Scotland’s environment agency has been warned that £42m in contracts income for its regulatory work cannot be “substantiated” following a devastating cyberattack.

The Scottish Environment Protection Agency (SEPA) has been unable to recover sufficient evidence of its finances through bank statements and HMRC records, Audit Scotland said today.

A new report from the Auditor General for Scotland’s office released today has revealed that SEPA – rocked just a week ago by the sudden departure of its chief executive over conduct allegations – is ‘in the process of understanding the full financial impact of the cyberattack on the organisation in December 2020’.

The contracts in question relate to SEPA’s statutory environmental monitoring and regulation of licensed activities, including licences held by utility companies, waste and manufacturing businesses, fish farms and quarries; this fee income makes up a sizeable part of the agency’s annual income.

SEPA employs 1,268 people who are based around Scotland. It is funded by ‘grant-in-aid’ from the Scottish Government (£37.6 million 2020/21), income from contracts such as license fees paid by businesses and individuals (£42 million, 2020/21), and other income (£1.8 million 2020/21).

In 2020/21, SEPA underspent against its departmental expenditure budget by £1.3 million. However, the auditor was unable to obtain sufficient audit evidence that income from contracts, and related transactions, was ‘free from material misstatement’, and issued a disclaimer of opinion on the financial statements.

The cyberattack on Christmas Eve 2020 crippled the agency’s networks, prompting a full-scale government and police response. The agency refused to pay the bitcoin ransom demanded by the Conti ransomware gang suspected of the attack in return for its systems. The majority of SEPA’s data was encrypted, stolen or lost, and a cache of its files was later posted on the dark web. Despite the impact on the organisation, the agency was able to quickly reinstate its flood warning and emergency alert systems.

SEPA has been praised for its transparency about the attack, and Terry A’Hearn, its chief executive until recently, for his leadership and focus on recovery throughout the crisis. A series of independent reviews he commissioned concluded that SEPA had a high level of cyber maturity, with police saying it ‘was not and is not a poorly protected organisation’. The reviews identified areas for further improvement and made 44 recommendations, all of which SEPA accepted and is now addressing.

Another section of the report reveals that although the sophistication of the cyberattack meant investigators have been unable to identify its exact entry route or source, there are “indications” that it was a ‘phishing’ attack, meaning ‘there may have been a degree of human error involved, which is very difficult to mitigate against’.

The National Cyber Security Centre – which, alongside the Scottish Business Resilience Centre (SBRC), helped SEPA to recover – defines phishing as ‘when attackers attempt to trick users into doing “the wrong thing”, such as clicking on a bad link that will download malware, or direct them to a dodgy website’.

As part of its recovery, SEPA has committed to rebuilding its systems from scratch rather than trying to recover the old ones, a decision it says will help it achieve its goal of becoming one of the most digitally advanced public sector organisations.

However the impact in the short term has been considerable; the Audit Scotland report reveals that since December 2020 it has had ‘limited financial information in which to monitor performance and make decisions as it prioritised re-establishing business critical systems’.

It states: “SEPA was unable to record any income received or payments made or match them to pre-existing information held on its systems, such as sales and purchase orders. Many internal controls which management rely on, such as authorisation levels, are inbuilt into financial systems. Without these systems in place the control environment was weakened. Temporary financial arrangements were put in place to ensure there were appropriate controls and authorisation of expenditure, such as paying staff and suppliers.

“The finance team had to recreate accounting records from the prior year trial balance and record transactions in manual journals. It created payroll/staff costs information from HMRC records, and income and expenditure information from bank records. There are inherent limitations in recreating records this way. It meant there was not the level of detail required to substantiate the completeness, accuracy and authenticity of financial transactions for 2020/21.”

In addition, it said: “As a result of the cyber-attack and subsequent impact on SEPA’s underlying financial records, the auditor was unable to obtain sufficient evidence over income from contracts (£42.097 million) to gain assurance that this was free from material misstatement or fraud, including whether income had been receipted in the correct financial year. This also impacted on bad debts written off in year (£2.197 million) and the deferred income included within trade and other payables (£11.210 million) recorded in the Statement of Financial Position.”

Going forward, Stephen Boyle, Auditor General for Scotland, said: “This incident highlights how no organisation can fully defend itself against the threat of today’s sophisticated cyber-attacks. But it’s crucial that organisations are as well-prepared as possible. 

“SEPA was in a solid starting position but it will continue to feel the consequences of this attack for a while to come. Everyone in the public sector can, and should, learn from their experience.” 

Jo Green, acting CEO of SEPA, said: “We approved and submitted audited accounts for publication. Qualified accounts and a Section 22 report outlining the circumstances of the crime, the organisation’s response, recovery and financial impact have been laid before the Scottish Parliament by the Auditor General and our full response to the cyber-attack, including service status and independent audits, can be found at sepa.org.uk/cyberattack

“Grant Thornton, in their external audit report to the Auditor General for Scotland noted that SEPA undertook ‘a significant exercise’ to recreate accounting records in order to prepare financial statements for the financial year ended 31 March 2021 and given the catastrophic impact of the attack, they have commended management on their ability to reproduce accounting records and prepare draft financial statements by September 2021.”