News

How we reacted to the London Bridge atrocity

June 14, 2017

Recent events at London Bridge, the location of our London office, required us to implement Disaster Recovery and Business Continuity Plans. However unfortunate, from a business point of view, such events prompt us to constantly review and develop our disaster recovery procedures and ensure they are sufficiently robust. This article gives a brief insight into the action taken, what worked and what didn’t.

The premise

On the evening of Saturday 3rd June, a major terrorist atrocity occurred at London Bridge – the location of our London office. This involved people being hit by a van on the Bridge itself, in front of our office, and a number of members of the public being stabbed in the area, including one stabbing outside the rear entrance to our building. As a result, our office was immediately evacuated of all security staff by the Police and put into the “secure zone”. All access to the building was precluded to facilitate the collection of forensic evidence.

The initial reaction

Throughout Sunday 4th June the premises status was monitored in conjunction with our landlord’s agents and by late afternoon it became apparent that access to our London office remained unlikely. The London Disaster Recovery (DR) team met via conference call at 1630 and plans were put in place, on the basis that the building would continue to remain “out of bounds” for the next 24 hours. This included the activation of our DR site and preparation of IT systems to allow staff to work from home. Finally, all staff were advised via our DR notification system of the likelihood of the implementation of DR procedures and not to travel into London until further notification.

The DR team met again via conference call at 0700 on Monday 5th June, having monitored the situation since 0600 in conjunction with the premises manager. It was confirmed that access to our London premises was not possible and, as a consequence, our DR plan was implemented. Staff were advised of the situation at 0730, as promised, and all clients were emailed at 0830. The client emails were supplemented by calls from our Client Service teams to clients from 0900 onwards.

Business as usual

By 0900, 60% of our Client Service staff were either logged into Augentius’ systems at home or present at our DR site (the vast majority working from home) – with over 95% being operational by 1000. Although there were some slight delays, all client deliverables were achieved during the course of the day. It was not possible to re-direct 100+ telephone numbers in the short term (the event was not expected to last more than 48 hours maximum) and, as a consequence, Augentius staff communicated with clients via email or mobile phones. The office reception number was transferred to a mobile phone and all calls were answered and dealt with.

Whilst access to the building was made available during the morning, only one doorway was open – precluding the use of the office (two separate exits are required under Health and Safety Law to facilitate an easy evacuation in the event of fire/another event). In any case, the DR team had already made the decision not to relocate staff until the next working day to prevent a loss of useful time. Whilst a 1600 call was scheduled for the DR team to plan the next 24 hours of working, the Police relaxed access to the building at circa 1530 and our offices then became fully usable. As a consequence, the call was cancelled and a message issued to all staff at 1630 advising that the office would be open for “business as usual” on Tuesday 6th June. Clients were advised by email of the updated situation prior to 1700.

All in all, the DR event was successful. Our staff were kept informed at all times (in a survey over 80% responded that our communications were either “good” or “very good”); our clients were kept fully informed; our technology, in which we continue to invest substantial sums, allowed effective working either at home or at our DR site without any issues and all client deliverables were achieved.

Lessons learned

As with all events such as this, there are learning points and our review process is ongoing. These include:

(i) Due to holidays/personal events, it was difficult to get in touch with some DR team members over the weekend – this has been discussed and alternative lines of communication are being put in place.

(ii) We were unable to ascertain, either through our own systems or those of the London Bridge office, whether any of our staff had been caught up in the event – processes are being put in place to achieve a better response rate from staff and to be more aware of “missing” staff to facilitate investigation.

(iii) Some delays were incurred, by the third party provider, in the setting up of PCs at our DR location – discussions are underway with the provider.

(iv) We were unable to re-route all telephone numbers – software has now been identified to achieve this and this is currently being tested.

Conclusion

We are carrying out a further review to enhance our procedures and practices in light of this event, but we are pleased to report that none of our staff were caught up in the event itself and we were able to deliver all our clients’ requirements during the day.


WannaCry – What should you be doing?

May 31, 2017

WannaCry, the cyber-attack that crippled numerous organisations around the world recently, was a simple global attack on Microsoft Windows XP and similarly outdated operating systems.

Organisations that maintain such outdated systems – often because the systems are interfaced with other systems and cannot be updated without substantial upheaval and cost, or simply through a lack of investment – are exposed to attacks once the vendors cease to support them. Patches are no longer provided and it generally becomes known that the systems are vulnerable. Interestingly, WannaCry was spread by all versions of unpatched Microsoft operating systems but nearly all infections were on Windows 7 machines.

The attack had no effect whatsoever on Augentius’ systems. This was because:

(i) we use modern systems which are constantly patched;
(ii) there is no external access to our systems, i.e. no holes in our firewalls; and
(iii) anti-virus protection is run across all systems and updated intra-day.

Augentius has a dedicated team managing our IT network around the clock and we run modern operating systems which are fully supported by Microsoft. In addition, our network is monitored for malicious traffic and our firewalls are regularly penetration tested against known threats by accredited external specialists.

For many, the WannaCry incident was a wake-up call. So, what should managers be doing, if they haven’t already?

  • Review current systems, identify any old or unsupported systems and consider replacement
  • Install all patches as quickly as possible
  • Have anti-virus checks running across all systems at all times and ensure they are kept constantly up to date
  • Run penetration tests with certified external providers

Update of the Singapore Companies Act

April 20, 2017

Key changes to the Singapore Companies Act have taken place with effect from 31/03/2017. Clients and Managers need to consider what effect these may have and what changes to practices and procedures are necessary, if any. Below is a brief synopsis of the changes.

1. Register of Registrable Controllers

(a) All companies incorporated in Singapore, foreign companies and limited liability partnerships (“LLPs”) registered in Singapore (unless exempted) are required to maintain beneficial ownership information in the form of a register of registrable controllers.

(b) A controller is defined as an individual or an entity that has a significant interest in or significant control over the company:

  • Significant Interest
    • Own shares with more than 25% of total voting power in the company.
  • Significant Control
    • (i) Holds the right to appoint or remove directors who hold a majority of the voting rights at directors’ meetings;
    • (ii) Holds more than 25% of the rights to vote on matters that are to be decided upon by a vote of the members of the company; or
    • (iii) Holds the right to exercise significant influence and control over the company.

(c) The register of controllers should be maintained at the registered office and must be made available to the Registrar and public agencies (e.g. Commercial Affairs Department, Corrupt Practices Investigation Bureau and IRAS) upon request.

2. Register of Nominee Directors

Companies will also be required to maintain a register of nominee directors. The registers and the information must be made available to the Registrar and public agencies upon request.

3. Retain Records of Wound Up Companies

(a) The officers/partners/managers of struck off companies and LLPs are required to retain all books and papers of the companies or LLPs for five years.

(b) A liquidator must retain records of wound up companies and LLPs for five years instead of two.

4. Common Seal

(a) Companies and LLPs have the option not to use the common seal in the execution of documents as a deed, or other documents such as share certificates. Companies will have the option to execute documents by having them signed by:

  • (i) a director and a secretary of a company,
  • (ii) two directors of a company; or
  • (iii) a director of the company in the presence of a witness who attests the signature.

(b) Companies can choose to retain the use of a common seal based on business needs.

5. Bearer Shares in Foreign Companies

The issuance and transfer of bearer shares and share warrants by foreign companies registered in Singapore will be void.

If you feel Augentius can be of any assistance to you, please do not hesitate to contact us.