Learnsignal

Strategic Case Study

Mock Exam 1
Saefwell
May_Aug 2024

1
Questions

2
 Task 1 – SCS Mock Exam 1

Sabine Anselm, CFO, steps into your office and closes the door:

"I need to speak to you in the strictest confidence about a serious issue which has arisen this week. I
have sent you an email last evening in this regard also. The Board will meet later today to discuss
this. Before that, I would appreciate your advice.

Firstly, explain and evaluate the likely outcome for Saefwell of each of the following scenarios:
● The ransomware is triggered and our data files are corrupted
● The ransomware is triggered and the attacker abuses client data
● We pay the B$50 million in cryptocurrency and the ransomware is not triggered
[subtask (a) = 33%]

Secondly, in terms of the threat, what are the responsibilities the Board as a whole
[subtask (b) = 33%]

We have also observed that Saefwell’s share price has been falling steadily for the past 2 weeks. In
the absence of any other logical market information that could have triggered this decline, I feel this
could be a result of the person making the ransomware threat short selling our shares.

Evaluate the possibility that a steady decline in our share price could be because of short selling by
the person making the ransomware threat

[subtask (c) = 30%]

3
 Task 1 Reference Material
From: Greg Hainge, Chief Executive Officer
To: all Directors
Subject: Ransomware threat

Hello

Saefwell’s Head of IT Security has just received an anonymous email that threatens to encrypt all our
data files at the Data Centre unless we pay a ransom of B$50 million in cryptocurrency.

We frequently receive this type of threat against our systems. We evaluate them all and respond in a
manner that reflects the credibility of the threat. In this case, the email contains technical details of
our hardware and software systems, suggesting that the person making the threat is highly skilled in
IT security and has been able to access our systems. Because of this, our Head of IT Security believes
that this is a credible threat.

If our files are encrypted then it will be impossible to access them in any way unless they are first
decrypted. It is unlikely that we will be able to decrypt the files. It is also possible that the attacker
could copy the files, including client data, before encryption.

We have a hot backup site that mirrors our Data Centre, but our Head of IT Security believes that the
backup files are at the same risk of encryption as the files in the Data Centre.

The email gives us 48 hours to pay before the ransomware is triggered. We have been warned not to
contact the Police.

Regards
Greg Hainge

4
 Task 2 – SCS Mock Exam 1
The following morning, Sabine Anselm, CFO, comes to your office again:

“I have printed out a news report that has just gone online. The Board is still considering the matter.
I hence need your advice on the following matters:

Firstly, evaluate the ethical considerations for and against informing the Police rather than paying
the ransom.
[subtask (a) = 30%]

Secondly, discuss our cyber security objectives of availability and confidentiality given the
implications of the ransomware threat and explain how any shortcomings could be rectified.

[subtask (b) = 20%]

Thirdly, are there any additional commercial risks in us using cryptocurrency for this transaction?
[subtask (c) = 20%]

Finally, discuss the various options available to the Board in terms of resolving this issue.
[subtask (d) = 30%]

5
 Task 3 – SCS Mock Exam 1
Three months have passed. A police complaint was made and the hackers were arrested. There
have been no further repercussions from the security breach and nobody was dismissed over the
incident, although a review of IT security and controls was conducted and numerous
improvements made.

John Sokosi asks you to join him in his office and says:

Bai Jing, Director of Physical Security Services, has ascertained that Eric Reday was employed part-
time as a security guard in Barrland and all he had was a learner’s license. But he still drove a
Safewell vehicle without authorization.

Pratima thinks that we should terminate Eric Reday’s contract and hand over Bai Jing’s findings to
the Barrland Health and Safety Executive. She also thinks we should explain to the Barrland
Telegraph that Eric Reday was driving without authorisation. She is furious that we are in the
headlines today and would like us to distance ourselves from the incident. Greg agrees, but Sabine
thinks that this is an over-reaction and has suggested we should be supportive of the Reday family
and accept liability for the incident, even though Eric Reday was driving the vehicle without
authorisation.

