February 2024
Mock Exam J
Answers
KAPLAN PUBLISHING
MOCK EXAM J ANSWERS
Task 1
The purpose of this email is to address the actions Robobryce could take in response to the
alleged IT hack, to explain any strategic implications that these actions might have, and to
set out objectives for Sally Tang for the next 24 hours.
Strategic options
There are a number of actions that Robobryce could take in response to the alleged IT hack.
Firstly, it could choose to do nothing. We have only just been notified of the alleged hack,
and so it has not yet been proven whether the claims made by Genesys are true or false. It is
possible that Sally Tang’s fears are unfounded, and that both our operations, and those of
our AMR customers, will not be impacted.
This choice of response (i.e. doing nothing) would have the strategic advantage of avoiding
any adverse publicity over Robobryce’s IT security. However, if the claims are later found to
be true, and it were proven that the Board chose to do nothing in response, the negative
impact on our reputation could be considerable. I would therefore advise that this option is
not pursued.
Secondly, Robobryce could choose to contact all of its customers who have been supplied
with AMRs and notify them of the possible disruption to their operations if Genesys
activates its hack. This would have the strategic advantage of demonstrating a proactive
response to the threat and, if the overall impact of the threat is contained, could increase
public confidence in our company and its products. This would be the result of being seen to
act swiftly and responsibly to protect client interests in the face of a potential, but as yet
unproven, threat.
However, there is also the risk to immediate revenues; clients who are considering placing
an order with Robobryce may delay until the issue is fully resolved, or even choose to order
from a competitor. If this goes on for an extended period of time, there could be a negative
impact on the company share price, at a time when the share price is already at a relative
low. This could cause the Robobryce shareholders to demand answers over the Board’s
decisions.
Thirdly, Robobryce could suspend all sales of AMRs until the threat has been fully dealt with.
This would no doubt become a public issue; it would be difficult to keep the story out of the
media, and so there would probably be a fall in the company’s value as a result.
Interestingly, once the issue is resolved, public confidence in Robobryce might have
increased as a result of perceived responsible behaviour; investors might be impressed that
Robobryce is prepared to lose revenue even though the level of threat is unproven. The
downtime would also allow all of the company’s IT resources to be used in identifying the
source of the threat, assessing the extent, and upgrading defences against any possible
repeat incident in the near future.
CIMA STRATEGIC LEVEL CASE STUDY (FEBRUARY 2024)
If Robobryce chooses to announce to the public that it has been the target of a suspected
ransomware attack, it should issue a full press release – with associated announcements on
its website and social media channels – in order to try to control the story. It will want to
give as positive an impression as it can over the matter, so as not to cause uncertainty and
panic amongst those who might be affected.
The final option would be to simply agree to Genesys’ demands immediately, and pay the
T$150 million ransom. This would have the advantage of preventing the issue becoming
public knowledge in the short term, and should result in no negative impact for customers.
However, it would consume almost all of the company’s current cash reserves, and may
even increase the threat of repeat actions in the future (if Genesys sees Robobryce as a soft
target that agrees to threats immediately, it will have every incentive to target us again in
the future). For this reason, this option is not recommended.
Sally Tang should be set a deadline by which she and her team can reach a tentative
conclusion about the cause of this incident, and report accordingly to the Board. This
deadline needs to be late enough that it allows a full assessment, but also soon enough so
that the Board can start to take the appropriate action. It should be made clear that meeting
this deadline is crucial, and the Board should also indicate the questions to which it will be
expecting answers. The Board may also want to clarify which is most important in its opinion
– speed of response or accuracy of information.
The Board also needs to be informed of which customers might be affected if the hack were
to be activated. For example, does it relate to all AMR systems that have been delivered
over the years to customers, or might it only be the software systems of the more recent
products? In this way, Robobryce can be selective over which customers it decides to
contact to alert them of this issue, and not have to warn every single one. This would
minimise, to an extent, any negative reaction from customers.
Sally Tang should be asked to produce a report as to the nature of the attack and the
methods used by the perpetrators, with as much accurate detail as possible. Specific criteria
should be set for the standard of evidence that Sally should meet in collating and
interpreting the facts. This is because the report will be used not only for internal purposes
to make the company’s systems more robust in the future, but could also form the basis of a
prosecution in case the perpetrators at Genesys are ever caught and brought to trial.
Finally, Sally Tang should be tasked with preparing a plan for preventing a recurrence of this
ransomware attack that would stand up to scrutiny by an independent expert or consultant.
The quality of the plan would be assessed based on its ability to offer a proportionate and
cost-effective response to each of the weaknesses identified in the current system. Sally
Tang should be prepared to accept responsibility for this plan, even if she delegates
elements of its preparation to members of her IT Security team.
Marking guide:

