Security for Professional Services Firms in High-Risk Markets | CloseProtectionHire

Security for Big Four, management consultancies, and professional services firms operating in high-risk markets: consultant KFR risk, client confidentiality targeting, P1 city office security, and fieldwork protocols.

6 May 2026

Written by James Whitfield

Professional services firms – the Big Four accountancy and audit firms (Deloitte, EY, KPMG, PwC), the major management consultancies (McKinsey, BCG, Bain, Oliver Wyman, Roland Berger), and specialist advisory firms (Kroll, Teneo, Ankura, Control Risks) – operate globally, including in the highest-risk markets. Their staff face a security environment that combines the personal risk factors of any high-profile professional with the specific targeting risk created by the commercially sensitive nature of their work.

The Fieldwork Security Problem

The professional services model depends on fieldwork: site visits, client interviews, document reviews, and physical inspections in client operating environments. In P1 markets, this creates a security gap that does not exist for corporate executives who travel to a single known destination for a specific business purpose.

Consultant mobility. A management consultant on a transformation engagement may visit six different client facilities in a week – factories, distribution centres, government offices, and head office locations across a city or region. The diversity of locations, the unpredictability of schedules (set largely by client requirements), and the concentration of sensitive data on devices and in notes create a more complex security management problem than a single executive with a defined itinerary.

Local hires and fixer risk. Professional services fieldwork in P1 markets frequently uses local translators, drivers, and research assistants engaged on a short-term basis. These individuals have access to the engagement team’s schedule, location, and in some cases to engagement content. Vetting standards for locally engaged support staff should apply the same baseline as for any contractor with access to operational information – but in practice, the speed of engagement mobilisation often means vetting is limited to verbal reference checks.

After-hours exposure. Consultants staying in hotels for extended field engagements in P1 cities face the full hotel security risk environment. Valuable devices are in the room. The engagement team is away from firm security infrastructure. Hotel security in P1 cities varies substantially, and the standard business hotel security posture is not designed for the theft risk created by high-value data assets.

Client Confidentiality as a Targeting Vector

The information held by professional services firms is, in many cases, more valuable than the physical assets of the companies they advise. This creates a targeting dynamic that is specific to the sector.

M&A advisory. A firm advising on a corporate acquisition holds the target’s financial data, valuation models, and the timeline and terms of a transaction that will affect publicly traded share prices. This is a textbook MNPI (material non-public information) situation. Competitors, market actors, and professional short-sellers all have an incentive to obtain this information before public disclosure. The device containing an M&A model or a board presentation is therefore a very high-value theft target in any location where the firm or its staff are known to be working.

Regulatory investigation. Audit firms conducting FCA, SEC, or DOJ-instructed investigations into client conduct hold information that the subject of the investigation has a direct financial interest in suppressing. The security threat model for regulatory investigation teams includes not just device theft but targeted surveillance, social engineering of team members, and, in some jurisdictions, direct interference with the investigation process.

Government advisory work. Professional services firms with government advisory mandates – defence sector consulting, infrastructure planning, regulatory reform – work with information that may attract state-sponsored collection interest. The NCSC advisory on PRC economic espionage specifically identifies advisory and consulting relationships as vectors for intelligence collection: the consultant who has access to government planning documents is a softer target than the government official.

P1 Market Fieldwork: Jurisdiction-Specific Risks

Nigeria. Lagos and Abuja are significant professional services markets, with all Big Four firms and several major consultancies having established offices. The express kidnapping risk for professional-class individuals – identifiable by firm markers, corporate vehicles, and luxury hotel accommodation – is material. The Apapa port corridor and the highways serving industrial areas carry a disproportionate share of the robbery and kidnapping incidents affecting business travellers. Local drivers engaged through firm-approved providers (not street hailing) and check-in protocols for all field movements are the minimum standard.

China. The March 2023 detention of five Mintz Group national staff in Beijing for due diligence activities is the most significant indicator of the legal risk for professional services fieldwork in China. The Counter-Espionage Law (2023 revision) and the Data Security Law (2021) create broad criminal exposure for research, data collection, and advisory activities that touch on matters the state defines as related to national security – a definition that has been applied to include commercial market research and corporate background investigations. Pre-engagement legal review of the specific mandate is essential. The clean device protocol applies to all China travel for all firm staff.

