable patterns, the details vary. If they attract regulators’ attention, even honest mistakes can prove costly.

Ensuring operational compliance is costly as well. But reputable firms understand it’s a non-negotiable investment. They work to implement compliance architectures, typically headed by compliance officers overseeing compliance teams focused on specific business areas or geographies. These architectures have two broad areas of focus:
  • National and subnational laws and regulations that vary by locality and are often industry-specific
  • International laws and regulations that apply across borders and typically concern broader business functions, such as information security and payments security

Operational compliance is best understood less as a business process, like managing payroll, and more as another layer of protection that scrupulous firms are compelled to use, like risk insurance.

Improving Cyber Security Protocols

Even if it’s not obligatory under applicable national or international law, all organizations have a clear business interest in adopting strong, scalable cyber security protocols.

The firms affected by these large-scale data incidents generally do have strong cyber security protocols, underscoring the sophistication of the forces responsible for them. But not all organizations have made the necessary investments in this area. Those concerned about their own vulnerabilities should hasten to do so.

Strong cyber security practices typically leverage formal frameworks maintained by recognized authorities in the digital security space. For financial firms and firms operating in other highly regulated industries, the cybersecurity frameworks published by the National Institute of Standards and Technology (NIST) and the Federal Financial Institutions Examination Council (FFIEC) are recognized as best-in-class.

These frameworks are designed to ensure compliance with applicable national and regional information technology laws and regulations. They’re therefore integral to the broader compliance obligations described above. And while a strong cyber security framework can’t deter every sophisticated, determined adversary, it reduces the risk of opportunistic intrusions by less skilled foes.

Strengthening Internal Information Security Protocols

Important as it is, a strong cyber security framework is not enough. To further reduce their vulnerabilities, organizations need to implement internal information security protocols customized to their specific business needs and aligned with their unique processes and workflows.

These protocols may include:
  • Educating employees on the nature of insider threats, including signs that a colleague may be improperly accessing and transferring sensitive information
  • Reinforcing sound email security practices, such as a strict policy against providing passwords, account numbers, and other sensitive data over email
  • Prohibiting team members from downloading email attachments from external senders or enabling macros on downloaded files
  • Continuously monitoring for external threats and using regularly updated anti-malware software to block them
  • Applying software patches systemwide as soon as they become available
  • Protecting end-user devices with firewalls, anti-malware software, VPNs, and other layers of protection as appropriate
  • Instituting end-user device policies that allow remote data wiping in the event the device is lost or stolen
  • Educating employees on the dangers of connecting unknown external media to company devices

Balancing Public Disclosure Against Legal Obligations Following Data Incidents

No organization wants to contemplate what might happen to it in the event of an unauthorized intrusion or data release. But it’s important to do this work before it’s necessary — otherwise, it’ll be done in rushed fashion under considerable duress.

One aspect of the crisis communications plan that every organization should have in reserve is a public disclosure policy. Depending on the nature of the incident and the organization, this may well be the framework around which the entire plan orients. It must answer a key question: what information can we disclose — both for the benefit of our stakeholders and to satisfy legitimate public interest — without violating our legal and confidentiality obligations to our clients or jeopardizing the investigative process?

Many organizations choose to err on the side of nondisclosure, at least in the immediate aftermath of the event. This is reasonable and even prudent amid ongoing private and law enforcement investigations and where legitimate confidentiality or fiduciary obligations exist. But it’s important for firms that choose to remain tight-lipped to at least communicate why they’ve done so — that is, to inform the public that they would like to provide more information but can’t.

Advocating for Sensible International Tax Reform and Other Public Policy Changes

It may be true that much of the public outcry over the behaviors revealed by recent large-scale data releases is misguided, provoked by sensationalized media coverage. And it’s clear that many of the individuals and firms named in these releases have done nothing wrong according to the letter of the law — they’re fully compliant with applicable laws and regulations wherever they do business.

Yet these incidents also reveal opportunities for commonsense reform of the international financial system to increase fairness across the board. Organizations that wish to get out in front of any public backlash may wish to advocate for such reforms, perhaps using the United States government’s recent proposals for new cross-border tax rules as a template. In any case, as momentum builds for such changes, firms seen as early advocates may find themselves at a competitive advantage to those seen fighting the shift.

Defending the Reputations of Clients Who’ve Done Nothing Illegal

Finally, organizations affected by unauthorized data intrusions and releases must uphold their obligations as client advocates. This means fiercely and publicly — to the extent permissible by law and advisable by counsel — defending the reputations of innocent clients besmirched by inaccurate or sensationalized reporting around their legitimate financial activities.

A Framework for “Just in Case”

Taken together, these action items make up a comprehensive preparation and response framework for data incidents. This is the sort of framework that no organization wishes to deploy — but one that proves absolutely essential should circumstances demand it.