Pratima has asked me to attend an emergency Board meeting later this afternoon, to establish what
action, we should now take. Once a decision has been taken the rest of the Board will be informed of
the plan. I need your advice on:

Describe some internal controls which could have prevented this accident from occurring.
[sub task (a) = 33%]

I received a letter yesterday from one of our majority shareholders, asking us for clarity on our risk
management strategy. They currently hold 20% of our share capital.

We already have a Risk Committee but, considering recent events and the letter, would you
recommend any changes to this committee? [subtask (b) = 33%]

Please explain to me the relationship between the recent movement in our share price and our beta.
[subtask (a) = 33%]

6
 Task 3 – Reference Material

Barrland Telegraph
18-year-old in coma following “avoidable” Saefwell accident

Eric Reday, who works on as a security guard with Saefwell, is in

intensive care at Capital City Hospital after a driving incident. The
Telegraph has learned that he was crushed for several minutes
between the vehicle and the ground before help arrived.

A spokesman for the Reday family said: “Eric has been working part-
time to pay his college tuition. He went to work one day and didn’t
come home because of Safewell’s sloppy attitude towards safety. We
pray for his recovery from this avoidable tragedy.”

7
Answers

8
 Task 1 – SCS Mock Exam 1
Requirement 1 – scenario planning

Data files are corrupted

The immediate impact would be that all customer data will be inaccessible, and Saefwell will be
unable to contact its clients. This could cause senior management to panic and simply cease trading,
which could lead to the end of the company.

If the directors announce a temporary shutdown, with no explanation given, then the creators of the
malware may make further contact and agree to supply the decryption key in return for the ransom.
In that case, it would probably be worth making that payment to restore operations and keep the
company in business.

In the medium term, it may be possible for Saefwell to admit the problem and establish a basic but
workable system quickly. The clients have details of the software used, so it may be possible to seek
their cooperation and get that aspect of the system running very quickly. Customers’ files will have
been lost, but Saefwell’s sales depend on clients making contact. A basic ordering system could be
put in place, and clients could be asked to pay for each order by card, so the loss of their files will not
be a major hindrance. Clients could be asked to download fresh software and continue to work as
before. The biggest concern will be calculating the correct amounts to pay for the period
immediately before the malware attack.

Customer data is abused

In the short term, the abuse of data, such as client credit card numbers, will cause a great deal of
uncertainty about whether they are at risk. With the files encrypted, it will be impossible for
Saefwell to make direct contact with clients, especially one-off orders, which will make the
uncertainty even worse.

Clients may decide to switch allegiance to a different service provider, such as Pavrobot. This is
especially bad news in this industry because clients tend not to switch from one platform to another
under normal circumstances, and so any lost customers may be unlikely ever to return to Saefwell.

The lack of access to the data files will make it difficult for Saefwell to assist or support its clients in
any negotiations with the credit card companies. This may further discourage clients for supporting
any relaunched service offered by Saefwell and could also discourage credit card companies from
agreeing to work with that relaunched business.

Saefwell may be subject to legal penalties for failing to maintain the security of companies’ private
and personal data. Commercial organizations are generally subject to strict regulations about the
way they store and secure personal data, and this breach could leave it open to prosecution.

Ransom paid

Presumably, the Board will not publicize the payment of B$50m at the time of payment. There
would be no reason for them to do so. The payment will have to be reflected in the statement of
profit or loss, which could lead to questions from the shareholders because it would increase

9
operating costs. The shareholders would be unlikely to be satisfied with the reasons for this payment
because, in the absence of any catastrophic events, it will appear that the board has been tricked
into paying the ransom.

The decision to pay is likely to encourage further threats and demands for even larger payments. The
perpetrators who threatened the malware attack now know that Saefwell’s Board was willing to pay
in response to a threatened attack. Once the initial payment appears in the financial statements,
then other potential attackers will also be motivated. Saefwell is going to have to spend a
disproportionate amount on IT security and sweeps of the system to ensure that there are no
vulnerabilities.