Russia. Following the February 2022 Ukraine invasion, the major Western professional services firms suspended or wound down Russia operations. Staff involved in Russia-related work from outside Russia face sanctions compliance obligations and the risk of being designated as hostile actors by Russian authorities for advisory work that assists sanctions enforcement or Russia-critical investigations.

Colombia and Mexico. Both markets have significant professional services presence, and both have documented express kidnapping and robbery risk for professional-class individuals. In Mexico, CJNG presence in Jalisco and other states creates an extortion risk for firms with office or fieldwork presence in affected areas. Local security advisor input for project-specific fieldwork planning is standard practice at the major firms.

Office Security for P1 Market Operations

Professional services firm offices in P1 cities face the same workplace security considerations as other corporate offices, with the additional factor that the data environment in the office – active engagement files, client data, regulatory investigation materials – creates a more valuable target than a standard corporate premises.

Access control. Biometric or card-based access control for all office areas, with a specific access restriction protocol for active investigation and M&A project rooms. Visitor management that does not allow unsupervised visitor access to open-plan work areas.

Clean desk and screen lock policy. Engagement materials should not be visible to visitors or passers-by. Screen lock policies (auto-lock after 2-3 minutes) are standard in high-security offices and should be mandatory in P1 city offices.

Counter-surveillance awareness. In P1 cities with state-sponsored economic espionage activity, professional services offices may be subject to physical surveillance – observation of who enters and exits, and vehicle surveillance – and to the technical surveillance threat that TSCM (technical surveillance countermeasures) addresses. Offices conducting sensitive work in high-priority state-espionage markets should have periodic TSCM sweeps conducted.

ISO 31030:2021 and the Duty of Care Framework

Professional services firms with significant international fieldwork programmes have a duty of care obligation to travelling staff under ISO 31030:2021 (Travel Risk Management) and the applicable national health and safety legislation. The firm’s travel risk management programme should include:

  • A tiered risk assessment for all international travel destinations
  • Mandatory pre-travel briefings for P1 and elevated-risk destinations
  • Vetted accommodation and transport in high-risk markets
  • MEDEVAC and K&R insurance arrangements
  • An incident response capability

For the travel risk management framework that applies to the full corporate travel programme, see our corporate travel security policy guide. For the technical surveillance countermeasures applicable to sensitive office environments and hotel rooms during high-stakes advisory work, see our TSCM guide. For the data room security architecture applicable to professional services firms advising on M&A transactions – VDR access controls, counterparty espionage risk, document watermarking, physical due diligence room controls, MAR insider list obligations, and post-transaction access revocation – see our security for M&A data rooms and due diligence guide.

Summary

Key takeaways

1. Professional services staff are express kidnap targets in P1 cities: visible salary markers and employer KFR capacity

A Big Four partner visiting a client site in Lagos, Nairobi, or Manila is identifiable by visible professional markers – firm-branded laptop bag, corporate hotel, business-class travel, firm-registered vehicle – that signal both personal wealth and the employer's capacity to pay a ransom. The express kidnapping and vehicle hijack risk for this profile in P1 cities is material and requires active security planning, not standard corporate travel booking.

2. M&A and regulatory advisory work makes laptops and devices high-value theft targets

A laptop containing material non-public information on a pending acquisition or a regulatory investigation finding is worth far more to a motivated thief than its hardware value. Device security – full disk encryption, VPN, no unsupervised public location use, and the decision to not carry sensitive data locally – is the primary mitigation.

3. The Mintz Group China detention case is the definitive reference for professional services firms operating in PRC

Five Mintz Group national staff were detained by Beijing police in March 2023 while conducting due diligence for a client. The case demonstrates that activities considered standard investigative practice in Western markets – background checks, company research, document review – may be treated as illegal under China's broadly scoped Counter-Espionage Law and Data Security Law. Legal review before any China-market advisory or investigation engagement is not optional.

4. Fieldwork buddy systems are the minimum standard for P1 city site visits

Consultants visiting manufacturing sites, warehouses, infrastructure facilities, or government offices in P1 cities should not travel solo. A minimum two-person team, with a named in-office check-in contact and a specific response protocol for missed check-ins, is the baseline. For high-risk environments (northern Nigeria, some areas of Colombia or the Philippines), security escort is appropriate.

