Businesses must manage increasingly complex and varied risks, and few more so than those in the energy sector.
Energy companies manage risk daily: environmental, health and safety, investment and project management, supply chains, and business continuity, all with unique challenges.
At our Risk Resilience in the Energy Sector Conference on 4 September 2024, our expert team explored five key issues facing the sector, offering practical guidance on what you can do to protect your business and ensure resilience. To help, we have created a summary of the key points for each area covered at the conference.
Sanctions
- UK sanctions are governed by the Sanctions and Anti-Money Laundering Act 2018 (SAMLA). Sanctions may apply to a regime, country or be thematic (such as international counterterrorism, and cyber activity). Lists of individuals, entities, and assets targeted by sanctions can be updated daily.
- Restrictions on entities include those which are “owned or controlled by” a designated person. Ownership and control are based on shareholding, voting rights, control of management, or other overarching control. Due diligence should consider how any counterparty’s activities are directed.
- Risk registers should take all relevant sanctions risks into account. Activities such as sending samples overseas, logistics chains, paying dividends, or employing remote workers may inadvertently expose you to sanctions risk.
- Licensing is possible. General Licences are available for certain actions or activities that are otherwise prohibited by the UK sanctions regime, and an application can be made for a Specific Licence where no relevant General Licence is in place. There is no guarantee that a Specific Licence will be granted, and even where one is, this can take months.
- Overlapping or contradictory sanctions regimes in different jurisdictions may apply. UK and US sanctions impose restrictions on persons, wherever in the world they are based – this can include activities of subsidiaries. Blocking regulations can prevent UK persons from complying with the US restrictions, causing problems if the company and its employees are subject to two different conflicting regimes.
- Sanctions enforcement may include the seizure of goods, civil or criminal penalties, and imprisonment in serious cases. UK regulators with enforcement powers include OFSI (the Office of Financial Sanctions Implementation) and HMRC.
- OFSI used “name and shame” disclosure powers for the first time in 2023, which allow for details of sanctions violations to be published, including identifying the entity who carried out the breach – even if no other enforcement action is taken.
- On 10 October 2024 the Office of Trade Sanctions Implementation (“OTSI”) is set to take over the civil enforcement of trade sanctions from HMRC, which will remain responsible for the criminal enforcement of trade sanctions breaches.
- The first UK sanctions strategy was published this year, entitled “Deter, Disrupt, and Demonstrate.” This strategy outlines an increased focus on sanctions enforcement in the UK.
Self-reporting (to OFSI, OTSI or HMRC) can be an important mitigation and should be carefully considered if you become aware of a sanctions breach in your organisation. Carrying out sanctions due diligence, and keeping records of any checks carried out, will help you to prevent breaches before they occur and to defend your position effectively if a breach is alleged.
Lynne Moss
Director - Health & Safety
lynne.moss@burnesspaull.com
Failure to prevent fraud offence
- The Economic Crime and Corporate Transparency Act introduces the new corporate offence of failing to prevent fraud. The offence, expected to come into force in Q1/Q2 2025, is wider in scope than the failure to prevent bribery offence but has similar extraterritorial reach.
- The offence applies to large companies or partnerships that meet at least two of the following three conditions:
  - over 250 employees,
  - turnover above £36m,
  - total assets above £18m.
  The offence will also apply to a parent company if the group as a whole meets two of the three conditions.
- The offence does not require the business to have known of the fraud: businesses may be held criminally liable for the acts of associated persons, including employees of their subsidiaries, unless they can demonstrate that they had reasonable procedures in place to prevent fraud, or that it would not have been reasonable for them to have such procedures in place.
- Whether the person who has committed the offence is an associate of the business will be determined based on the services carried out and the full circumstances of their relationship with the corporation, not just the title or employment status of that individual.
- Fraud is defined widely and includes offences under the Fraud Act 2006, the Theft Act 1968, the Companies Act 2006, and under common law. A fraud offence also includes aiding, abetting, counselling, or procuring the commission of one of the above offences.
- The Act applies where the victims of the offence are in the UK, or the offence was committed in the UK, even if the corporation is based overseas.
- Organisations will not be guilty of the offence if they were a victim of the offence, and the intended benefit was to a person or subsidiary undertaking who provides services on their behalf.
- Guidance must be published by the government before the offence comes into force, setting out what the appropriate processes should look like. These are likely to include individualised documented risk assessments, training, monitoring, and the use of digital compliance tools.
- Corporations may be subject to unlimited fines on indictment, or fines to the statutory maximum on summary conviction. They can be prosecuted in any part of the UK.