Requirement 2 – Board responsibility

The Board must accept a collective responsibility for all aspects of the management of the company.
It is acceptable to delegate some of the tasks associated with a particular issue to a designated
director, but any recommendations that come from the director must then be considered by the
Board, and the Board must accept collective responsibility. This threat is a serious strategic matter
that could threaten the viability of the company if the wrong decisions are made. None of the
directors can argue that they should not be involved in making decisions or that they should not be
accountable
for the outcome. Otherwise, there could be serious agency problems because Board members will
have valid concerns about the impact on their careers if they are associated with a decision that
turns out to have bad consequences for the company.

It would be legitimate for the Board to delegate specific tasks and decisions to Dr Hassan Khattaf,
Director of Research, because he should have the necessary skills and experience to lead the Board
on specific technical matters. Software development and maintenance falls under his remit.

It is, however, unrealistic to believe that he will be able to deal with this problem single-handedly.
He will have to delegate much of the detailed work to managers who are more current in the system
as it stands. The Board can rely on advice from IT experts within the company and can focus on the
strategic decisions that have to be made based on that technical advice.

This decision is far too important to leave it to an individual director to decide. At best, this threat
could lead to an unnecessary outlay of B$50m and, at worst, it could lead to the collapse of the
business. Leaving that decision to him would put him under extreme stress and could lead to a
reaction rather than a considered response. The Board needs to debate the merits of the different
courses of action that are open and must ensure that the final decision is acceptable to the entire
Board, even if a consensus is not reached.

Requirement 3 – share price

This could be an example of a strong form of market efficiency, which means that all information is
incorporated into the share price, regardless of whether it is publicly available. One way in which a
steady and persistent decrease in the share price could occur would be if someone was selling
shares on the open market, despite the declining price. This could be explained by someone in
possession of inside information, who knows that the price will soon fall much further, who wishes
to profit from short selling. This involves selling shares that have been borrowed from a third party,
hoping that the price fall occurs in time, and then buying the shares required to close out the

10
position when the fall occurs. If the price fall is as large as expected, then it will be possible to buy
shares to replace those that were borrowed and still be left with a sizeable surplus from their sale.

The persistent price fall could be consistent with a hacker who plans to attack Saefwell, selling
shares in advance of that attack. The adverse publicity caused by a successful attack would make the
share price plummet, and so it would be possible to buy shares cheaply on the open market. The
hacker could be planning to use the short sale as an additional way to benefit from the malware
attack, perhaps in case we do not pay the ransom. Selling Saefwell short and triggering the malware
will benefit the hackers over and above any ransom that the company pays, but only if the attack
occurs before the short sales have to be closed out. If it is assumed that the decreasing share price is
linked to the threatened attack, then the assumption is consistent with the threat being real.

There is no guarantee that any short selling is linked to this threat, there could be other inside
information that is triggering short sales. The same behavior could be caused by someone who knew
about some other problems that were about to emerge. For example, an employee of a competitor
could know that the competitor has plans to launch an exciting new service on a specific date, but
that information is being kept confidential until the launch date.

Insider trading is a serious crime, and it might be more difficult to profit from such a blatant short
sale as this without getting caught. The authorities will be suspicious if Saefwell suffers a major
cyber-attack and short-selling positions are closed out immediately afterwards.

The declining share price may not be due to short selling and may not be a sign of strong-form
efficiency. It may be attributable to a shareholder who has a large investment and wishes to
liquidate that position. Announcing the sale of a large block of shares will always depress the share
price, and the shareholder will not get the full market price for a large shareholding, even if the sale
is motivated by a desire to rebalance a portfolio or to release cash for some strategic purpose.
Shareholders with large blocks generally do their best to sell them in small blocks in the hope that
the market will not pay too much attention.

Whatever the reason for the fall, it might have nothing to do with sales. Share prices respond to new
information reaching the market, and the market can adjust prices without waiting for purchases
and sales to adjust through supply and demand. While it is unlikely, there could have been a
succession of news events that the market has perceived as negative over the past two weeks.

