The Government’s Chief Information Officer brought in overseas experts to secure its IT systems two years before last September’s cyberattack, allegedly breaching procurement policy in doing so, documents released under public access to information showed.

The documents revealed that Daron Raynor gave the go-ahead for a Cabinet Office contract with a private company and only afterwards sought permission for the bidding process to be waived.

Records released to a Pati requester showed the alleged code breach was reported by the Office of Project Management and Procurement to the Head of the Public Service, who had to decide whether disciplinary action or a report to another agency was appropriate. The outcome is not known by The Royal Gazette.

A document showed it was explained to the OPMP that it was an “oversight” as Mr Raynor was only a few months into his Civil Service position, after he was hired in October 2020. He previously worked in the United States.

The Royal Gazette contacted Mr Raynor this week, but he said he was unable to comment on the issue because of the terms of his Civil Service contract. He declined to comment further.

A sole-source waiver for the contract with Canada-based Info-Tech Research Group was eventually approved when further information was shared with Cheryl-Ann Lister, then the Acting Financial Secretary.

Lawyers in the Attorney-General’s Chambers had previously expressed alarm at the deal and advised that it be terminated and redrafted.

A Cabinet Office spokeswoman said last week that no regulations were breached. She confirmed that Info-Tech was paid more than $800,000 from the public purse over three years.

The Pati disclosure, shared with the Gazette, revealed the reasons Mr Raynor gave for hiring Info-Tech — a company he had worked with previously — to ramp up security within government IT systems.

In July 2021, an application to the OPMP that was understood to have been written by Mr Raynor said the contractor was urgently needed because the Department of Information and Digital Technologies was in “constant firefighting mode” and had a lack of security procedures.

Mr Raynor, in a June 17, 2021 e-mail to Elaine Blair-Christopher, the Director of the OPMP, wrote that his department “would like to partner” with Info-Tech, adding that he knew the company well.

He said the estimated cost for the first year was $281,209.50.

Mr Raynor did not mention in that e-mail that he had already approved a contract with Info-Tech for that amount three months earlier, an act that allegedly violated the Government’s procurement policy.

Mr Raynor wrote: “I personally had much success with Info-Tech in my previous employment and found their service second to none (they work with governments and companies all over the US, Canada, Australia, etc.).

“I have not found another consulting service to be as knowledgeable and hands-on as Info-Tech. They have helped me in my career and I would like for them to help our IDT managers with their career development also.”

Ms Blair-Christopher replied a week later, when she said there were “several questions”.

The OPMP director wrote: “Why can't an open bidding process be done for this high-value procurement, per Section 13 of the code? This would allow for an open and transparent approach to be followed.

“How is the best value for money being obtained for Government from this purchase and how will it impact the Government and the people of Bermuda?”

She asked: “How many years is IDT planning to use this company’s services?”

Ms Blair-Christopher wrote: “What type of contract will be used? Has the Attorney-General vetted the contract …? … Is there room for negotiations?

“Have any contracts been signed or any services provided to the Government already from this vendor? What is the consequence if a waiver is not granted?”

Ms Blair-Christopher added that the Cabinet had to approve all single-source awards worth more than $100,000 and all other competitively bid contracts over $250,000 before a contract could be executed.

In early July 2021, IDT submitted a waiver application form, noting a contract with Info-Tech was already signed because of an “oversight” on the CIO’s part.

The application, which was unsigned but believed to be written by Mr Raynor, argued that Info-Tech should still be hired without the need for a tendering process and recommended the contract run for three years at a total cost of $886,512.95 to the taxpayer.

It said that it was “imperative” that Info-Tech stayed on board.

The application said that IDT had been “without leadership for approximately three years” and was “in desperate need of assistance”.

It went on: “Many staff are also frustrated due to the lack of communication within the department. Everyone appeared to be working in silos.

”All of these issues seem to spill over with some staff members, resulting in inappropriate outbursts during meetings, staff almost coming to physical altercations at times, and lack of trust with fellow officers.

“It is necessary to employ Info-Tech … to assist with the task of turning the IT department around.

“They are highly specialised in IT services that will provide swift results. It is imperative that we contract them for at least three years.”

Referring to the signing of the contract in March, the application said: “This oversight was due to the newly appointed CIO’s lack of awareness of procurement processes and procedures.”

Ms Blair-Christopher wrote on August 6, 2021: “We can understand that there is a need for IDT to be upskilled and organised and it appears it will need outside resources to achieve this.”

However, on August 10 she told Mr Raynor: “OPMP objects and does not endorse this procurement process as it breaches several sections of the code and the [Government’s] financial instructions.”

She added: “This is unacceptable procurement and business practices to request retroactive approval or amend a contract for over 200 per cent over the original amount.”

Records show Mr Raynor submitted two further waiver requests in August and September 2021.

In his August application, he wrote: “Since I was hired, I’ve observed the lack of processes and procedures as it relates to project management, IT governance, application and support.

“There is also a lack of security procedures, documentation, and logging important information.”

Both waiver requests were questioned by Ms Blair-Christopher and she reported Mr Raynor’s alleged breach of the code to the then Head of the Public Service, Derrick Binns, in September 2021.

The proposed contract was approved by Ms Lister the following month. The former acting Financial Secretary wrote in an e-mail to the OPMP director that having being provided with “much more comprehensive” information, she had no objection to a sole-source waiver.

A Cabinet Office spokeswoman said: “All necessary approvals were granted. Note that no regulations were breached. The procurement code is a policy and not a regulation.”

She would not comment on the outcome of any inquiry into the alleged code breach by the CIO. She said: “Mr Raynor still holds the substantive post of Chief Information Officer. ”

The spokeswoman added: “Any additional details regarding his employment are confidential and we do not disclose personnel matters.”

• On occasion The Royal Gazette may decide to not allow comments on a story that we deem may inflame sensitivities. As we are legally liable for any libellous or defamatory comments made on our website, this move is for our protection as well as that of our readers