I recently attended a conference at which I had an interesting conversation with a legal insurance broker, who told me that cyber insurance remains one of the most popular insurance policies with legal providers – a policy which covers lawyers against losses arising from loss of data and damage to systems following cybercrime attacks. This is in part the result of the SRA’s decision to exclude first party cyber losses from the professional indemnity insurance minimum terms and conditions. He told me, however, that as well as this type of policy being popular, claims were also high, which had made some underwriters nervous and had also led to premiums for this type of policy increasing.
The broker told me that he had seen many service providers fall victim to cyberattacks, as attacks are constantly changing and becoming ever more sophisticated. However, some long-established criminal activities are unfortunately still common. One is Friday afternoon fraud, which affects conveyancing firms and their clients: hackers email clients purporting to be the service provider and ask for completion funds to be sent to a different bank account.
The broker’s view was that whilst in the past criminals obtained their ill-gotten gains by holding up post offices and wages vans, these days they are far more likely to be sitting behind a computer committing fraud.
The conversation made me think that it is worth confirming our approach to dealing with complaints about cybercrime issues, and reminding everyone that we have issued detailed guidance on this subject in our document “Our approach to dealing with cybercrime”, which can be found on our website.
At the Legal Ombudsman, we recognise that service providers are victims of a cybercrime attack as well as their unfortunate clients, who in some cases we have seen have lost significant amounts of money following an attack. However, we do expect firms to take reasonable safeguards and to have processes in place to mitigate the risk of a successful attack. We recently determined a complaint which serves as a cautionary tale of what happens when a service provider fails to do this.
Mr B’s solicitor was hacked, and he ended up transferring his house deposit to a fraudulent bank account after receiving a modified email from a hacker posing as his solicitor. After transferring the money Mr B emailed the firm asking them to confirm receipt.
The firm did not check their accounts to see whether they had received the money until a week later, which was when the hack came to light. Mr B immediately contacted his bank, who got in touch with the fraudster’s bank. They were able to recover some of Mr B’s money, but because of the time that had passed, the rest had already been transferred out of the fraudulent account. The bank confirmed that had Mr B contacted them sooner, they would have been able to recover more of his money.
During our investigation we discovered that the solicitor dealing with Mr B’s house purchase primarily worked from home on her own device. However, the firm did not have any policies in place for homeworkers and how they should safeguard information, and no checks were carried out on the solicitor’s systems to ensure they were secure. Mr B also received no warnings about the risks of cybercrime.
As well as having insufficient systems and policies in place, the firm was also found to have delayed checking receipt of Mr B’s money. They were directed to pay the difference between what was lost and what the bank was able to recover.
Our jurisdiction allows us to investigate service issues. On the one hand, it isn’t a service issue for a service provider to be the victim of cybercrime. On the other hand, if offering a service to customers, we would expect a service provider to take all reasonable precautions and to follow any guidance and warnings from their Approved Regulator to protect themselves, and their customers, as much as possible from the threat of cybercrime. In Mr B’s case, that did not happen.
The two questions we always ask when determining a cybercrime complaint are, first, whether the service provider took all reasonable steps to protect themselves and their client from the risk of an attack, and second, whether the service provider took all reasonable steps to deal with the cybercrime once they became aware of it.
In terms of remedying complaints where we find that the service provider failed to take appropriate steps to safeguard themselves and their client, we are likely to direct that the service provider reimburse losses suffered by the client as a consequence of the attack and also pay compensation for any distress, inconvenience or worry caused to the client. In some cases, we have referred the matter to the Approved Regulator as a possible misconduct issue. The Law Society, Solicitors Regulation Authority and Bar Council have each produced useful and detailed guidance on this issue, and I would recommend that all service providers review these and familiarise themselves with what their regulator expects.
Our view is that all service providers can mitigate the risk of an attack by taking appropriate steps to safeguard their systems and by having appropriate processes in place, reducing the risk of both the service provider and clients like Mr B becoming victims of this type of crime in the future.