11
 Task 2 – SCS Mock Exam 1
Requirement 1 – ethical dilemma

The principle of objectivity would require the Board to act without bias or the influence of other
people overriding professional judgment. This principle would suggest that the Board should have
chosen whichever response would have maximized shareholder wealth. The decision to inform the
Police will always have been a contentious one because it would never have been clear whether
doing so would have benefitted Saefwell. Making the report could have encouraged the hackers to
have triggered the malware to destroy evidence or to demonstrate their capability to other
businesses. The fact that hindsight shows that the Police investigation resulted in the arrest of the
hackers and discovered that the threat was based on a bluff is not relevant. The Board should have
been free to make that decision based on the economic interests of Saefwell and the directors
should not have been biased by a desire to protect their reputations.

The principle of integrity requires that the Board should have been straightforward and honest in
making this decision. This appears to have been the case because there is very little commercial logic
associated with paying the ransom. There would have been no benefit from paying the B$50m
because the hackers could easily have demanded further payments. The hackers are criminals who
wish to earn money from extortion, and so any promises that they make about leaving the company
unharmed should not be trusted. It could be argued that the only real advantage to paying the
B$50m would have been that the Board could then have argued that everything possible was done
to prevent a catastrophic attack on the IT systems, which is not consistent with protecting the
company’s interests.

The principle of confidentiality suggests that the Board should not have disclosed professional
information unless necessary. Informing the Police could be viewed as a breach of that principle
because it could have led to unhealthy disclosure. It could have been preferable for the Board to
have engaged IT security consultants to investigate the threat and seek a satisfactory outcome. The
Police would prioritize the identification and arrest of the hackers, even if that meant acting in a
manner that led to the malware being triggered. The Police also had an incentive to release details
of a successful arrest, which could draw attention to the possibility that Saefwell’s system is
vulnerable to attack.

The principle of professional behavior would require compliance with laws and regulations and
avoiding reputational damage. This would tend to imply that anyone who was aware of a criminal
act should inform the appropriate authorities to have the matter investigated. It could be argued
that voluntarily paying a criminal in the manner demanded by the hackers would mean that the
Board was implicated in a criminal act, through collusion. Reporting the matter to the Police will
create the possibility of the matter being resolved in Saefwell’s favour without risking the Board
being accused of any crime. From a reputational point of view, paying the ransom will increase the
risk for all other companies because the criminals will have been encouraged by their successful
attack on Saefwell.

12
Requirement 2 – cyber security

Saefwell faces significant IT risks, both in terms of its own operations and in respect of the design
and installation of automated warehouse systems that rely heavily on software for the operation of
autonomous products. Saefwell has systems in place for the management of IT risks. Those systems
are kept under constant review and are updated as necessary to minimize IT risks.

The Board appears to have been taking it for granted that availability is guaranteed by the inclination
that the company maintains a backup at a remote site. In the worst possible case, the Board has
assumed that the backup copy can be activated and brought online almost instantly, and so business
will not be lost. The ransomware incident highlighted a credible threat that malware that would
encrypt data at the primary site could also encrypt the backup data, thereby depriving Saefwell of
the data held on its systems. The hot backup can be relied on to protect against data loss due to
disruption of hardware, such as a fire at the primary data center. It appears that the constant
updating that ensures that the backup data is current also creates a vulnerability. It seems likely that
protecting the data against physical loss has left it at greater risk of electronic destruction through
the abuse of the links used to maintain copies.

The availability objective will have to be reviewed in the light of this event, with thought given to
adding a further layer of security so that the threat arising from the link between the two sites is
countered. Perhaps the need to protect availability requires a compromise over the policy in terms
of hot backups. It may be more efficient to make backup copies of data files at regular intervals and
for the backups to be scanned thoroughly for any malware. Such a system would mean that the
backup data files would be less up to date, and they would have to be updated before the backup
could be brought online. This may not be a bad compromise if it also means that the Board can be
confident that their backup files are available to them.

