Despite being comparatively well-prepared, watchdog Sepa is still suffering the fallout of a breach in December 2020
The Auditor General for Scotland has warned that public sector bodies must have robust IT defences in place after revealing that the Scottish Environment Protection Agency (Sepa) still does not know the full financial implications of a December 2020 cyberattack.
Last year Sepa described the cyberattack, which took place on Christmas Eve 2020, as “serious and complex”, and noted that it displayed “significant stealth and malicious sophistication” that “significantly impacted our organisation, our staff, our public and private partners, and the communities who rely on our services”.
During the attack the majority of Sepa’s data was encrypted, stolen or deleted overnight, with cybercriminals demanding the organisation pay a ransom in order to access it again.
Sepa did not pay up and was able to continue operating, but a special report from Audit Scotland has found that the organisation is still working on reinstating parts of its systems and has not yet been able to quantify the full implications of its financial records being wiped.
“Sepa was unable to quickly restore its data from its back-ups,” the report states. “Sepa’s back-up policy was in line with best practice in that there were three copies of the data, located at two separate locations, with one copy stored offline. However, the sophisticated nature of the attack meant that online backups were targeted and corrupted at an early stage, meaning there was no way of accessing historical records quickly.”
The report continues: “The auditor reported that prior to the cyberattack Sepa had well-developed systems of internal financial control and reporting. However, the attack meant that Sepa could not access any of its financial systems and a significant amount of its data. This meant, since December 2020, management has had limited financial information in which to monitor performance and make decisions as it prioritised re-establishing business-critical systems.”
As a result, Sepa’s finance team has had to piece its accounts together using HMRC and banking records, meaning Audit Scotland had to issue a disclaimer when signing off its 2021-21 accounts.
“As a result of the cyber attack and subsequent impact on Sepa’s underlying financial records, the auditor was unable to obtain sufficient evidence over income from contracts (£42.1m) to gain assurance that this was free from material misstatement or fraud, including whether income had been receipted in the correct financial year,” the report states. “This also impacted on bad debts written off in year (£2.2m) and the deferred income included within trade and other payables (£11.2m) recorded in the Statement of Financial Position.”
Auditor general Stephen Boyle said that, given Sepa had strong cyber defences in place before the attack, the incident highlights how important it is that public sector bodies focus on cyber security.
“This incident highlights how no organisation can fully defend itself against the threat of today’s sophisticated cyberattacks, but it’s crucial that organisations are as well-prepared as possible,” he said. “Sepa was in a solid starting position but it will continue to feel the consequences of this attack for a while to come. Everyone in the public sector can, and should, learn from their experience.”
Jo Green, acting chief executive of Sepa, noted that, while it is proving “challenging and complex”, Sepa’s recovery from the attack “continues apace”, adding that accountancy firm Grant Thornton had praised it for being able to prepare financial accounts in light of the breach.
“We approved and submitted audited accounts for publication. Qualified accounts and a Section 22 report outlining the circumstances of the crime, the organisation’s response, recovery and financial impact have been laid before the Scottish Parliament by the Auditor General and our full response to the cyberattack, including service status and independent audits, can be found [on the Sepa website],” she said.
“Grant Thornton, in their external audit report to the Auditor General for Scotland, noted that Sepa undertook ‘a significant exercise’ to recreate accounting records in order to prepare financial statements for the financial year ended 31 March 2021 and given the catastrophic impact of the attack, they have commended management on their ability to reproduce accounting records and prepare draft financial statements by September 2021.”
Green stepped in as interim chief executive last month after incumbent Terry A’Hearn left the organisation in the wake of “conduct allegations”.
Sepa chairman Bob Downes said at the time that A’Hearn had “stepped down and left his position” but did not elaborate on what the allegations related to.
“Sepa has a clear Code of Conduct and takes conduct allegations very seriously indeed,” Downes said. “In order to protect anonymity, Sepa is unable to comment further.”