CIMA Case Study - May 23 - Strategic - Mock Exam A - Answers WITH MARKING GUIDE


CIMA

Strategic Case Study

May 2023

Mock Exam A
Answers

To gain maximum benefit, do not refer to these answers until you have completed the mock
questions and submitted them for marking.
CIMA STRATEGIC LEVEL CASE STUDY (MAY 2023)

© Kaplan Financial Limited, 2023


The text in this material and any others made available by any Kaplan Group company does
not amount to advice on a particular matter and should not be taken as such. No reliance
should be placed on the content as the basis for any investment or other decision or in
connection with any advice given to third parties. Please consult your appropriate
professional adviser as necessary. Kaplan Publishing Limited and all other Kaplan group
companies expressly disclaim all liability to any person in respect of any losses or other
claims, whether direct, indirect, incidental, consequential or otherwise arising in relation to
the use of such materials.
All rights reserved. No part of this examination may be reproduced or transmitted in any
form or by any means, electronic or mechanical, including photocopying, recording, or by
any information storage and retrieval system, without prior permission from Kaplan
Publishing.

KAPLAN PUBLISHING
MOCK EXAM A ANSWERS

Task 1

Email

To: Rasim Hamid, Chief Finance Officer
From: Senior Finance Manager
Subject: Ransomware attack

Outcome for the three scenarios

Ransomware is triggered and the data files are encrypted

If the data files were to be encrypted, there would be an immediate impact for Daistruk as
all data in respect of operations would become inaccessible. This means that information
about movement of goods on behalf of clients, details of inventory in warehouses etc. would
no longer be available, and operations could potentially grind to a halt. This would lead to
loss of confidence on the part of our clients as their own operations would be adversely
impacted. After a while, this may lead to the termination of contracts, and ultimately the
end of the company.

The Board would need to decide immediately what information it is prepared to make public
about disruption to operations. It may consider that admitting Daistruk has been hacked
successfully could lead to loss of confidence in IT security, which would naturally be
extremely concerning to any client whose own system is integrated in some way with that of
Daistruk.

If the Daistruk Board were to announce a temporary shutdown whilst a solution to ‘an IT
glitch’ is found, without explaining the reason to clients, then the creators of the malware
may make further contact and agree to supply the decryption key in return for the ransom
being paid. In this instance, it would probably be worth paying the ransom of R$50m in order
to restore normal operations as quickly as possible in order to prevent much greater long-
term financial and reputational damage to the company.

However, if clients’ own systems were to be compromised, and those clients later
discovered that Daistruk had willingly withheld knowledge of such risk, this could also cause
long-term reputational damage.

Either way, Daistruk will need to introduce greater checks on operational data once the
system is functioning properly again, to check the accuracy of inventory levels and
movement. This is because decryption of the files may not be completely successful.

Ransomware is triggered and the attacker targets client data

This has even greater consequence than the outcome above, in that Daistruk has no control
over the immediate outcome. The abuse of client data will lead to uncertainty over what is
happening and why, if clients have not had prior warning from Daistruk over the threatened
action.

If the hackers target client systems due to a degree of integration with Daistruk systems, it
will be immediately evident to clients what is happening. They would then presumably
investigate why the data they hold is no longer accurate or why their system is not working
the way that it should, and would, it is safe to assume, quickly realise that they have been
compromised because of their relationship with Daistruk. A failure on this company’s part to
warn them at the earliest possible opportunity could damage business trust irreparably, and
even lead to litigation for loss of earnings.

The worst-case scenario if client systems are targeted is that clients decide to move to other
companies for their logistics needs, and the reasons behind such decisions are made public
knowledge. Daistruk would find it almost impossible to restore faith in its ability to meet
customer needs. The share price would be adversely affected by such negative stories, and
shareholders would demand an immediate response; they may also consider replacing the
executive directors.