The confidentiality threat appears to have been caused by theoretical concerns arising from internal
conversations within Saefwell. The fact that the threatened disruption was a bluff makes it more
difficult to tell whether there is a credible threat to the confidentiality of data. Saefwell must ensure
that confidentiality is fully maintained because it is likely to lose business if its customers have their
personal data abused. The company will also be subject to possible sanctions because of the laws
relating to the safeguarding of personal data.

The nature of Saefwell’s business means that it would not be possible to always guarantee the
absolute protection of confidentiality. The system is accessible through websites and apps and is
linked to client systems. All those links make it difficult to ensure that unauthorized access to data
will never occur and that files will never be abused. It may be necessary for Saefwell to plan for the
possibility of minimizing the disruption associated with any successful breach of confidentiality. For
example, stored payment details might include customers’ credit card numbers, but not the three-
digit reference number on the back of the card. This would make it difficult for hackers to abuse
personal data.

Requirement 3 – using cryptocurrency to pay the ransom

Volatility of the market

Cryptocurrency is highly volatile. There can be wild and unexpected swings in the market which lead
to the value of cryptocurrency dropping by hundreds, sometimes thousands of dollars per coin.
Therefore, if we were to use cryptocurrency for this transaction, this may lead to very high currency

13
transaction risk, driven by the 7-day payment terms and the time we take to decide on our response.
Today, 3,500 coins equate to B$22.75 million but if the price of coins has increased to say B$10,000
per coin by tomorrow (not impossible for cryptocurrency), the transaction has suddenly become
much more costly. Even between making the decision to pay and the payment being made –
perhaps only minutes in real time – the value of this transaction could have swung wildly, both
upwards and downwards. The uncertainty here is certain to be beyond the risk appetite of our
investors.

Unregulated currency

Many regulators still do not understand how to police or regulate this area. Governments and
banking institutions currently cannot regulate cryptocurrency for transactional use. This may be bad
for us, as we are a quoted company that operates in a well-regulated and active stock exchange in a
developed country. This means that it is highly likely that everything we do is heavily regulated and
closely scrutinized. Auditors may have a negative opinion of this transaction, for example, or
regulators may be critical if there is a sense that paying untraceable payments via the blockchain, to
criminals, is unethical conduct.

Requirement 4 – resolving this issue and ensuring it does not occur again

Internal audit

We have an independent internal audit function and the Chief Internal Auditor reports to the
convener of the Audit Committee, in accordance with corporate governance best practice. It may be
that this function can offer a solution by conducting a special investigation into the controls which
have been breached and reporting their findings to the board. Special investigations of this kind do
fall within the remit of an internal audit department, but the very specialised nature of this situation
(security coding etc) may lie beyond their field of expertise.

White hat hacker

Some businesses employ white hat hackers who deliberately try to breach a system to identify weak
spots. We could do the same, effectively paying legitimate hacking experts to find the breach for us.
This could be expensive but it will be an independent assessment of the problem, conducted without
bias, and may be the most successful and objective way to isolate the issue before taking
appropriate action. It may also be the quickest solution as it will avoid the politics of trying to resolve
differing versions of events.

Using the service of a 3rd party data security company

The function of this company would be to install copies of our software at their secure computer
centre, duplicate the data, scan for any malware in our data files and maintain a hot back up of our
data that will be always monitored and kept safe. Now this may be an expensive affair, so cost
benefit analysis is vital. However, as the size of the company grows, the cost maybe justified.

Appointing an IT Director

Given the nature of our industry and the growing profitability of Intelligence led Security Services, it
is surprising that we do not have a dedicated IT Director to oversee the IT strategy of the company.
Our risk register lists IT as the key risks, so we should be able to assign these to someone in the

14
Board. Else, it would be better to enhance the review work on the Internal Audit department, with a
more detailed focus on IT matters.

Hiring one more NED with an IT operational focus

We currently have 5 EDs and 4 NEDs. So, hiring another NED would be a good idea to balance the
board. An IT expert would bring in a diverse skill set to the board and be able to provide guidance on
the kind of audit checks the internal audit function can proactively carry out.

