SEPA still unclear of cyber-attack financial impact

The full financial impact of the cyber attack on the Scottish Environment Protection Agency (SEPA) in 2020 is still unclear, Audit Scotland has found.

SEPA said it has launched a fresh appeal for information to tackle waste crime in Renfrewshire

The auditing body found that SEPA is still reinstating some of its systems more than a year after the “sophisticated” ransomware attack.

Accounting records had to be recreated from bank statements and HMRC records, leaving auditors unable to fully examine SEPA’s finances, including £42 million of contract income, Audit Scotland found.

SEPA’s management is also still trying to understand the “full financial impact of the cyber-attack”, which has speeded up the building, or buying, of new systems and infrastructure.

The senior team is also addressing recommendations for further improvement made in independent reviews of the incident.

Everyone in the public sector can, and should, learn from their experience

Stephen Boyle, auditor general

Prepare

Stephen Boyle, auditor general for Scotland, said: “This incident highlights how no organisation can fully defend itself against the threat of today’s sophisticated cyber-attacks. But it’s crucial that organisations are as well-prepared as possible.

“SEPA was in a solid starting position but it will continue to feel the consequences of this attack for a while to come. Everyone in the public sector can, and should, learn from their experience”.

Attack

On Christmas Eve 2020, the Scottish Environment Protection Agency (SEPA) was the victim of a “sophisticated ransomware attack”.

The agency’s annual report stated it was unable to access its systems and data due to a malicious software installed by an external agent.

Financial consequences

SEPA didn’t pay the ransom, but was able to find ways to continue delivering key services such as issuing flood alert and flood warnings within 24 hours of the attack, Audit Scotland said.

More than twelve months later, it is still rebuilding its digital infrastructure and assessing the full impact of financial consequences, the report added.

According to the document, SEPA could not access any of its financial systems. Since December 2020, the agency had limited financial information in which to monitor performance and make decisions as re-establishing business critical systems was a priority.

Opportunity to improve

Audit Scotland also advised actions across the Scottish public sector to consider things such as 24-hour security operations, implementing a Cyber Incident Response specialist company and regular reviews of an incident response plan.

The annual report stated it will take time for SEPA to fully recover from the attack, but the agency views this as an opportunity to improve and accelerate the delivery of its digital strategy.