Scarcely a month after the world media was flooded with news of the catastrophic terrorist attacks in Mumbai, headlines are once again rife with articles on the global impact of events in India. This time, the news has focused on Satyam Computer Services (“Satyam”), previously one of India’s largest and most prestigious outsourcing providers, and a series of missteps that began in October 2008, when alarming allegations of possible involvement in a customer security breach surfaced in the media. After that news, there were allegations of misdeeds with customers, a failed takeover attempt, and now the chairman’s confession of massive accounting irregularities.1 This alert will be followed shortly by an additional piece that will explore what you can do to assess and address your Satyam relationship.  

Alleged Security Breach at World Bank  

In October 2008, reports emerged that The World Bank Group, a client of Satyam, may have been the victim of a security breach.2 In an interesting twist, The World Bank (“the Bank”) denies that any such breach occurred.3  

News reports allege that World Bank servers were first discovered to have been penetrated in September 2007.4 News sources further report that another breach occurred in April 2008 when intruders allegedly gained access to the bank’s treasury network.5 Despite the Bank’s denial that the breach occurred, the Fox News report contained detailed factual allegations, said to have come from top bank executives. These reports included allegations that Satyam contractors had covertly installed spy software on workstations in the Bank’s Washington, DC, headquarters.6  

While there has been no further comment from Satyam or World Bank about the alleged security breach, the Bank recently confirmed reports that it has barred Satyam from doing business with it for eight years.7 Reportedly, the Bank confirmed reports that it had barred Satyam for providing “improper benefits to bank staff” in exchange for the award of contracts and for failing to provide adequate documentation on invoices.  

These allegations only served to further undermine confidence in Satyam, which had been struggling with corporate governance issues following erratic and unorthodox behavior early in the month.8 In an effort to stop the plunging direction of its stock, Satyam offered a share buyback, but the stock continued to fall amid speculation that the founders may be looking to sell their shares in the company.9  

Chairman Confesses Accounting Fraud  

On January 7, 2009, world markets were stunned by the announcement by Satyam’s chairman, Ramalinga Raju, that the company’s accounting records had been riddled with fraudulent numbers for years. In a letter written to Satyam’s board of directors and distributed by the Bombay Stock Exchange, Mr. Raju stated that some 50.4 billion rupees, or $1.04 billion, most of the cash and bank balances that Satyam had listed as assets in its second-quarter earnings report, were nonexistent.10 Raju further admitted that Satyam had significantly inflated its revenues, operating margin and accrued interest, and significantly understated its liabilities. The chairman stated that neither the board nor other Satyam executives had knowledge of the fraud and that the misstatements did not affect the books of Satyam subsidiaries.  

Going forward, Satyam’s management and board will undoubtedly face some tough questions, as investors worldwide struggle to understand how such a gross misstatement of accounts went undetected by auditors and regulators alike. There is no doubt that the Indian government and outsourcing industry will both be seeking answers to how this fraud could have occurred, while simultaneously working to ensure that the Satyam scandal does not unjustly sully the reputation of the Indian outsourcing industry as a whole.  

Indian Parliament Passes New Information Security Bill  

Ironically, while Satyam’s shares continued their tumble, the Indian Parliament worked diligently to pass legislation that will presumably shore up some perceived weaknesses in the outsourcing industry. On December 23, the upper house of Parliament passed the Information Technology (Amendment) Bill of 2008, one day after it had been passed by the lower house of Parliament.11 The new bill, which builds upon certain provisions of the IT Act of 2000, is an amended version of the 2006 IT Amendment Bill that failed to win Parliamentary approval.12 If enacted into law (which requires obtaining the assent of the Indian president), the bill would allow individuals in India to sue a company possessing, dealing or handling any personal data or information in a computer system that it owns, controls or operates for up to $1 million in damages, if the corporation negligently fails to implement “reasonable security practices and procedures.”13 This is a significant expansion of the 2000 Act, which created penalties for unauthorized access and hacking, but did not provide victims of a breach with a civil remedy. We will be reporting further on this legislation as the situation unfolds. It is difficult to determine whether this legislation is independently motivated, or whether it is an indirect reaction to the Mumbai bombings, Satyam events or otherwise, but the timing and speed with which it moved are certainly noteworthy. We have consulted with a prominent Indian lawyer, however, who advises that any connection between the recent events in India and the timing of the amended legislation is purely coincidental.  

Dealing with Existing Satyam Agreements  

Companies who are currently engaged in business with Satyam should take steps to safeguard their rights and interests amid the chaotic climate. Stay tuned for a follow-up Client Alert on how Satyam customers should consider dealing with agreements currently in place with the distressed service provider.