Risk Update – ‘Cyber Fraud Claims’ – What steps can you take?
Many of you will be aware of the nature of several frauds aimed at solicitors’ practices in recent months, with extensive media coverage highlighting this problem, ranging from your own trade press to the BBC. You may even have been a potential victim yourself as the subject of an attack by the fraudsters. Once the fraud is discovered, will you be insured either by your professional indemnity policy or by your Cyber Liability policy, if indeed you have bought or are considering buying that type of insurance cover?
You may have the benefit of cover for the loss of clients’ funds under your PII policy, though that can depend upon the circumstances – you may have seen the case recently aired by the BBC in which PI insurers have seemingly refused to indemnify on the grounds that they regard the firm concerned as having been complicit in facilitating the transfer of funds. Furthermore, even when cover does apply here, the future availability of PI insurance, and of course Cyber Liability cover, could become difficult.
If the worst were to happen and PII cover in particular were to be unavailable, you would have to begin the process of closing your doors.
This bulletin therefore provides a dual focus – on the insurance issue (on which more later) and on a continuing threat which has also become apparent – that of the fraudster, after having initially accessed your systems, emails etcetera, coming back again in a further attempt to commit fraud, albeit perhaps in a slightly different way from their first attempt. What steps can you take to prevent this happening for a first or, just as seriously, a second or a third time?
For PII cover to continue to be available to you, it will be essential to explain – in detail – the action taken to prevent fraud, all the more so if it has already happened. While it may not yet be in the public domain, PI insurers will almost certainly be looking for minimum levels of IT security to be in place before they will consider offering cover. This scenario already applies where a request for Cyber Liability cover is made, by way of specific questions within the proposal form, and these minimum requirements are only likely to develop further.
Let’s take the example of fraudsters having accessed your emails and successfully diverted client monies into a bank account which they control.
Once they have access to your emails, the fraudsters will themselves contact your clients by email when they know a transfer of funds is about to take place. Imitating the language you have already used, they will respond to your clients in a manner that ensures suspicions are not aroused, using an email address with a domain name remarkably similar to your own but crucially with perhaps a single letter or digit changed. Your client may therefore not notice anything untoward, while the fraudster will manage your own Inbox to ensure the same applies to you. From then on, the transfer of funds to the fraudster’s bank account takes place. Having suffered a loss, you will no doubt bring in a specialist to identify and eliminate the problem, secure the vulnerable elements of your systems, avert potential similar losses in respect of other clients undertaking similar transactions, and look at future protection.
However, recent experience indicates that the fraudster, having been successful, WILL return, possibly adopting a slightly different method. To combat these first and subsequent attacks, you will have to consider working with a suitable IT Security Consultant to look at the specific risk management measures to be taken, inter alia:
• secure software, hardware, anti-virus software, firewall, daily scans, etc;
• audits of your IT systems and services, for example emails, banking, cloud services, passwords and so on.
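As one concrete form an email audit can take, the following added example (not part of the original bulletin) flags sender domains that differ from the firm's own by a single character or by a letter/digit swap, the lookalike pattern described in the scenario above. The firm domain `smith-legal.example`, the sample addresses and the confusable-character table are constructed assumptions.

```python
# Added example: flag sender domains that are near-misses of the firm's own domain.
# FIRM_DOMAIN and SAMPLE_SENDERS are constructed for illustration only.
FIRM_DOMAIN = "smith-legal.example"
SAMPLE_SENDERS = [
    "jane@smith-legal.example",    # genuine
    "jane@smlth-legal.example",    # 'i' replaced by 'l'
    "jane@smith-1egal.example",    # 'l' replaced by digit '1'
    "jane@smiht-legal.example",    # two adjacent letters transposed
    "jane@smith-legals.example",   # one letter appended
    "client@otherfirm.example",    # unrelated correspondent
]

# Characters often substituted for one another (assumed, non-exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "i": "l"})

def edit_distance(a: str, b: str) -> int:
    """Insert/delete/substitute/adjacent-transposition distance between a and b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(address: str, firm_domain: str, max_distance: int = 1) -> str:
    """Return 'genuine', 'lookalike' or 'other' for the address's domain."""
    domain = address.rsplit("@", 1)[-1].strip(" <>.").lower()
    firm = firm_domain.lower()
    if domain == firm:
        return "genuine"
    # Same string once confusable characters are folded together.
    if domain.translate(CONFUSABLES) == firm.translate(CONFUSABLES):
        return "lookalike"
    if edit_distance(domain, firm) <= max_distance:
        return "lookalike"
    return "other"

def review(addresses, firm_domain):
    """List the addresses whose domain imitates the firm's."""
    return [a for a in addresses if classify_sender(a, firm_domain) == "lookalike"]

if __name__ == "__main__":
    for sender in review(SAMPLE_SENDERS, FIRM_DOMAIN):
        print("Lookalike sender domain:", sender)
```

Run against reply-to and sender addresses in mail logs, a check of this kind surfaces imitation domains that a reader's eye tends to pass over.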
Prevention of such scams in the first place is very important, though should one nonetheless happen, it is essential you take immediate steps to prevent recurrence. MFL Professional, as advisers to the legal profession including Manchester Law Society, would look to work with you by providing practical assistance and advice for the implementation of a suitable insurance solution in the form of professional indemnity insurance which dovetails with Cyber Liability cover, which will respond quickly and in a pro-active manner, including from the security aspect, to enable you to continue to practise. More stories are likely to reach your trade press over the coming weeks and months of firms ultimately having to close their doors after having been hit by cyber fraud and being unable to obtain insurance cover going forward, this aside from those subject to SRA Intervention.
We have been requested to assist in a number of such cases, albeit at the very end of the October 2015 renewal season, as firms were about to find themselves in the Extended Indemnity Period. It is too late to wait until your PI renewal is almost upon you before addressing these issues; by considering them now and seeking to dovetail your PII with the Cyber Liability cover that may be available, you would be in a far stronger position when your PI renewal next comes around.
At this point we strongly advise you to tread carefully. We are aware of a number of ‘Cyber Liability’ insurance policies having been launched recently by a host of insurers. However, our investigations reveal that in the majority of cases little or no thought has been given to the operation of the third party liability in terms of possible cross over with firms’ professional indemnity policies.
This will lead to problems with the handling and mitigation of fraudulent incidents: who will investigate and deal with the matter, bring in security specialists and so on? In turn, a badly handled crisis could have serious repercussions down the line for you, perhaps the additional fraudulent claims mentioned above, SRA involvement, reputational problems and other ramifications.
In saying this, we have established that at least some insurers offering Cyber Liability cover have actually given some thought as to how their policy will respond given the possible duplication of (third party) cover under the PII policy, whether the latter is held by themselves or not.
If you have concerns about these developments or indeed have already faced them and had limited help from your professional advisers, then we would be happy to discuss the position further with you either by telephone or by meeting at your office.
This article does not present a complete or comprehensive statement of the law, nor does it constitute legal advice. It is intended only to highlight issues that may be of interest to MLS members and solicitors. Specialist advice should always be sought in any particular case.
Richard Gledhill, Executive Consultant – Financial Lines
T: 0161 237 7725
M: 07984 879124
John Jones, Development Executive
T: 0161 237 7739
M: 07872 501955