Insurance risks and cyber crime
South Africa’s legal professionals have become major targets in cyberattacks that have seen billions of rand lost to criminals each year
Hack attacks, ransom threats and theft of money through fraudulent transactions are all becoming a stark reality for legal professionals and law firms around the world.
According to South Africa’s Banking Risk Information Centre (SABRIC), the country has the third-highest number of cyber-crime victims worldwide, with an average of about R2,2 billion a year lost to cyberattacks.
Samantha Varela, a legal risk advisor at insurance company Aon South Africa, says that conveyancing attorneys, specifically, are in the sights of cyber criminals. She says the Attorneys Insurance Indemnity Fund (AIIF) – now known as the Legal Practitioners’ Fidelity Fund (LPFF) – has been notified of at least 110 cyber-scam-related claims worth over R70 million since July 2016.
“In a recent case, the sellers of a property approached the court for an order that the conveyancing firm be held liable for their losses after they became victims of a cyber scam in which they had apparently instructed their conveyancers via email to transfer the proceeds from the sale of their property to a different account. It turned out to be a fraudulent account and the sellers lost R268 348.
“The case was dismissed, with the judge stating that, despite the fact that the conveyancers did not pay the money into the sellers’ account, their failure to do so was not due to their negligence. From this case, we can clearly see that the allegation of negligence based on a cyberattack is incredibly difficult to prove, and leaves all parties severely compromised,” Varela notes.
Varela says that in light of the judgement, it is important to establish how professional negligence in the context of a cyberattack is determined. “The test for negligence in South African courts is clear – the court will weigh up the conduct of the reasonable professional, to that of a similarly qualified professional, with a similar set of skills, qualifications and qualities,” she explains.
Very often it is not the lack of legal knowledge that leads to professional negligence claims in the legal fraternity, but rather non-adherence to basic office management protocols and good governance processes. Claims attributed to a lack of supervision mainly result from:
• Lack of a diary system;
• Lack of internal controls;
• Failure to adhere to office procedures;
• Taking on matters where experience is lacking; and
• Failure to obtain proper instructions.
“If these issues are addressed and processes and procedures designed around them, one can begin to manage the implications that they may have on the business,” says Varela. She adds: “When it comes to cybercrime, there are many misconceptions around the insurability of these types of risks – they are very complex from an insurance perspective, simply because there are so many permutations.”
She says the following examples highlight the types of cybercrime currently impacting the legal field:
• Privacy or network security breach;
• Funds transfer fraud;
• Theft of funds held in escrow;
• Corporate identity theft;
• Telephone hacking;
• Push payment fraud; and
• Unauthorised use of computer resources.
Varela says that although the LPFF provides professional indemnity insurance cover to legal professionals practising in South Africa, the policy does not cover claims related to liability for compensation arising out of, or in connection with, the insured’s trading debts. Nor does it cover misappropriation or unauthorised borrowing of trust money or property by the insured, an employee or agent.
“Additionally, it doesn’t cover a risk, which is insured – or which could more appropriately have been insured – under any other valid, collectible insurance available to the insured,” she says. According to Varela, cyber liability insurance is intended to cover the costs, expenses and liability associated with the prevention of access to data or theft of data when an insured’s computer system is breached.
“The policy will not, however, cover the actual theft of money in the legal professional’s care, custody or control,” she explains. “For that, the insured will need a commercial crime policy, which provides cover for the theft of money or property, which is in the care, custody and control of the insured; as a result of theft by an employee; through fraud committed by an employee; or through third-party computer fraud committed by someone who is not an employee.”
Varela advises that finding an insurance solution that addresses, at least in part, the myriad of threats faced by the legal fraternity from a cyber event is a task best undertaken using the services of a specialist broker.
“It is paramount to take special note of exclusions and to have a clear understanding of what cover is provided by different insurance policies, as one is likely to need a combination of solutions that are able to address specific risk exposures.”
She recommends that a comprehensive insurance schedule be underscored by a comprehensive risk-management programme. “In most instances, it’s a case of implementing practices and procedures that raise awareness of various cyber schemes – such as avoiding clicking on e-mails or hyperlinks from unverified sources – in addition to providing adequate supervision and monitoring of staff across the board. With the proper checks and balances in place, a legal professional can quickly verify a change in banking details or any other fundamental aspects of a matter,” she says.
In conclusion, Varela says that by ensuring awareness and understanding of the implications of cyber and commercial liability, and by implementing stringent risk-management procedures, legal professionals – and others – will be in a better position to stay abreast of the trends that impact the sector, simultaneously helping to address the far-reaching implications of cyber crime.
• The increasing frequency and voracity of cyber concerns are mirrored in Aon’s 2019 Global Risk Management Survey, where participants ranked cyberattacks and data breaches sixth out of ten top risks facing organisations.
• According to Kaspersky Lab, malware attacks in South Africa increased by 22 percent in the first quarter of 2019 compared to the first quarter of 2018, translating to around 13 842 attempted cyberattacks a day.
• Further, an IBM security study by the Ponemon Institute indicates that a data breach in South Africa costs an average of R36,5 million.
• According to Verizon’s 2019 Data Breach Investigations Report (DBIR), 43 percent of cyber attacks target small businesses.