5. Client confidentiality obligations require data security that goes beyond standard firm IT policy

The duty of confidentiality that professional services firms owe their clients extends to protecting engagement data from theft or unauthorised access by third parties. The security breach that exposes a client's M&A plans or regulatory position is a professional liability event as well as a data protection failure. Engagement-specific access controls, device encryption, and clear guidance on where and how engagement data can be accessed are a professional obligation, not just an IT policy matter.

FAQ

Frequently Asked Questions

Three threat categories dominate for professional services firm staff (auditors, management consultants, lawyers, and advisors at Big Four and major consultancy firms). First, kidnap for ransom: professional services staff in P1 markets earn salaries that place them at the upper end of visible wealth in those environments, and their association with major international firms (Deloitte, KPMG, McKinsey, BCG, Clifford Chance) creates a perceived employer ransom-paying capacity. Express kidnapping targeting professional-class individuals in Nigeria, Colombia, Mexico, and the Philippines is documented. Second, client confidentiality targeting: the work of audit, advisory, and consulting teams – M&A transaction details, regulatory investigation findings, sensitive financial data, board-level strategic plans – is of significant value to competitors, market actors, and in some jurisdictions to state-affiliated actors. Laptops and devices are targeted. Third, local regulatory and legal risk: consultants operating in markets with restrictive business practices laws or data localisation requirements face personal criminal exposure if they handle data or conduct investigations in ways that are lawful in their home jurisdiction but prohibited locally.

Major consulting and audit engagements – hostile M&A advisory, regulatory investigation support, strategic market entry work, government advisory contracts – involve access to information of significant value to third parties. M&A advisory work in particular: a consultant who knows that a publicly traded company is the subject of an acquisition bid is in possession of material non-public information, and is therefore a target for anyone seeking to trade on that information. The security risk is that the device carrying that work is a very high-value theft target. Beyond financial information, consulting work for government clients in defence, infrastructure, or telecommunications may attract state-sponsored interest. The NCSC and FBI/MI6/BfV January 2023 advisory on PRC economic espionage specifically references advisory and consulting relationships as collection vectors.

Fieldwork in P1 city environments – site visits for operational audits, factory inspections, infrastructure assessments – should apply: pre-visit threat assessment using FCDO/OSAC advisories for the specific location; vetted local transport (not public taxis or ride-sharing); a check-in protocol with a named in-office contact and a missed-contact response procedure; device security (encrypted device, no sensitive data stored locally where possible, VPN); a fieldwork buddy system or minimum two-person teams for high-risk visits; and MEDEVAC and travel insurance confirmation. ISO 31030:2021 sets the standard for corporate travel security risk management that applies to professional services firm travel programmes.

Very. Several P1 countries have laws that create criminal exposure for foreign investigators or advisors who conduct activities that would be lawful in Western jurisdictions. PRC: the Counter-Espionage Law (2023 revision) criminalises collecting data on matters related to national security with broad and undefined scope. The 2023 detention of Mintz Group researchers in Beijing is the most prominent example – five national staff detained. Russia: Federal Law 144-FZ regulates private detective activity; foreign investigators conducting background checks or site assessments without a Russian private detective licence are potentially in violation. Nigeria, the Philippines, and others: specific anti-money laundering investigation and reporting obligations create personal liability for professional advisors who assist clients in non-compliant activity. Pre-engagement legal review of the specific investigation or advisory mandate in each jurisdiction is mandatory before fieldwork begins.

The standard device security protocol for professional services staff working on sensitive engagements in high-risk markets combines the personal device security best practices (VPN, full disk encryption, strong passwords, multi-factor authentication) with engagement-specific controls. For M&A and regulatory work: engagement files should be stored on encrypted firm systems with access restricted to named engagement team members, not synced to personal cloud accounts, and not accessed on public Wi-Fi without VPN. For travel to China, Russia, or other high-surveillance markets: the clean device protocol (travel-specific device with no access to production systems, rebuilt before travel, factory reset on return) is NCSC and FBI guidance. For field audits where physical device security is a risk: device encryption with remote wipe capability enabled, and the decision about whether local data storage is necessary at all for the specific task.