Trait: Identify actions
Level     Descriptor                                               Marks
          No rewardable material                                   0
Level 1   Identifies some actions                                  1-3
Level 2   Explains briefly main strategic actions                  4-6
Level 3   Explains fully main strategic actions                    7-10

Trait: Strategic implications
Level     Descriptor                                               Marks
          No rewardable material                                   0
Level 1   Identifies implications                                  1-3
Level 2   Explains briefly main strategic implications             4-6
Level 3   Explains fully main strategic implications,              7-10
          with justification

(b) Recommend objectives for Sally Tang for first 24 hours = 13 marks

Trait: Objectives
Level     Descriptor                                               Marks
          No rewardable material                                   0
Level 1   Identifies possible objectives                           1-2
Level 2   Discusses relevant objectives                            3-4
Task 2
Market efficiency
In an active and well-regulated stock exchange (like the one in Tessland), share prices
generally move in response to information. Good news about a company generally pushes
the share price up, and bad news leads to the share price falling.
In a perfectly (strongly) efficient market the prices would move in response to any
information at all – even private information. Strong form efficiency is a theoretical idea that
doesn’t usually apply in the real world. Most real world stock markets are semi-strongly
efficient, which means that share prices only respond to information that is made public.
Application to Robobryce
The markets have always been aware that Robobryce is exposed to the threat of a breach of
its IT systems, because IT risks appear in the Principal Risks document. Therefore, the
current share price already reflects that threat.
It could be argued that the share price will not be affected in the long term because the
recent events simply confirm that the market’s concerns were valid. The share price will
undoubtedly dip in the short term, but that will not necessarily be a permanent decrease.
The nature and extent of the data breach could reveal some fresh information to the
markets and that could have a permanent impact on the share price.
The markets might have assumed that any serious breach would be countered by IT security
and that the threat was minimal. The fact that all AMRs supplied by Robobryce in the last
two years could be disabled may suggest that the threat to IT systems is more serious than
had been anticipated and that potential hackers are more resourceful than had been
thought. The nature and extent of this attack could undermine the market’s confidence in IT
security and could lead to a significant and long-term decrease in the share price of
Robobryce and all companies that depend on IT in this way.
Paradoxically, the ransomware attack could serve to reassure the markets, depending on
Robobryce’s handling of this potential crisis. If the company takes swift and effective action
and manages to reassure users that everything is under control then the markets may decide
that the threat of a systems hack is less severe than had first been thought. The markets may
decide that IT breaches are specific risks that can be addressed by proper diversification and
that there is no need to seek a higher rate of return because of this potential risk.
The share price is unlikely to rise, but it may recover from initial concerns and return to its
previous equilibrium level.
The response of Robobryce’s customers to this crisis will also have an impact on the share
price in the long term. The inevitable adverse publicity and expressions of irritation by
customers are not, in themselves, a cost to Robobryce because they do not directly affect cash flows.
The share price will only respond if customers decide to stop buying AMRs, affecting future
revenues for Robobryce, or if Robobryce is forced to compensate customers by offering
refunds and / or replacement AMRs.
In the short term, those concerns will create uncertainty and that could depress the share
price, but the share price will hopefully recover in the medium to long term when Robobryce
addresses the concerns and, hopefully, manages to eliminate them.
The Board holds the primary responsibility for setting strategic direction and ensuring
implementation throughout the company. While it is common to delegate tasks to lower
management levels, these managers operate within the framework established by the Board
and implement the decisions made by the board. Any breach of controls or systems can be
traced back to the Board's oversight, irrespective of the sophistication of the breach.
The Board has listed IT as number four in the principal risks; it may be that stakeholders
would consider this a higher priority. At present, there is no dedicated IT director at
Robobryce; this may be considered an oversight of the Board, and an indication that not
enough attention has been given to the severity of cyber security.
Users affected by the breach may suffer losses and seek compensation, potentially holding
the Board responsible.
In the public eye, blaming the breach on poor governance, particularly in terms of a lax
control environment, might gain traction. Media coverage often focuses on relatable human
aspects, such as the harm caused to victims, rather than delving into complex discussions on
IT security.
There have been weaknesses in Robobryce's control systems that allowed the hackers to
gain access and that could invite criticism toward the Board for not addressing such threats.
The challenge lies in foreseeing and managing risks, even those with uncertain forms, such
as hacking. While it may be argued that precise predictions were challenging, seeking advice
from IT experts could have potentially mitigated these risks.
Robobryce now needs to communicate with all customers involved, as suggested by Sally,
so that they can ensure the security of their own systems and mitigate the losses. Any
varied messaging to users regarding the breach intensifies criticism of its governance.
Inconsistencies in the information provided to affected and unaffected users might generate
confusion and frustration among stakeholders and the media, potentially amplifying
pressure on the directors.
If there is no immediate release of information, as suggested by Filiz Yildiz, this risks further
security issues and may exacerbate public distrust regarding the company's governance in
handling the breach.
Marking guide:

Trait: Information
Level     Descriptor                                               Marks
          No rewardable material                                   0
Level 1   Identifies understanding of data breach as an issue.     1-3
Level 2   Discusses the impact of data breach on future            4-6
          perceptions of the company.
Level 3   Offers a clear and comprehensive discussion of the       7-9
          impact of data breach on future perceptions of the
          company.

Trait: Responsibility
Level     Descriptor                                               Marks
          No rewardable material                                   0
Level 1   Explains the need to accept responsibility.              1-2
Level 2   Discusses the Board’s responsibilities.                  3-5
Level 3   Offers a clear and comprehensive discussion of the       6-8
          Board’s responsibilities.

Trait: Perceptions
Level     Descriptor                                               Marks
          No rewardable material                                   0
Level 1   Identifies the link between perceptions and reality.     1-2
Level 2   Discusses the link between perceptions and reality.      3-5
Level 3   Offers a clear and comprehensive discussion of the       6-8
          link between perceptions and reality.
Task 3
While the consultants promise to prevent any further unauthorised access, it is crucial to
approach this claim realistically. Cybersecurity is an ongoing process that requires constant
vigilance and adaptation to emerging threats; new hardware and software are continuously
being developed to assist hackers in breaching systems. The claim of absolute
prevention might be overstated; instead, a commitment to minimising risks and promptly
addressing any breaches might be a more realistic promise.
While their consultants come from military and intelligence service backgrounds, checks are
needed to assess if they have expertise with preventing data breaches in corporate
environments like Robobryce's. Experience dealing with similar incidents and successful
interventions in preventing future breaches is essential for substantiating their claim.
Samson Consultants state that they will conduct penetration tests to identify vulnerabilities
and will remedy any findings. It is important that they not only identify weaknesses but also
efficiently and effectively mitigate them to reduce the risk of future breaches. Penetration
testing is likely to identify weaknesses caused by Robobryce’s employees, and some of those
findings will be easier to remedy, for instance by ensuring that all users are fully trained. It is
unlikely that this testing will uncover all breaches in the IT security, as some are designed to
stay undetected and never be uncovered.
Samson Consultants claim that they will prevent any further access to Robobryce’s software.
However, they can only deal with threats that they are aware of, and therefore the consultants
will need to be fully up to date with any specific threats as they develop so that they can
protect the systems. This is unlikely, as often the threats are not discovered until the breach
has happened and are not always publicly available. Having said that, the consultants may
employ ethical hackers who will be knowledgeable about new developments.
It would be crucial for the consultants to delve deeper into potential cyber issues that may
not be immediately detected and addressed, such as social engineering, a supply chain
attack or employee incompetence. They then need to understand how they will mitigate
these risks. It would be highly unlikely that they will be able to eliminate the risks altogether.
Conducting an annual review of the security system is unlikely to be sufficient as the only
proactive measure. Cyber threats are rapidly evolving and therefore the threats should be
continuously monitored, and a system review may be more effective taking place either
quarterly or every six months.
When considering outsourcing, the Board needs to weigh the expertise gained against the
continuous cost and the risks of outsourcing. As Robobryce depends heavily on IT and already
has systems in place to manage the IT risks, it may be more appropriate to recruit a suitably
skilled IT director and develop an in-house team.
Currency risks
The three types of currency risk are transaction risk, economic risk and translation risk. If it
enters the contract with Samson Consultants, Robobryce will face transaction risk (the risk
that the exchange rate moves between agreeing to make the payment and the payment
date) and economic risk (a longer-term risk caused by currency movements over a number
of years).
Translation risk relates to foreign assets and liabilities, so would not be relevant here.
• a one-off amount of S$ 600 million (approximately T$ 200 million if exchange rates
stay constant) in three months, and
• an annual amount of S$ 240 million (approximately T$ 80 million) starting in about
16 months’ time, and
• a monthly amount of S$ 75 million (approximately T$ 25 million) starting in about 4
months’ time.
These amounts are payable in S$, so if the exchange rate between the S$ and our currency
the T$ changes, the amounts will be either more or less expensive than we have forecast.
The absolute best way of eliminating the transaction and economic risk related to all these
payments would be to negotiate with Samson and to get them to invoice in T$ instead (thus
eliminating the risk from our point of view by taking the risks on themselves). It is unlikely
that they would agree to this!
Economic risk
The fact that the Southland economy is weak suggests that the S$ currency is likely to
weaken (economic risk). If it does then future payments are likely to decline when converted
into T$ and so there is a greater likelihood of an upside risk than a downside. The weaker
currency may encourage exports and so it could be desirable for Southland’s Government to
allow the exchange rate to remain in Robobryce’s favour. Unfortunately, there could also be
a risk that the Southland Government will act to strengthen its currency in order to promote
confidence and that could lead to a sudden increase in the cost of settling these invoices.
Therefore, it may be reckless for Robobryce to simply accept these risks in the hope that
they are all upside.
Transaction risk
The invoice for S$ 600 million that is due in three months is a significant amount that is
subject to transaction risk. Therefore, it is worth hedging in order to reflect the fact that
even a small percentage strengthening in the S$ could lead to a substantial additional cost in
absolute terms. The cheapest and easiest way to hedge this risk would be to use a forward
contract to commit Robobryce to an agreed payment in T$ for the S$ that it will require in
three months. That would cost Robobryce the opportunity to benefit from any upside in the
event that the S$ weakens during the three months. Robobryce could alternatively purchase
a call option that would give it the right, but not the obligation, to buy S$ at an agreed price.
Options have the disadvantage of being priced according to market expectations of future
movements. The premium paid for the option would be more expensive if Robobryce
expected to benefit from exercising it.
The monthly and annual payments are ongoing commitments and so they are more difficult
to hedge in the longer term. The cost of active hedges using financial instruments is likely to
increase in line with market expectations and so it may not prove cost-effective to manage
the transaction risk on each payment separately.
For the monthly payments, it would probably be best to meet the payments by converting
T$ at spot on a monthly basis, in the hope that any fluctuations cancel over time.
The risks associated with the annual payments should be evaluated on an annual basis and a
decision should be made as to whether to hedge on the basis of expected volatility over, say,
the three months prior to the settlement date.
Marking guide:

