
Baker Tilly

Primary URL: www[.]bakertilly[.]com
Location (country): United Kingdom
Industry: Undetermined
Profile

Baker Tilly is a professional services organization headquartered in the United Kingdom and part of the global Baker Tilly International network. The firm delivers assurance, tax, and advisory services to a diverse client base spanning multiple industries. Its operational structure includes specialized subsidiaries, such as Act21, which focuses explicitly on corporate social responsibility (CSR) services. Act21 provides software and data platforms designed to help organizations manage sustainability and social impact reporting, serving major entities across both public and private sectors. This subsidiary model allows Baker Tilly to address niche market demands while leveraging the broader network's resources. The parent organization's role involves overseeing these subsidiaries and maintaining overall service quality and client relationships. Baker Tilly's positioning in the professional services landscape is characterized by this blend of generalist offerings and targeted specialist units. The existence of Act21 underscores a strategic emphasis on the growing field of CSR and sustainability advisory. The firm's reach is facilitated through its international network connections, though specific scale metrics are not detailed in available information. Its service portfolio reflects an adaptation to evolving regulatory and stakeholder expectations in corporate governance.

On February 13, 2024, Act21 suffered a cyberattack that encrypted its systems and disrupted client access to its software and data platforms. Initial investigations conducted with cybersecurity experts found no evidence of data exfiltration, though the timeline for full system restoration was uncertain. The incident did not compromise the real-time operational activities of Act21's clients because the affected platforms are not integral to their core business functions. Baker Tilly, as the parent company, managed the incident response and ensured that all affected organizations were notified of the service disruption. This event highlights the cybersecurity risks faced by even non-core operational service providers within larger professional services groups. The transparent communication with clients across public and private sectors demonstrates a standardized incident notification protocol. The attack targeted a subsidiary with a specific technology focus, illustrating how threat actors may pursue specialized service providers to access broader client ecosystems. Recovery efforts involved external cybersecurity expertise, indicating a reliance on specialized support for severe incidents. The situation underscores the importance of distinguishing between service availability and critical business continuity for clients of such platforms. Baker Tilly's handling of the Act21 breach reflects an organizational approach to subsidiary-specific cyber incidents within its overall risk management framework.

Incidents
1 incident