Beware of identity theft, phishing and cyber breaches
CGj reviews the latest guidance note issued by the Institute, focusing on helping charities and NGOs understand the dangers of fraud, as well as offering practical advice on its prevention and mitigation, and provides an overview of all guidance notes published by the Institute between April and September 2024.
Highlights
- charities and NGOs are particularly vulnerable to fraud and identity theft as their cybersecurity resources are often limited, awareness of the hazards may be inadequate and reliance on donors means that any breach can lead to serious, long-term reputational damage
- awareness of possible threats and a robust system of risk management, along with instilling a culture of vigilance, are vital to protect against the ever-growing threat of fraud and identity theft
- everyone involved in a charity or NGO should be made aware of the organisation’s fraud prevention guidelines, and should receive regular, up-to-date training on the risks and preventative measures
As an integral part of its thought leadership initiatives, the Institute regularly publishes guidance notes as a way to assist governance professionals in Hong Kong and the Chinese mainland to better fulfil their roles as the governance guardians and gatekeepers of their organisations, and to promote good governance practices.
The Institute, with the support of its Public Governance Interest Group under the Technical Consultation Panel, published a two-part guidance note in September 2024, titled Fraud Prevention and Mitigation for Charities and NGOs, to highlight the risk of fraud faced by these organisations and to outline a number of pragmatic measures for prevention and mitigation.
Background
In today’s more interconnected and digitalised world, it is an inescapable fact that fraud – such as identity theft and phishing – is becoming increasingly prevalent across all industries. NGOs and charities are particularly vulnerable, for several reasons.
Resources for NGOs and charities to adequately protect against fraud and cybersecurity breaches may be limited – as the guidance note explains, ‘they usually face severe competition against funding allocation for operational services requirements’. In addition, charities may be viewed by fraudsters as soft targets for identity theft, as the nature of these organisations ‘may result in less stringent financial controls and a lack of awareness of possible hazards’, the guidance note warns. Identity theft hazards include impersonation fraud, website cloning, phishing attacks and unauthorised fundraising campaigns.
In addition, the risk of identity theft and phishing is particularly relevant to charities and NGOs since they depend so heavily on donations and goodwill from the general public. The loss of reputation, on top of possible financial losses, resulting from such breaches has a very detrimental impact – a negative reputation can last indefinitely and can affect a charity’s capacity to carry out its goals.
Case examples
The guidance note highlights UNICEF as a pertinent example of the fraudulent use of a charity’s name and logo – in this case, through ‘the fraudulent use of our name and logo by unethical individuals who deliberately abuse the trust of UNICEF supporters worldwide’ – citing the UNICEF website, which provides clear and precise information on how fraud is perpetrated and what measures can be taken to protect against such abuse. This demonstrates that even a large international organisation like UNICEF, which has far more resources than the majority of smaller charities and NGOs, is not immune to cybersecurity breaches, identity theft and phishing.
While this was a worldwide issue for UNICEF, the Institute’s guidance note pinpoints a number of recent examples from Hong Kong. In September 2023, HK Ballet suffered a ransomware attack, where hackers took control of the data of 8,122 individuals. The guidance note reveals that, in this case: ‘The Office of the Privacy Commissioner for Personal Data found deficiencies in information system management, lax monitoring of the data security measures adopted by the service vendor, lack of policies and guidelines on information security and lack of appropriate data backup solutions.’ More recently, in July 2024, Oxfam Hong Kong suffered a cyberattack in which the personal data of 470,000 people was potentially leaked.
Fraud prevention and mitigation
Awareness of possible threats and a robust system of risk management, along with instilling a culture of vigilance, are vital to protect against the ever-growing threat of fraud and identity theft. While the guidance note states that ‘the possibility of fraud cannot be eliminated, even with preventative measures in place’, it points out that charities and NGOs should take steps to lessen their exposure, as well as establish a number of mitigation measures in the event that fraud does take place.
Fraud prevention
It is essential that everyone involved in a charity or NGO is aware of the organisation’s fraud prevention guidelines and that there is a programme of regular, up-to-date training sessions – not just for the board members, other senior members and employees, but also for any volunteers. It is also important to have a clear whistleblowing policy.
