Professional Indemnity Risk Alert: Increase in Fraud and Cyber Crime
We have seen a recent rise in cyber crime targeted at law firms, specifically account takeover, identity fraud, and scams.
Although we recognise that this issue is not novel, we believe greater vigilance is required, as there has been a noticeable increase in activity reported to us in the last few weeks.
Examples of very recent law firm cyber attacks include:
- Global law firm (two incidents):
- (1) Client’s email was hacked and the firm was fraudulently induced to pay monies to a fraudulent bank account.
- (2) Firm sent a third-party invoice to the client for payment. The email was intercepted, account details changed, and the client was urged to make payment into a fraudulent bank account.
- UK law firm reported a £1.3 million property identity fraud – very similar in nature to Dreamvar versus Mishcon de Reya.
- UK law firm was tricked by a short series of scam emails into paying away almost £500,000 in proceeds of conveyancing to a fraudulent bank account.
In wider society, we are also seeing increasingly sophisticated cyber attacks against corporations and individuals.
An increase in cyber attacks has been predicted for some time based on the perception that remote working security and practices are weaker than office-based approaches.
Changes to Insurance Coverage
As a result of regulatory concern about the risk of insurer insolvency from unintentional cyber cover, insurers are looking to remove such non-mandatory coverage from traditionally broadly worded professional indemnity policies. We will be commenting on this further in our next Risk Dimensions newsletter.
Loss of client data and business interruption are high severity, high probability events that are already on the risk registers of many firms. However, we believe that firms should now re-think their approaches on the basis that the threat level has increased, and the mitigants available (such as insurance) may cost more, or not be available. Normal safeguarding routines should also be reviewed and exercised.
Raise awareness: Share this note and the resources below with your management group, and ask them to ensure their teams are all aware of the elevated risk.
Shrink the attack surface: One barrier, which may help prevent some situations for UK-based firms, is to disallow internet connections to any of the firm’s systems from IP addresses outside the UK. This is not always simple, but many security systems have basic settings that default to allowing connections unnecessary for the normal operation of a UK-based firm. These can often be configured to prevent connections from ranges of IP addresses.
Bring forward plans: If security improvements and/or drills are scheduled for later in the year, bring them forward to now, if possible.
Check your insurance: Review your cover with your broker, particularly in relation to cover for theft.
Available resources on these issues include:
- COVID-19: Cybersecurity Checklist for Remote Working
- Fraud and Scams – How to Protect Your Business
- Dreamvar: The Final Chapter?
- Hybrid Working: Covid-19 and the Rise of Cyber Fraud
- QBE: Fraud Prevention Toolkit
- Cyber Security: Top 12 Tips to Protect Against a Cyber Attack
- Cyber Security: Social Engineering
- Cyber Attacks on Solicitors Firms and Cyber Insurance – The SRA’s Thematic Review on Cyber Security
To find out more about Marsh professional indemnity insurance, click here.