It is therefore advised that, whatever outcome may transpire, key clients who might be
impacted are contacted immediately and warned of the threat, so that they can take
whatever steps possible to protect their own data and systems immediately.

Pay the ransom

As at the end of the last financial year, Daistruk had R$32 million in cash. The ransom
demanded is R$50 million, and so it could not be paid just from existing cash reserves; an
element of short-term borrowing would be required. However, the financial status of the
company is healthy, with an interest cover ratio of 9.9 times, and so servicing any increase in
debt should not be a problem and the company would no doubt be able to raise the
necessary funds.

Although the Board would not wish to make public the payment (there is no real need for it
to do so) there would be a financial impact in this year’s financial statements. Based on
results for the year to 31 December 2022, a payment of R$50 million would decrease
operating profit by almost 36%, as it would have to be reflected in the statement of profit or
loss for that year. This could lead to questions from shareholders over the cause for the fall
in profits, which the Board would be bound to answer honestly.

Furthermore, the dividend policy shown in 2022, with a high percentage of profit for the
year being paid out as dividends, would probably have to change, given the reduced profits
anticipated for 2023 as a result of the ransom payment (unless the company were to start
borrowing to fund a dividend in excess of profit). Either way, this could be interpreted as a
change in policy.

A further consideration is what might happen in the future. If Daistruk were to be seen as a
‘soft touch’, the decision to pay could result in further threats from hackers, more attempts
at breaching the company’s IT security, and/or larger ransoms being demanded. Those who
have (successfully) held the company to ransom once will be of the opinion that the Board
will agree to more payments for future threatened attacks. In addition, other cyber criminals
may be tempted to target this company once the payment for this attack becomes public
knowledge. Daistruk is going to have to invest considerably more money and time on IT
security to ensure that the threat of such attacks is minimised.


Relative responsibilities of the CIO and the Board as a whole

The Board of Directors has a collective responsibility to manage all aspects of the company,
including IT security. It is normal and acceptable to delegate responsibility for tasks
associated with a particular area to a designated director. For example, any issues that
involve employees or employment policy will typically be the responsibility of the Human
Resources (HR) Director. This is to ensure efficient management of the organisation, as the
HR Director will have special expertise in respect of the matter at issue.

However, any recommendations that come from a particular director must then be
considered by the Board as a whole, and the Board must accept collective responsibility for
any decisions taken. If particular Board members were to try to absolve themselves from
involvement in particular matters, perhaps on the grounds that they do not want to
threaten their own career prospects, then they would not be satisfying the legal and
fiduciary responsibilities that they accepted when taking on their role.

In this particular instance, it is reasonable for the Board to delegate specific tasks and
decisions to Andrea Lopes, the CIO, as she will have the knowledge, expertise and
experience to advise the Board on what she feels is the most appropriate response. She has
been in a senior IT position since 2017, and so is well versed in all aspects of Daistruk’s
systems and operations. She has also been on the Board for three years, and so will be
particularly well-qualified to advise on how IT impacts strategic leadership.

This attack on Daistruk’s systems is too significant, however, for one person to deal with
individually. Andrea will need to delegate much of the necessary work to managers who
have greater recent experience of day-to-day operations; their advice will be critical in
determining how to respond, and in monitoring any impact that triggering the ransomware
is having.

The decision on how to respond is too important to leave in the hands of just one person.
The best-case scenario (assuming that the threat is not merely a hoax) is the payment of
R$50 million; the worst-case scenario, that Daistruk can no longer continue as a going
concern. Leaving this decision to Andrea alone would put her under the most extreme
pressure and, given the consequent levels of stress, could lead to the wrong steps being
taken.

It is therefore vital that the Board as a whole works together to debate the different ways
of responding to this threat, and agrees on the most suitable way forward.


