The local legal sector, specifically conveyancing attorneys, is bearing the brunt of cyberattacks, according to Aon South Africa.
Naturally, it’s not just attorneys at risk. The South African Banking Risk Information Centre (SABRIC) recently published its annual crime statistics, and the report saw digital crime increasing across the board, with digital banking fraud costing South Africans an estimated R262 million.
That having been said, legal professionals appear to be a prime target.
“In a recent case, the sellers of a property approached the court for an order that the conveyancing firm be held liable for their losses after they fell victim to a cyber scam in which they had apparently instructed their conveyancers via email to transfer the proceeds from the sale of their property to a different account. It turned out to be a fraudulent account and the sellers lost R268 348,” says legal risk advisor at Aon South Africa, Samantha Varela.
“The case was dismissed, with the judge stating that despite the fact that the conveyancers did not pay the money into the sellers’ account, their failure to do so was not due to their negligence. From this case, we can clearly see that the allegation of negligence based on a cyberattack is incredibly difficult to prove, and leaves all parties severely compromised,” Varela adds.
How professional negligence is determined
So how would a court determine negligence?
According to Varela, courts would weigh the conduct of a professional against that of a similarly qualified professional with similar skills, qualifications and qualities.
According to the advisor, rather than legal knowledge, it’s the professional’s failure to adhere to office management protocols and good governance processes that can lead to negligence claims.
Lack of a diary system, lack of internal controls, failure to adhere to office procedures, taking on matters where experience is lacking and failure to obtain proper instructions are all cited as the reasons for negligence claims being filed against a firm.
“If these issues are addressed and processes and procedures designed around them, one can begin to manage the implications that they may have on the business,” Varela says.
Insuring against cybercrime
Naturally, insuring against cybercrime is a must-have for legal firms, but it’s not as simple as picking a policy and signing up.
“When it comes to cybercrime, there are many misconceptions around the insurability of these types of risks. Cybercrime is a very complex risk from an insurance perspective, simply because there are so many permutations of it,” Varela says.
The risks a firm faces are numerous. Whether it be a network breach or theft of funds held in escrow, criminals are often looking for anything they can get their hands on.
While the Legal Practitioners’ Fidelity Fund offers professional indemnity insurance cover for legal professionals, it does not cover the following claims:
- Any liability for compensation arising out of or in connection with the insured’s trading debts;
- Misappropriation or unauthorised borrowing of trust money or property by the insured or employee or agent of the insured;
- A risk which is insured or could more appropriately have been insured under any other valid and collectible insurance available to the insured.
To cover the loss of money following a cyberattack, Varela suggests a firm take up a commercial crime policy.
“Finding an insurance solution that addresses, at least in part, the myriad of threats faced by the legal fraternity from a cyber event is a task best undertaken with a specialist broker by your side. It is paramount to take special note of exclusions and to have a clear understanding of what cover is provided by different insurance policies, as you are likely to need a combination of solutions that are able to address your specific risk exposures,” the advisor says.
Risk management is a vital puzzle piece
Together with a comprehensive insurance policy, Varela says a risk management programme should underscore a firm’s insurance efforts.
This involves educating employees to avoid clicking suspicious links as well as monitoring staff across the board. We’ve spoken about zero-trust architecture before and we feel that this is a good model for most businesses, legal entities included.
The goal is to equip employees with the knowledge they need to understand the risks they, and the company, face on a day-to-day basis.
Through this, managing the risk of cybercrime becomes somewhat easier, though we hesitate to say any firm is 100 percent safe from cybercrime.
With that having been said, many hands make light work and the more folks that know what to look for should cybercriminals come knocking, the less risk there is that an employee does something that could have been avoided.