Hack attacks, ransom threats and theft of money through fraudulent transactions are all becoming a stark reality for legal professionals and law firms around the world.
According to the South African Banking Risk Information Centre (SABRIC), South Africa currently has the third-highest number of cybercrime victims worldwide – with the country losing on average R2,2-billion a year to cyber-attacks.
Samantha Varela, a Legal Risk Advisor at Aon South Africa says that conveyancing attorneys specifically are in the sights of cyber criminals and bearing the brunt of the bulk of cyberattacks. The Attorneys Insurance Indemnity Fund (AIIF), now known as the Legal Practitioners’ Indemnity Insurance Fund NPC (the LPIIF), has been notified of at least 110 cyber-scam related claims worth over R70-million since 1 July 2016.
“In a recent case, the sellers of a property approached the court for an order that the conveyancing firm be held liable for their losses after they fell victim to a cyber scam in which they had apparently instructed their conveyancers via email to transfer the proceeds from the sale of their property to a different account. It turned out to be a fraudulent account and the sellers lost R268 348.
“The case was dismissed, with the judge stating that despite the fact that the conveyancers did not pay the money into the sellers’ account, their failure to do so was not due to their negligence. From this case, we can clearly see that the allegation of negligence based on a cyberattack is incredibly difficult to prove, and leaves all parties severely compromised,” notes Varela.
Determining professional negligence
Taking this into account it is important to establish how professional negligence in the context of a cyberattack is determined. “The test for negligence in South African courts is clear: the court will weigh up the conduct of the reasonable professional, to that of a similarly qualified professional, with a similar set of skills, qualifications and qualities,” explains Varela.
Very often it is not the lack of legal knowledge that leads to professional negligence claims in the legal fraternity, but rather non-adherence to basic office management protocols and good governance processes. The main reasons for claims attributed to a lack of supervision can be as a result of:
* Lack of a diary system;
* Lack of internal controls;
* Failure to adhere to office procedures;
* Taking on matters where experience is lacking; or
* Failure to obtain proper instructions.
“If these issues are addressed and processes and procedures designed around them, one can begin to manage the implications that they may have on the business,” says Varela.
Insurance implications
“When it comes to cybercrime, there are many misconceptions around the insurability of these types of risks. Cybercrime is a very complex risk from an insurance perspective, simply because there are so many permeations of it,” adds Varela.
Following are a few examples of cybercrime impacting the legal field:
* Privacy or network security breach;
* Funds transfer fraud;
* Theft of funds held in escrow;
* Corporate identity theft;
* Telephone hacking;
* Push payment fraud; and
* Unauthorised use of computer resources.
The Legal Practitioners’ Fidelity Fund (LPFF), provides professional indemnity insurance cover to legal professionals practicing in South Africa. This policy does not, however, cover claims related to:
* Any liability for compensation arising out of or in connection with the insured’s trading debts;
* Misappropriation or unauthorised borrowing of trust money or property by the insured or employee or agent of the insured; or
* A risk which is insured or could more appropriately have been insured under any other valid and collectible insurance available to the insured.
“Cyber liability insurance is intended to cover the costs, expenses and liability associated with the prevention of access to data or theft of data when the insured’s computer system is breached. The policy will not, however, cover the actual theft of money in your care, custody and control,” explains Varela.
A commercial crime policy, on the other hand is needed to provide cover for the theft of money or property which is in the care, custody and control of the insured as a result of:
* Theft by an employee;
* Fraud committed by an employee; and
* Third-party computer fraud (not by an employee).
“Finding an insurance solution that addresses, at least in part, the myriad of threats faced by the legal fraternity from a cyber event is a task best undertaken with a specialist broker by your side. It is paramount to take special note of exclusions and to have a clear understanding of what cover is provided by different insurance policies, as you are likely to need a combination of solutions that are able to address your specific risk exposures,” urges Varela.
Risk management
A comprehensive insurance schedule also needs to be underscored by a comprehensive risk management programme.
In most instances it’s a case of implementing practices and procedures that will raise awareness of various schemes such as avoiding clicking on e-mail or hyperlinks from unverified sources, in addition to providing adequate supervision and monitoring of staff across the board.
With the proper checks and balances in place, a legal professional can verify a change in banking details or any other fundamental aspects of a matter.
In conclusion, ensuring that a legal professional is aware of and understands the implications of cyber and commercial liability, having stringent risk management procedures in place, making sure that a professional has a well-informed specialist broker by their side and staying abreast of the unfortunate trends facing their industry will go a long way in addressing the far reaching implications of cybercrime.