Marking guide:

a) Outcome for each of 3 scenarios re ransomware = 20 marks

Trait: Recommend responses to threats

No rewardable material: 0 marks
Level 1 (1-5 marks): No application to the context of the scenario. No explanation of likely
outcomes. Does not address all 3 scenarios.
Level 2 (6-12 marks): Identifies and explains briefly the likely outcomes for all 3 scenarios,
but with little depth. Some relevance to the context of the scenario.
Level 3 (13-20 marks): Identifies and explains fully the likely outcomes for all 3 scenarios.
At all times relevant to the scenario.

b) Responsibilities of CIO and Board = 13 marks

Trait: Changes in business ecosystem

No rewardable material: 0 marks
Level 1 (1-4 marks): Gives limited explanation of responsibilities, no relevance to scenario.
Doesn’t address CIO/Board separately.
Level 2 (5-8 marks): Explains briefly a reasonable number of points in respect of
responsibilities of CIO/Board, all relevant to the scenario.
Level 3 (9-13 marks): Explains fully a broad number of points in respect of responsibilities
of CIO/Board, all relevant to the scenario.


Task 2

Email

To: Rasim Hamid, CFO, Daistruk
From: Senior Finance Manager
Subject: Share price movements, and currency risks

I have been considering the recent Daistruk share price movements, and the currency risks
associated with the EDS contract. I have presented my thoughts below.

Share price movements

Short selling

Short selling is when a trader (speculator) borrows shares from a broker and immediately
sells them with the expectation that the share price will fall shortly afterwards. If it does, the
trader can buy the shares back at the lower price, return them to the broker, and keep the
difference, minus any loan interest, as profit. It is a very risky strategy – if the share price
were to rise instead of fall, the trader could lose a lot of money.

Market efficiency

In an active and well-regulated stock exchange (like the one in Roundland), share prices
generally move in response to information. Good news about a company generally pushes
the share price up, and bad news leads to the share price falling.

In a semi-strongly efficient market, the prices would only respond to information being
made public. However, in a strongly efficient market the prices would move in response to
any information at all – even private information.

In this case, the Chair, Chief Executive Officer and Chief Financial Officer have been
discussing the Daistruk share price movement and none of them seems to understand why
the price has been falling. This seems to point towards a strongly efficient stock market in
Roundland, where some private information (that even the directors don’t know about!)
seems to be driving the share price.

Short selling by a hacker

In a strongly efficient market, one way in which a steady and persistent decrease in the
share price could occur would be if someone was selling shares on the open market, despite
the declining price. This could be explained by someone in possession of inside information,
who knows that the price will soon fall much further, who wishes to profit from short selling.
This could be consistent with a hacker who plans to attack Daistruk, selling shares in advance
of that attack. The adverse publicity caused by a successful attack would probably make the
share price plummet, and so it would be possible to buy shares cheaply on the open market.
The hacker could be planning to use the short sale as an additional way to benefit from the
ransomware attack, perhaps in case we do not pay the ransom. Selling Daistruk short and
triggering the ransomware will benefit the hackers over and above any ransom that the
company pays, but only if the attack occurs before the short sales have to be closed out. If it
is assumed that the decreasing share price is linked to the threatened attack, then the
assumption is consistent with the threat being real.

Other possible explanations

There is no guarantee that any short selling is linked to this ransomware threat. There could
be other inside information that is triggering short sales. The same behaviour could be
caused by someone who knew about some other problems that were about to emerge. For
example, an employee of a competitor could know that the competitor has plans to launch
an exciting new service on a specific date, but that information is being kept confidential
until the launch date.

Insider trading is a serious crime, and it might be more difficult to profit from such a blatant
short sale as this without being caught. The authorities will be suspicious if Daistruk suffers a
major cyber-attack and short-selling positions are closed out immediately afterwards.

Alternatively, the declining share price may not be due to short selling and may not be a sign
of strong-form efficiency. It may be attributable to a shareholder who has a large investment
and wishes to liquidate that position. Announcing the sale of a large block of shares will
always depress the share price, and the shareholder will not get the full market price for a
large shareholding, even if the sale is motivated by a desire to rebalance a portfolio or to
release cash for some strategic purpose. Shareholders with large blocks generally do their
best to sell them in small blocks in the hope that the market will not pay too much attention.

