On May 9, 2016 the International Consortium of Investigative Journalists (ICIJ) released a searchable database with information on almost 320,000 offshore entities from of the Panama Papers and Offshore Leaks investigations. The Mossack Fonesca leaks and subsequent publication of the database, the largest ever release of secret offshore holdings and the people behind them, links people in more than 200 countries and territories across 21 jurisdictions, and will continue to have ramifications around the world.

Records suggest that over 30% of Mossack Fonseca clients were in the Hong Kong / Greater China region. The papers hint at the large role Hong Kong plays in offshoring funds from Mainland China. The importance of some individuals involved has prompted PRC censorship of the reporting, possibly for fear that the revelations might discredit the ongoing anti-corruption campaign.

The concentration of Mossack Fonseca clients highlights that Hong Kong-based law firms, accounting firms and the wider offshore trust industry are an attractive target for cyber criminals and data breach incidents. Professional services firms must take action by assessing their vulnerability and put in place measures to secure data and vital client information against external attacks and also from internal threats.

The recent article in our Privacy & Cyber Security newsletter, The Panama Papers and Implications for Cyber Security in Law Firms, addresses concerns raised about the ability of law firms to protect themselves and their clients’ data from data breaches, and highlights tips for firms to keep the data they handle secure.

It has been reported that Mossack Fonseca established 37,675 companies in Hong Kong between 1977 and 2015, more than in any other country. The off-shore Panamanian-based law firm relied on a secretarial management company run by an accountant based in Wanchai, Hong Kong. As a result of the large number of companies established in Hong Kong, the territory will likely become a target of further investigation.

How the initial leak of documents became available to governments and to the ICIJ is far from clear, with Mossack Fonseca claiming its server was the subject of hacking. Further investigation by the Panama Attorney General’s Office, who raided the offices of Mossack Fonesca on April 13, 2016 may in time shed some light as to whether this was an IT security failing or whether an insider played a significant role.

This brings to the forefront the fact that Hong Kong is at risk owing to the large number of Hong Kong companies in the Panama Papers. Security at many companies in the trust, offshore finance and company formation business is not strong enough to protect vital client information.

Further disclosures arising from the leaked Panama Papers may lead to the reassessment of existing anti-money laundering and countering the financing of terrorism regulations, in addition to customer due diligence measures. New regulatory measures are likely and prosecutions may follow under AML rules or bribery legislation such as the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act.