a) Evaluate the claim by Samson = 20 marks

Trait: Consultant
Level     Descriptor                                               Marks
          No rewardable material                                   0
Level 1   Identifies the consultant’s interest.                    1-3
Level 2   Discusses the consultant’s interest in making such a     4-6
          claim.
Level 3   Offers a clear and full discussion of the consultant’s   7-10
          interest in making such a claim.

Trait: Emerging
Level     Descriptor                                               Marks
          No rewardable material                                   0
Level 1   Identifies the residual vulnerabilities and emerging     1-3
          threats.
Level 2   Discusses the residual vulnerabilities and emerging      4-6
          threats.
Level 3   Offers a clear and full discussion of the residual       7-10
          vulnerabilities and emerging threats.

Trait: Risks
Level     Descriptor                                               Marks
          No rewardable material                                   0
Level 1   Identifies the payment pattern as an issue.              1-2
Level 2   Discusses the implications of the pattern of payments.   3-5
Level 3   Offers a full discussion of the implications of the      6-9
          pattern of payments.

Trait: Recommendation
Level     Descriptor                                               Marks
          No rewardable material                                   0
Level 1   Identifies a response.                                   1
Level 2   Identifies a relevant response.                          2-3
Level 3   Identifies and justifies a relevant response.            4
CORE ACTIVITY
            A        B        C        D        E        TOTAL
TASK 1      20       13       -        -        -        33
TASK 2      -        -        17       -        16       33
TASK 3      -        13       -        20       -        34
TOTAL       20       26       17       20       16       100
Blueprint   15-25    15-25    15-25    15-25    15-25