Cyber risks: The facts for lawyers
Businesses are constantly exposed to the dangers of a cyber attack with hackers becomingly alarmingly sophisticated. Here, we list the key areas of concern for solicitors.
1. Loss of client money
For conveyancing solicitors, Friday afternoon is often the busiest part of the week due to this frequently being the scheduled day for completions. Increasingly, clients request that completion happens one week after the exchange of contracts, putting solicitors under pressure from clients and estate agents. This means that a solicitor must condense many weeks’ work into just one week at the same time as aiming to provide a friendly and prompt service. It is understandable that someone under such pressure might miss the warning signs that something is amiss in the transaction. A significant number of solicitors have recently been the subject of what is now called the ‘Friday afternoon scam.’ Fraudsters target conveyancing firms knowing precisely when large amounts of money will be available in client accounts for the completion of a conveyancing transaction. The Solicitors Regulation Authority (SRA) says it is receiving four reports a month of firms being tricked into giving bank details to fraudsters. The fraudsters have attacked solicitors in a variety of ways. Perhaps the most common is where internet scammers gain access to a firm’s online systems to intercept emails between firms and replace them with their own in an attempt to hijack money from client accounts. In addition, fraudsters have hacked solicitors’ telephone lines so that they can communicate with the solicitors’ bank and try to authorise payment. The outcome of these activities depends on whether the solicitor or the bank becomes aware that the individual they are communicating with is not who they purport to be. In all cases, the victims describe the fraudsters as so sophisticated that they sound genuine in the various guises they assume – pretending to be the solicitor, the bank officials or the bank’s counter-fraud team.
Another method used by fraudsters is known as “invoice hijacking”. This involves fraudsters intercepting correspondence between two parties who are contractually involved and ‘invoicing’ the target for services which have already been provided. Again the large amount of client money held on account by solicitors makes them an attractive target. One recent example involved a conveyancing transaction where the deposit for the property was being paid in tranches, which the solicitor was holding on account for the client. The client received an email purporting to be from his solicitor asking that the funds be transferred to a separate account, due to a limit being reached. The fraudster provided details of the new account to which the client sent the remaining deposit. As either the client or the solicitors’ email account was hacked, each party suggested that the fault lay with the other.
This particular case demonstrates that in addition to the loss of client money, there is the consequential loss that if there is any delay in being able to complete, there will be losses down the whole conveyancing chain. In addition, there are even more damaging issues to consider if a solicitor gets it wrong.
2. Firms targeted by fraud may face regulatory consequences
The SRA expects compliance with Principle (10) of the Code of Conduct which states: “You must protect client money and assets”. It is a fundamental requirement that clients have confidence that their money is safe in the hands of solicitors and public trust is maintained. The SRA requires that firms take the following steps to minimise breaches:
- Keep client money separate from money belonging to the firm
- Use each client’s money only for that client’s matter
- Use money held as a trustee only for that purpose
- Establish proper accounting systems to ensure compliance with the SRA.
To reduce the likelihood of your firm becoming involved in this type of fraud, you should:
- Keep your firm’s anti-virus software up to date
- Never give any access or security information to anyone over the telephone or in an email no matter how genuine they sound. Banks will have all the information they require and will not ask for it
- Inform your clients not to send funds to a new account without ringing your office and speaking to the relevant person first. Take time to explain to your clients that there is an increasing risk from fraudsters and it is important that they adopt robust internet and email security measures. Similarly, if your client sets up a standard procedure of ringing you (his solicitor) before transferring money to you, this will help to reduce exposure to these kinds of risks.
- Your clients will appreciate that you are making every effort to safeguard their assets if you instigate these procedures
- Make sure that your clients know that they should always query emails supposedly received from their solicitor, but which are actually from a different email address, particularly if the domain is different
- Review and update your client engagement letter to disclaim or limit your liability for negligence and/ or fraud as a result of a hack attack.
If you are a victim of any fraud, the key to any recovery is immediate action and you must contact:
- Your bank
- Your broker/insurers
- The Police
- The Solicitors Regulation Authority
Acting immediately helps to reduce the size of the fraud. Evidence shows that fraudsters successfully dissipate the money they steal and often move this to less friendly jurisdictions where the money cannot be traced. Your ability to respond quickly and appropriately may be enhanced via a Cyber Liability policy which is specifically, but not exclusively, designed to mitigate the losses that can arise from a hack attack. We emphasise that if you believe you have been a victim of fraud, you should contact your PII - and where purchased Cyber Liability insurance - broker(s) so that he can liaise with your insurers. You should be aware that this does not mean that any loss will be automatically recoverable from Insurers, particularly where you are relying on PII for cover. As explained above, fraud can be perpetrated in a variety of ways and insurers would need to examine the circumstances of each individual case.
Apart from loss of money, there are other considerations.
3. Loss of client data
A breach of your firm’s network security can lead directly to one of your most important assets - client data, which is worth many times more than the physical equipment it is stored upon. If such data is damaged, lost or destroyed there will be range of implications including breach of the Data Protection Act and possibly severe disruption to the operation of your business. The legal environment surrounding loss of client data is continually developing with breach notification laws due to be introduced within the next year. These require businesses that lose sensitive personal data to provide written notification to those individuals that were potentially affected. The legal obligation to notify only currently exists in some countries but this is changing and there is a growing trend towards voluntary notification in order to protect your brand and reputation. Customers who have had their data compromised will expect openness and transparency from the businesses entrusted with it.
4. The ripple effect
The repercussions of a security breach are potentially far reaching. If a firm’s computer system is brought down due to a malicious attack (or indeed an event with no criminal intent), a chain of potential losses could be triggered which include but are not limited to: loss of client’s money; loss of income due to a temporary failure to continue operating, the delay or prevention of the completion of the contract and other conveyances in the chain; possible regulatory breaches; loss of client data or loss of firm’s intellectual property; damage to the reputation and integrity of the solicitor and ultimately damage to the solicitor’s balance sheet.
5. The solicitors’ PII policy
There is a common misconception that, owing to the breadth of the Solicitors’ Minimum Terms and Conditions, this policy would cater for all possible eventualities. However, when the Law Society first formulated Solicitors’ PII, the world was a very different place and cyber exposures were neither fully appreciated nor catered for. The PII policy covers claims made by third parties arising out of the conduct of a Legal Practice during the period of the Policy. Where the underlying loss is caused by a failure in technology, due either to malicious intent or otherwise, there is no absolute Exclusion in the policy wording but the extent to which a PII policy would respond remains largely untested.
Any claim to the PII policy has to stem from a claim made by a third party and even so, insurers would scrutinise the circumstances. If, for example, it were deemed that the Assured had not taken reasonable care in keeping his firm’s software protected and up-to-date, the insurer may seek to recover damage from the Assured.
If a client’s money is lost, for which the solicitor was responsible and the loss arose from the solicitors’ negligence, then the prima facie evidence seems to suggest that the PII policy would be triggered. However, it would be naïve to rely on a policy written at a time when losses relating to IT and cyber had nothing like the significance that they have today.