Whatever the reason for the fall, it might have nothing to do with sales. Share prices
respond to new information reaching the market, and the market can adjust prices without
waiting for purchases and sales to adjust through supply and demand. While it is unlikely,
there could have been a succession of news events that the market has perceived as
negative over the past two months.

Currency risk

Different types of risk

The three types of currency risk are transaction risk, economic risk and translation risk. If it
enters the contract with EDS, Daistruk will face transaction risk (the risk that the exchange
rate moves between agreeing to make the payment and the payment date) and economic
risk (a longer-term risk caused by currency movements over a number of years). Translation
risk relates to foreign assets and liabilities so would not be relevant here.

Risks faced by Daistruk

It sounds like Daistruk will have to commit to paying six annual amounts in S$. At today’s
exchange rate, the amount is approximately R$ 20 million per year, but this will change each
year if the exchange rate between the R$ and the S$ changes. Each year, Daistruk will be
able to hedge the payment using a method such as a forward contract or futures contract, to
eliminate the transaction risk each year. However, if the exchange rate between the R$ and
the S$ moves significantly over the six years of the contract, the amount paid towards the
end of this period could be materially different from R$ 20 million. This is the impact of
economic risk – the present value of these payments, and hence the value of the company,
could vary as a consequence.

Evaluating the potential impact of these risks

The starting point in evaluating the currency risk would be to review historical movements in
the exchange rates. Past volatility may not necessarily indicate future exchange rate
movements, but it is a logical starting place. The press can also be reviewed in order to
establish whether there have been any significant economic adjustments by either of the
governments (in Roundland and Southland) in case that could render past volatility
unrepresentative of the future.

There is also a forecast exchange rate implicit in the interest rates offered in both Roundland
and Southland. It would be possible to determine the market’s expectations of the
movements over the five-year period by simply looking at the differential interest rates.

It could be argued that there is very little point in evaluating the potential currency
movements because the commitment lasts only six years, and the impact is only likely to
be material if the cost in R$ is expected to be significant. It should also be noted that EDS
appears to be offering an immediate response to a problem that will cost a great deal if we
pay the ransom (and the perpetrator may demand further payments).

EDS can also protect Daistruk’s data over the next six years, thereby ensuring the
continuation of IT operations for that period. It seems rather foolish to be discussing the
possibility of currency exposure on EDS’s fee under those circumstances because it seems as
if Daistruk has little real choice.


Marking guide:

a) Discussion of share price movement = 21 marks

Trait: Business valuation

No rewardable material: 0 marks
Level 1 (1-5 marks): Explains a limited number of points without reference to the scenario.
Ignores short selling.
Level 2 (6-13 marks): Explains a reasonable number of points in respect of the scenario,
including an attempt to explain short selling.
Level 3 (14-21 marks): Explains fully a broad number of points, specific to the scenario,
including short selling.

b) Exposure to currency risks = 12 marks

Trait: Recommend responses to currency risk

No rewardable material: 0 marks
Level 1 (1-3 marks): Gives limited explanation of currency risk, no application to scenario.
Level 2 (4-7 marks): Explains briefly a reasonable number of points on currency risk, usually
relevant to the scenario.
Level 3 (8-12 marks): Explains fully a number of points on currency risk, always relevant to
the scenario.


Task 3

Email

To: Rasim Hamid, CFO
From: Senior Finance Manager
Subject: Implications of events

Ethical arguments

In evaluating the ethical arguments it is useful to consider the fundamental ethical principles
of integrity, objectivity, confidentiality, professional competence & due care and
professional behaviour. The key is to consider different viewpoints, as what may seem like
appropriate action to some, may be perceived differently by others.