15
 Task 3 – SCS Mock Exam 1
Part 1

Appropriate supervision

It seems that an unlicensed and unauthorized person has been able to drive a vehicle on our
premises. This should never have been allowed to happen. On-site supervision through a clear chain
of command should have prevented Eric from accessing or starting up the vehicle. Keys should be
locked away under the control of a supervisor and only issued to qualified personnel. All staff should
know that it is a severe disciplinary matter and a potentially sackable offence if any authorised
person is found to be passing keys to unauthorised personnel. Drivers should work in teams or in a
buddy system so that they are never alone – this increases the likelihood that unauthorised usage
would be reported.

Staff training

All staff, including qualified and unqualified drivers on the production line, should be subject
to annual refresher training on site safety and the potential dangers of driving company vehicles
without the proper qualifications and training. Not only should this deter unqualified individuals
from
driving vehicles themselves, but it should also increase peer pressure against this kind of conduct
from
others. When the training session is complete, each staff member must have to sign a form at the
end,
either an online form or in-person (depending on the form of training) to agree to the fact that they
have attended the training session and are therefore responsible should something happen which
they could have prevented. Bai Jing should build this process into individual learning objectives for
all members of staff.

Physical controls

It may be possible for our vehicles themselves to be fitted with additional security controls so
that they are inoperable to anyone who is not authorised. Perhaps fingerprint recognition, facial
recognition or simple PIN codes could be required before the vehicles will operate, for example. It
may also be possible for geofencing technology to shut off the vehicles automatically if they are
approaching an obstacle at a certain speed or angle. Additionally, the vehicles should always be
stored in a locked pen when not in use and only the site supervisor should be physically capable of
releasing vehicles from the pen.

Part 2

Spread of responsibilities

16
On the risk committee currently, we have 3 Non-Executive Directors. All three of these Non-
Executive Directors are also on 2 other committees. This may mean that they are spread too thin to
be able to commit what they need to commit to the risk committee for it to be effective. I would
suggest that we recruit several additional Non-Executive Directors to the Board to spread out the
responsibilities on committees a bit more. Additionally, good corporate governance suggests that
there should be a minimum of a 50:50 split between Executive and Non-Executive Directors on the
Board. However, our ratio is currently 5:3, as Chairman is not described as being “independent”. This
move towards recruitment of more Non-Executive Directors would help towards this.

Executive directors

As a quoted company, Saefwell has certain corporate governance principles that it is required to
adhere to. One of these principles suggests that there should be mixed representation between
executive and non-executive directors on the risk committee. Now the only members of our risk
committee are NEDs. The reason we require executive directors on the risk committee is so that the
risk committee can better understand the operational issues the company faces. To do this we need
to have people on the board who are involved in the day to day running of the business. I would
suggest Bai and you join the Committee for this reason.

External representation

There may also be merit in recruiting external advisors with certain specialisms to sit on the Risk
Committee. Considering what has happened, a qualified health and safety professional would add
significant insight to the committee. Additionally, because we “face significant IT risks” we should
consider appointing an external cybersecurity expert to attend Risk Committee meetings. In 2018 an
independent study concluded that companies like - ABB, Fanuc, Mitsubishi, Kawasaki and Yaskawa –
“could easily be hacked” and that the risk was very high in terms of both probability and impact.

Part 3

Semi-strong form efficiency market

As we are a quoted company in a developed country, we operate in a semi-strong form efficiency

market. This means that our share price is reflective of all publicly available information, as I have
mentioned above. If analysts and brokers have already predicted that the situation over Eric Reday is
likely to drive investors away, then much of this bad news may already be factored into the share
price
as it is. Therefore, this argument suggests that when significant investor do sell their shares, this will
have minimal impact on our share price. Ultimately however, I believe if they were to sell their
shares at this time, it could cause our share price to fall even lower than it is now as the supply of
our shares on the market would exceed demand.