- Inspection and surveillance: according to the guidance note, ‘Charities and NGOs should implement stringent screening procedures for any people or groups claiming to be raising money on their behalf.’
- Robust internal regulations: robust internal controls, such as segregation of roles, frequent financial audits and personal data protection, are necessary to help prevent fraud.
- Regular review and audit: regular review and audit by both internal and external parties can help identify fraud or irregularities at an early stage.
- Internal training and building awareness: good governance practice calls for regular and frequently updated training on risk and governance issues, covering both management control and operational levels.
- Awareness-raising initiatives: NGOs and charities should proactively inform their donors of the dangers of fraud and the precautions they can take.
- Digital security measures: ‘online contribution platforms and websites for charities and NGOs must be secured. This entails using SSL certificates, installing two-factor authentication for administrative access and routine software updates to guard against security flaws,’ the guidance note recommends.
Fraud mitigation
Fraud can – and does – happen, even if preventative measures exist. Charities and NGOs should therefore also institute a framework for fraud mitigation to counteract any occurrence.
- Crisis management plans: crisis management strategies and incident response plans that specify what actions to take, and by whom, need to be put in place. This would include protocols for communication with donors.
- Reputational management: the guidance note clearly states that ‘communicating openly and promptly with the public, stakeholders and contributors is crucial’, and suggests that professional external communication specialists should be engaged if the incident is considered to have a sizeable impact on the reputation of the organisation or on the community.
- Insurance coverage: acquiring insurance coverage to guard against fraud can lessen the financial damage and provide funds for any repairs or legal fees.
- Working with authorities: charities and NGOs must know what legal remedies are available in the case of fraud, such as notifying the proper authorities, taking legal action against those responsible, and cooperating with the police to locate and retrieve money that has been lost, if possible.
Key takeaways
‘In the current difficult climate, charities and NGOs must always be on the lookout for fraud,’ the guidance note emphasises. While the possibility of fraud cannot be totally eliminated, charities and NGOs can take active steps to safeguard their assets, donors and reputations. However, as the guidance note cautions, ‘there is no one-size-fits-all solution’, so these organisations must adopt clear and careful strategies to deal with identity theft and other examples of fraud by remaining vigilant and encouraging a culture of alertness.
The Institute would like to thank all those involved in the production of this two-part guidance note (see ‘Guidance note roundup’ for details).
Guidance note roundup
The HKCGI guidance notes published in the second and third quarters of 2024 are set out below. The Institute would like to thank everyone involved in their production.
April
Guide on Board Evaluations – An Overview. This HKCGI guidance note examines the increasingly important governance issue of board evaluations by examining the UK position on the purpose and procedure of a board evaluation, as well as the required disclosure, as a matter of good governance. The UK and some other jurisdictions adopt the ‘comply or explain’ approach, which Hong Kong is also expected to move towards from the current best practice recommendation.
This guidance note was authored by Mohan Datwani FCG HKFCG(PE), Institute Deputy Chief Executive, with contributions from David Simmonds FCG HKFCG, Institute President, Michael Ling FCG HKFCG, Chairman of the Institute’s Technical Consultation Panel, April Chan FCG HKFCG, Institute Past President, and Ellie Pang FCG HKFCG(PE), Institute Chief Executive.
A Chinese-language version of this guidance note was published in June.
May
Climate Disclosure Requirements – Executive Summary (Parts 1 and 2). These two guidance notes were compiled by HKCGI to provide governance professionals with an overview for advising their chairpersons and boards of listed issuers on the new climate disclosure requirements and proposed changes to the Hong Kong Listing Rules to align with IFRS S2.
The two guidance notes were authored by Teresa Ko BBS JP FCG HKFCG, Partner and China Chairman, Connie Cheung, Head of Listed Companies Advisory, and Sam Cheung, Associate, Freshfields Bruckhaus Deringer. Edith Shih FCG(CS, CGP) HKFCG(CS, CGP) (PE), Honorary Adviser to Council, Past International President and Institute Past President, and Ellie Pang FCG HKFCG(PE), Institute Chief Executive, were contributors to both parts.
July
The Impact of the New PRC Company Law on Companies Listed in Hong Kong. This Chinese-language HKCGI guidance note was produced in collaboration with Tian Yuan Law Firm LLP to introduce the new PRC Company Law and explain its impact on Hong Kong–listed companies.