The first principle of integrity is probably the most significant given its presence in Daistruk’s
core values and therefore the importance Daistruk gives to ensuring integrity with its
stakeholders. Integrity means being straightforward and honest in all professional and
business relationships. Daistruk’s behaviour does appear to be consistent with this.
Perpetrators of ransomware are unlikely to value integrity highly, and as such the R$50
million ransom would be unlikely to be the final demand from them. The perpetrators of the
ransomware are likely to be motivated by making as much money as they possibly can, and
once they discover that Daistruk is likely to succumb to demands like this, they will be more
likely to place further demands with the Daistruk Board. As such, there would be very little
benefit to the main stakeholders of Daistruk in the payment of the ransom.

Moving on to objectivity, this principle requires the Board not to allow bias or conflict of
interest to influence business judgements. Considering that Daistruk is a quoted company on
the Roundland stock exchange, this means that the Board should choose the option that will
maximise the shareholders’ returns. The important point to note is that the Board would not
know for sure at the time of informing the police that it was indeed a hoax. Daistruk was
warned not to inform the police, although the result of that warning is unclear from the
information I have seen. Some may perceive the action of refusing to negotiate as an
attempt to protect the Board’s reputation first, rather than the best interests of the
shareholders and other stakeholders.

In terms of confidentiality, this is about Daistruk and the Board not disclosing information
without specific authority. It could be argued that contacting the police would make
disclosure of personally identifiable information, confidential business information and client
data that Daistruk has more likely. It may have been more appropriate to contact data
security specialists (such as EDS) to understand the potential ramifications and find a
possible satisfactory solution. Another concern associated with confidentiality is that the
police may be more likely to disclose the attack to show they had resolved the issue. This
disclosure could alert further threat actors to consider possible attacks on any flaws in the
Daistruk cyber defences.

Considering the principle of professional behaviour, this relates to Daistruk and the Board
complying with relevant laws and avoiding actions that would discredit Daistruk. It would
seem that contacting the police when someone is attempting to commit a criminal offence
would be appropriate. That allows the authorities to investigate the issue and likely prevent
it happening to other parties. Had Daistruk paid the R$50 million ransom, then it could be
argued that Daistruk was complicit in a criminal act. Perhaps more concerning, the
perpetrators would not only be encouraged to try other organisations, they would also have
significantly more resources available, even if they only used a portion of the R$50 million
they received in this instance for further hacking attempts.

Finally, there is the principle of professional competence & due care: this is about the Board
maintaining appropriate knowledge and skill. In terms of appropriate knowledge, the Board
has a good range of experience, particularly in IT areas with Henrik Gerding (CEO) and
Andrea Lopes (CIO) having expertise in this area. It would seem that Daistruk could
reasonably argue that the Board had assessed the threat and taken a reasoned judgement.
Cyber threats are constantly evolving and so it is important for Andrea Lopes and her team
to maintain their professional development.

Cyber security objectives

Availability

The cyber security objective of availability is about making sure that both Daistruk
employees and clients have access to the Daistruk systems and network 24 hours a day, 365
days a year. If the systems fail, it could result in lost clients, as those who need a delivery
made may choose an alternative logistics provider, or it could mean a delivery driver getting
lost and failing to make a delivery on time.

Andrea Lopes references a hot back-up site and this can be a very useful tool for business
continuity. It appears that the Daistruk Board could be guilty of assuming that having such a
good back-up means that Daistruk can guarantee availability, and that, if required, the
back-up can be brought online instantly. This incident has highlighted that a hot back-up is
not sufficient: the back-up could also be encrypted by the same malware and Daistruk could
be taken offline completely. A hot back-up works by constantly updating the back-up, so that
it is completely up to date, but the real-time updates mean that malware could be uploaded
onto the back-up system too. The constant updating is an excellent defence against the
threat of flood, fire or some kind of natural disaster at the head office, but it appears to be
at greater risk of issues created by hackers and malware.