- The offence may be amended by secondary legislation in future to include smaller businesses, further offences of dishonesty, offences of a similar character to those already included, or relevant money laundering offences. This could significantly widen the application of the offence, and corporations will need to keep up to date with changes to ensure their processes remain effective.
Lynne Gray
Partner - Health & Safety
lynne.gray@burnesspaull.com
Group Claims
- Scotland should be on the risk register for corporates who may face group actions relating to climate change.
- There has been a significant increase in climate claims over recent years: individuals and NGOs are using the courts to drive change in relation to climate action.
- There is wide scope to bring a climate change claim against a company in Scotland, for instance based on a registered office address, operational or manufacturing presence, and/or if they have customers and consumers in Scotland.
- Claimants may be attracted to Scotland given the prominence of particular sectors, e.g. energy and financial services; a new group actions regime; a well-established legal system; and the ease of enforcing Scottish judgements abroad.
- There are very significant risks involved for a company defending group litigation. A large class of claimants is likely to have litigation funding to pursue their claim more robustly, can coordinate more efficiently, and it means potentially very significant exposure – both in compensation and legal costs.
- Climate claims cover a broad range of approaches. This includes a significant increase in climate-washing (or greenwashing) cases, attacking company statements and practices that assert that products or services are more climate-friendly than they really are.
- Research has identified a measurable reduction in company value from climate change litigation, both when a climate case is simply filed or issued and following an unfavourable judgment.
- Whilst climate litigation may have direct impacts, such as forcing a change in company policy or stalling or preventing a project, for campaigners it is not all about the money: claimants see success in more intangible indirect impacts, such as an increase in public awareness, understanding and behaviour. This affects the potential outcome and risk profile of climate litigation.
- Regulatory activity can bolster or provide an impetus for private claims, by throwing a spotlight on sectors or issues, and providing evidence to support a claim. The Competition and Markets Authority has a current focus on greenwashing, with a Green Claims Code, and expanding sectoral focus most recently in the household energy sector. There are also significant consumer-friendly reforms in the Digital Markets, Competition and Consumers Act (DMCC), including the power to direct companies to pay financial redress to consumers.
- Companies can manage and potentially mitigate the risks of a group claim, for example by:
  - Monitoring potential claims through social and other media
  - Early engagement with claimants and their lawyers
  - Taking advantage of a unique ‘early warning system’ in the Scottish court process
  - Involving experienced advisors who can guide companies through this novel process
Joanna Fulton
Partner - Dispute Resolution
joanna.fulton@burnesspaull.com
Cyber Risks
- The energy sector has become one of the top targets for cyber attackers, with a recent IBM Security Report identifying that 24% of all cyber attacks in the UK are made in the energy sector.
- The consequences of a successful attack in the energy sector can be particularly devastating, and include:
  - Widespread outages
  - Operational interruption, with potential for safety and security issues
  - Financial damage (costs attributed to business interruption, expert IT support, legal costs, and security upgrades)
  - Reputational damage
  - Regulatory investigation and enforcement (from multiple regulators)
  - Litigation risk (from aggrieved data subjects and/or contracting parties)
  - Increased burden of data subject requests
  - Risk of burnout among staff managing the response
- Some examples of basic technical security measures include multi-factor authentication, network segmentation, and activity monitoring and alerts. You should consider seeking external support to validate your chosen security mechanisms, as internal IT teams may not always be best placed to provide the requisite level of independent, expert analysis.
- While it is now generally accepted that data breaches (either because of attack or human error) are inevitable, organisations must take “appropriate technical and organisational measures” to safeguard the personal data they hold. What is appropriate will depend on the risk posed to data subjects, as well as the solutions which are available and the costs of implementing those solutions.
- Organisations should consider the following to build cyber resilience:
  - Conduct regular data mapping to understand what data you hold.
  - Delete data which is no longer required.
  - Risk assess your supply chain to ensure it meets the required level of security, and keep this under review.
  - Embed a culture of good data hygiene throughout all levels of the business.
  - Identify accountable individuals internally to monitor data protection compliance.
  - Report regularly to the C-suite on cyber risk, documenting key discussions and decisions.
  - Ensure all data-related policies are up to date, easily accessed and regularly discussed.
  - Implement a regular data protection training programme, tailored to relevant business areas and/or levels of accountability.
  - Prepare a cyber incident response plan and update it regularly (storing it somewhere you can find it in the event of an attack).
  - Conduct regular “cyber drills” to stress test and develop your response plan.
Rebecca Roberts
Senior Associate - Public Law & Regulatory
rebecca.roberts@burnesspaull.com
Get in touch
If you have any follow up queries, or need guidance on managing your risk agenda, please get in touch with a member of the team.