Wednesday, November 29, 2023

PwC’s vulnerability exposed as head of its risk and ethics duped by a fake email accoun


PwC’s vulnerability exposed as head of its risk and ethics duped by a fake email account

PwC Australia’s head of risk discussed the hiring of new general counsel with a fake email account made by an insider concerned over the firm’s lax security

Emails shown to The Australian show PwC chief risk and ethics leader Jan McCahey supplied information concerning the appointment of new general counsel Kylie Gray after she was contacted from a Proton mail account under Ms Gray’s name. 
Ms McCahey’s failure to identify the emails from the Protonmail account, a secure encrypted email platform, have been seen by some as a significant oversight by the firm’s new head of risk and ethics. 
This email to Ms McCahey, sent on Wednesday last week, questioned the chief risk officer over “my remuneration and bonus arrangements”, asking whether information could be kept secret from partners “in the current circumstances”. Ms McCahey told the sender, whom she believed to be Ms Gray, that her “rem and bonus arrangements will not be disclosed to partners”. The Australian understands this would be an unusual arrangement for PwC, with current and former partners saying partnership pay is usually disclosed within the firm. 
One source told The Australian there was an internal database that could be accessed using a code linked to a partner.
This database showed the pay of partners across PwC, except for the chief executive. The fake email also questioned Ms McCahey on “when her role was planned to be announced to the firm”. 
Ms McCahey replied that the announcement would be made this week. PwC on Tuesday announced that Ms Gray was joining the besieged firm from Westpac, as new general counsel. Ms Gray, who worked at the bank for more than a decade, joins PwC as the firm attempts to rebuild confidence in its management and operations. 
She will start in early 2024, replacing Karen Evans-Cullen, who took the post in July, replacing Meredith Beatie. Ms Evans-Cullen is returning to law firm Gilbert + Tobin.
Ms Beatie was widely seen internally as the architect of the legal strategy that PwC used to attempt to evade legal attention from the Australian Taxation ­Office.
The ATO targeted PwC after learning the firm’s former head of international tax Peter Collins shared confidential information with other members of the firm. 
PwC was excoriated after it was revealed the firm had used confidential government briefings to sell help clients attempt to minimise their tax obligations. 
Already PwC has been forced to sell its government consulting arm in the wake of work evaporating after revelations of the firm’s misuse of confidential information. 
The Australian understands the operator of the account that purported to be Ms Gray’s has referred the exchange to PwC’s management after alerting Ms McCahey that she had been duped.
The operator of the fake account said they did so to alert PwC of its confidentiality failures and cyber security vulnerability. They said they did this after hearing Ms McCahey openly speaking about “confidential recruiting matters in public”. A PwC spokesman on Tuesday said Ms Gray’s “confidential information” had not been shared with the fake account by Ms McCahey. “Fraudulent emails are directed to the firm’s IT department,” he said. 
The fake email scandal is a setback for PwC’s new chief executive Kevin Burrowes, who has been working to stabilise the listing audit and consulting giant. 
Mr Burrowes took on the top job at the firm in June after the firm dumped its local leadership, including CEO Tom Seymour, after being linked to the scandal, and then Kristin Stubbins after she was unable to repair the damage. Ms McCahey was appointed by Mr Burrowes as PwC’s new head of risk in July this year as part of a broad shake-up in leadership. 
At the time Mr Burrowes said Ms McCahey was “an experienced risk and quality leader and was previously PwC’s global leader for public policy and regulation”.
PwC recently announced it would appoint corporate veteran David Stephen as its new chief risk officer. Mr Stephen, who previously served as chief risk officer at Westpac from 2018 to 2022, will report to Ms McCahey. 
Ms Gray did not respond to requests for comment.