Ownership structure

However, we must also consider the percentage of shares that the investor currently owns
compared to others. As mentioned in the information provided, they are a 20% shareholder but we
have no information on how the remaining shares are owned. For example, there may be a
shareholder with 60% of the shares who never trades in those shares and is a long-term holder, or
the market may be fragmented with very active daily trading. As a very well-established 70+ year old
company, listed on the stock market since 1971, I would predict a high percentage of stable

17
 institutional shareholders with long term investment horizons. If these “whale” investors do not
respond to this sale, or even if they buy these shares straightaways to deepen their dividend return,
the share price could barely move.

Marking Grid

Questions Max marks

Question 1
Part (a) Ransomware threat 11 marks
No rewardable material. 0
Level 1 Demonstrates limited understanding of the situation at hand 1-4
Demonstrates reasonable understanding of the situation at hand, with one or two
Level 2 5-8
consequences
Demonstrates good understanding of the situation at hand. Explains clearly several
Level 3 9-11
risks that are related to the scenario.
Part (b) Board responsibilities 11 marks
No rewardable material. 0
Level 1 Demonstrates limited understanding of the situation at hand 1-4
Demonstrates reasonable understanding of the situation at hand, with one or two
Level 2 5-8
consequences
Demonstrates good understanding of the situation at hand. Explains clearly several
Level 3 9-11
risks that are related to the scenario.
Part (c) Shorting our shares 11 marks
No rewardable material. 0
Level 1 Demonstrates limited understanding of the situation at hand 1-4
Demonstrates reasonable understanding of the situation at hand, with one or two
Level 2 5-8
consequences
Demonstrates good understanding of the situation at hand. Explains clearly several
Level 3 9-11
risks that are related to the scenario.
Subtotal Question 1 33 marks

Question 2
Part (a) Ethical arguments for against informing Police 9 marks
No rewardable material. 0
Level 1 Demonstrates some technical understanding of ethics 1-3
Explains the situation in terms of CIMA code of ethics but with very limited 4-6
Level 2
application
Level 3 A well-rounded explanation of ethics and application of the CIMA code of ethics 7-9
Part (b) Availability and confidentiality of information 8 marks
No rewardable material. 0
Level 1 Can explain the two terms in a theoretical manner 1-3
Level 2 Can explain the two terms, compare, and contrast them 4-6
Provides a well-rounded explanation of the two terms in context of the pre-seen and
Level 3 7-8
unseen
Part (c) Commercial risks of crypto 9 marks
No rewardable material. 0
Level 1 Documents theoretical understanding of crypto without relating it to the scenario. 1-3
Level 2 Able to apply the scenario to a practical macro-environment situation. 4-6
Provides a clear explanation of how the situation have macro environment risks and
Level 3 7-8
presents some real-life example

18
Part (d) Ways to resolve the situation 9 marks
No rewardable material. 0
Level 1 Provides theoretical advice with limited application to the scenario 1-3
Level 2 Links facts of the pre-seen and un-seen but not able to provide relevant solutions 4-6
Level 3 Provides well justified options on resolution in context of tasks 1 and 2 7-9
Subtotal Question 2 34 marks

Question 3
Part (a) Internal controls to prevent accident 11 marks
No rewardable material. 0
Level 1 Demonstrates some technical understanding of internal controls 1-4
Level 2 Explains internal controls in the context of scenario but with limited application 5-8
Explains internal controls in the context of scenario with relevant suggestions
Level 3 9-11
applicable to this case
Part (b) Weaknesses of IA department 11 marks
No rewardable material. 0
Level 1 Theoretical understanding of risk committee 1-4
Level 2 Providing 1 or 2 practical suggestions for improvements 5-8
Level 3 Providing more than 2 practical suggestions for improvements 9-11
Part (c) Benefits of properly functioning department 11 marks
No rewardable material 0
Level 1 Theoretical explanation of EMH theory 1-4
Level 2 Explaining market efficiency in context of the company and pre-seen/unseen 5-8
Level 3 Explaining market efficiency in context of the company and pre-seen/unseen as well
9-11
as listing relevant facts like when the company was listed etc.
Subtotal Question 3 33 marks

Total 100

19