Audit Governance. This HKCGI guidance note is based on the Accounting and Financial Reporting Council’s July 2024 publication – which sets out actionable recommendations for public interest entities – to provide advice to governance professionals supporting listed issuers and their management as part of audit governance.
It was authored by Mohan Datwani FCG HKFCG(PE), Institute Deputy Chief Executive, with input from April Chan FCG HKFCG, Institute Past President, and Michael Ling FCG HKFCG, Chairman of the Institute’s Technical Consultation Panel.
PCPD’s AI Regulatory Framework. This guidance note, published by the Institute’s Technology Interest Group, updates governance professionals and other relevant stakeholders – including directors and senior management – on the latest AI regulatory advisory in Hong Kong to help organisations use and manage AI risks for operational resilience in an ethical manner.
Wynne Mok, Partner, and Jason Cheng, Associate, Slaughter and May, are coauthors of this guidance note. Members of the Institute’s Technology Interest Group are Dylan Williams FCG HKFCG (Chairman), Ricky Cheng, Harry Evans, Gabriela Kennedy and Philip Miller FCG HKFCG.
August
Redomiciliation Regime for Hong Kong (Update). This guidance note, the 12th issue published by the Institute’s Company Law Interest Group, updates governance professionals and the general public on the technical requirements of the redomiciliation regime to enhance their knowledge and help them plan accordingly.
This guidance note was coauthored by Benita Yu FCG HKFC, Senior Partner and Chairman of the Institute’s Company Law Interest Group, and Lisa Chung, Partner, Slaughter and May, with contributions from Angela Mak FCG HKFCG, Cathy Yu FCG HKFCG and Wendy Yung FCG HKFCG.
Privatization of Hong Kong Listed Companies. This HKCGI guidance note, published in both English and Chinese in collaboration with Baker McKenzie FenXun, introduces the common methods, major steps and important points to note in the privatisation of companies with a primary listing in Hong Kong.
Spin-offs of Hong Kong Listed Companies. Also in August, in collaboration with Baker McKenzie FenXun in both English and Chinese, this HKCGI guidance note offers a clear and concise framework of practical advice for Hong Kong–listed companies, their directors, supervisors, senior management and investors, as well as all relevant stakeholders, on the issue of spin-offs of Hong Kong–listed companies from the perspective of the securities regulatory regime.
September
Handling Cayman Islands Shareholder Disputes. This HKCGI guidance note provides governance professionals with a clear and practical understanding of possible remedies available under Cayman Islands law in the event of shareholder disputes.
This guidance note was coauthored by Gemma Bellfield, Partner, and Max Galt, Associate, Ogier, Cayman Islands.
Fraud Prevention and Mitigation for Charities and NGOs (Parts 1 and 2). This two-part HKCGI guidance note, published in collaboration with the Institute’s Public Governance Interest Group, looks at fraud risks, including identity theft for charities and non-governmental organisations, and offers practical advice on fraud prevention and mitigation.
This guidance note was authored by Mohan Datwani FCG HKFCG(PE), Institute Deputy Chief Executive, with contributions from Michael Ling FCG HKFCG, Chairman of the Institute’s Technical Consultation Panel, April Chan FCG HKFCG, Institute Past President, and Daniel Chow FCG HKFCG(PE), Institute Treasurer and Council member. Members of the Public Governance Interest Group comprise April Chan FCG HKFCG (Chairman), Lau Ka Shi BBS FCG HKFCG, Margaret Yan, Natalia Seng FCG HKFCG, Rachel Ng ACG HKACG, Samantha Suen FCG HKFCG, Stella Lo FCG HKFCG(PE) and Vicky Li.
The Institute would also like to thank April Chan FCG HKFCG, Institute Past President, and Michael Ling FCG HKFCG, Chairman of the Institute’s Technical Consultation Panel, for their oversight of the Institute’s guidance notes, and Mohan Datwani FCG HKFCG(PE), Institute Deputy Chief Executive, who serves as the Secretary of the Institute’s Interest Groups and is the Contributing Editor of the Institute’s guidance notes.
Comments and suggestions are welcome, and should be sent to: mohan.datwani@hkcgi.org.hk.