Rectification

A hot back-up is very appealing, but it seems appropriate to build in additional security to
avoid both primary and back-up servers being taken offline by the same malware. This could
be done by reducing the frequency of updates to the back-up. Daistruk could introduce a
screening process prior to each back-up to verify the latest update would not corrupt the
back-up system. This would mean that the back-up was not as ’hot’, i.e. not always instantly
ready to go online, but it would help mitigate the issue that has been identified here.

Another step that could be taken is further use of penetration testing. Daistruk employees,
as well as being a key asset, are always potentially the biggest risk to cyber security, so
taking additional preventative techniques like this could help avoid any malware getting on
to the systems in the first place. If Andrea Lopes' IT team initiated some simulated phishing
tests on Daistruk employees, this would help reaffirm the importance of any cyber security
training that is already carried out.


Confidentiality

Organisations like Daistruk create and obtain a huge amount of information, from driver
movements and routes to client systems and operations, and also personal information like
a home address or payment details. This kind of information must be protected from
unauthorised access and disclosure, including complying with privacy requirements. The
possibility of ransomware accessing and encrypting confidential information clearly puts this
cyber security objective at risk.

In this particular case, the threat to confidentiality was not actually real. It was a
combination of a disgruntled employee and some accomplices creating a persuasive
argument. It is hard to be certain whether there is a real threat to confidentiality because of
the failed blackmail attempt. Confidentiality is not just an objective of cyber security; it can
carry heavy penalties if it is not achieved. The EU legislation (GDPR) carries a possible fine of
4% of revenue; if the Roundland equivalent is the same, that could be a fine of almost R$80
million for Daistruk. It is also likely to damage Daistruk’s reputation for excellent service, and
therefore reduce future revenues.

Rectification

The Board should take this opportunity to consider steps it could take both to improve
confidentiality processes within Daistruk and to minimise any damage should a breach
occur. Absolute confidentiality may be very difficult to achieve due to the nature of
Daistruk’s operations; data, network and systems are accessed in so many ways, from
various locations (for example multi-occupancy ports or inland ports), to truck drivers who
will be connected to the network and systems while on the move because of the route
planning applications used, to the integration with client systems.

Containerisation could also be reviewed to ensure that particularly sensitive data is only
available to those who absolutely need it, and that parts of the systems and networks are
fenced off to those who do not need to access those parts. This would reduce the likelihood
of any malware getting access to the most sensitive data that Daistruk holds. It could also
protect client systems and networks from the malware, and if a client’s systems were
infected with malware it could help prevent it crossing into the Daistruk network and
systems.


Marking guide:

a) Ethical arguments over informing the police = 17 marks

Trait: Identify ethical dilemmas and recommend suitable responses

No rewardable material: 0 marks
Level 1 (1-4 marks): Explains a limited number of points on ethics, no application to the
scenario.
Level 2 (5-11 marks): Explains briefly a reasonable number of points in respect of the ethical
issues, some relevance to the scenario.
Level 3 (12-17 marks): Explains fully a reasonable number of points in respect of the ethical
issues, fully relevant to the scenario in the question.

b) Cyber security issues = 17 marks

Trait: Recommend appropriate controls

No rewardable material: 0 marks
Level 1 (1-4 marks): Gives limited explanation of cyber security controls, no relevance to
scenario.
Level 2 (5-11 marks): Explains briefly a reasonable number of points in respect of availability
and confidentiality, some attempt at how to rectify.
Level 3 (12-17 marks): Explains fully a reasonable number of points in respect of availability
and confidentiality, full attempt at how to rectify.


SUMMARY MARKING GUIDE

Core activity    A        B        C        D        E        TOTAL
TASK 1           20       13       -        -        -        33
TASK 2           -        12       21       -        -        33
TASK 3           -        -        -        17       17       34
TOTAL            20       25       21       17       17       100

Blueprint        15-25    15-25    15-25    15-25    15-25
