Professional Indemnity Insurance - Fraud and IT Risk

Is your head in the cloud?

With the MoJ website being taken down on 11 February 2014 by hackers through a distributed denial of service (DDoS) attack, it is clear that even a system perceived as strong is far from immune. Whilst this may have been an attempt to disrupt HM Government work, it is not too far-fetched to imagine the disruption a cyber attack would impose on a law firm and its clients.

Change is good?

All firms have had to become more agile and client facing in terms of technology, in just a few short years, in order to keep up with the needs of clients and business.

Whilst cyber crime is an easily and often misused term to describe many serious organised criminal activities, solicitors remain in a unique position by dint of their client account and the substantial professional duty to protect client privilege and confidentiality. As such, firms remain (as in the world of money laundering) rather attractive to organised crime and occasionally vulnerable to less sophisticated criminals.

The classics witnessed in the 1980s of lawyers sat on the Euston train with files all beautifully spine labelled with the client name may have been replaced by occasional inappropriately frank mobile calls and now tablets, but the risks remain. You may have embraced cloud computing. Your lawyers and staff may use their own devices for client work and for your business. You and your clients are almost entirely dependent on the constant availability, accuracy and confidentiality of ICT. Long gone are the days when lawyers gathered around a fax machine the size of a fridge.

It is ironic, but not entirely beyond belief, to hear a rumour that in Moscow there is a desire to return to the typewriter so there is no e-trace and metadata following a document forever in time.

National Fraud Authority (NFA)

Action Fraud is managed by the NFA, working with the National Fraud Intelligence Bureau (NFIB), which is managed by the City of London Police. Fraud and internet crime can be reported to Action Fraud on 0300 123 2040. This provides a central point of contact for information about fraud and financially motivated internet crime.

According to the NFA, for the financial year ending April 2013 Action Fraud received 58,662 reports of cyber-enabled fraud, but found that around one quarter of victims do not report the crime. The NFA cautiously estimated that fraud by organised criminals was around £18.9 billion. Action Fraud put the costs overall to the UK economy in 2012 at £73 billion, of which £6.1 billion was to individuals.

Those within the police specialist service readily say that the fraudsters are always coming up with ever more sophisticated ways to make money and as such, the police (and legitimate business) need to be ever smarter in protecting UK Plc from domestic and international crime.

In the Midlands there is the Midlands Fraud Forum providing a network of people directly involved in the business of combating fraud and enabling a sharing of best practice. Many lawyers are amongst its members.

So, what does the elephant in the room look like?

The common issues include BYOD (bring your own device), where technology is not necessarily subject to the same protocols and security as your own; phishing – where fake emails request personal information; advance fee fraud (still there after all these years); malware attacks; and malicious use of 3G routers and keyboard and mouse devices, enabling fraudsters posing as IT engineers to fix and control computers remotely via a code.

Gold mining data of customers at one of the leading banks has shaken confidence in that brand and highlights the reputational risk a law firm has with the care of client data.

Recent reports indicate that the Midlands may be a fraud hotspot, with potentially more reported fraud than the whole of Scotland, Wales and NI combined in 2013 according to research by BDO, costing the region over £200M - and much more when unreported fraud is included. The growth in transparency of law firms and their finances via the SRA may mean that more is discovered.

Law firms are far from immune, as seen recently with the Home Affairs Select Committee being told by the Information Commissioner Christopher Graham of potential breaches of the Data Protection Act caused by rogue private investigators instructed by those firms. A cautionary note if a law firm, or indeed anyone else, instructs a (currently) unregulated business to investigate cyber crimes.

Identity Fraud

According to the Fraud Prevention Service, over 4M people in the UK have been a victim of ID fraud, with a range of immediate financial loss, but a far longer and tragic tale of destruction before one can restore finances and credit ratings.

Client identity checks

All firms will these days ensure that before they act for a client they take all the advised and fundamental steps to know who their new client is.

So, when your client instructs you by email to transfer funds, is it still your client that is emailing you? It may be worth checking whether emails go straight to deleted items. Do some cross checks. Call the client to verify, or see the client face to face, before your accounts system electronically sends the funds to the third party.

Cyber Security Information Sharing Partnership

SME law firms have recently been invited by The Law Society to meet the leaders of the CISP, set up by the Cabinet Office to enable sharing of information and intelligence on cyber security threats, including viruses, spyware and denial of service attacks. This is one of a number of initiatives available to law firms to raise awareness of what, potentially, could bring down a firm, large or small.

Taking risks - that's business development surely?

It is inherent that to grow a business one has to take a risk. Here, however, for a law firm it is about the fundamental protection of the interests of the client and, as a consequence, the preservation of your firm and its hard-won reputation.

Active Risk Management

Change can be very tricky to control and has its own speed and agenda. Having a considered and active anti-fraud policy is a step forward. Review it regularly. Your COLP and COFA will have a keen interest from a business and personal perspective.

Test the penetration of your systems and websites. By doing so you can be better positioned in discussions with your IT providers to support your best practice and reduce your exposure to fraud.

A penetration test/vulnerability audit from a reputable and market known provider gives you some peace of mind and may give you some risk transfer. It will also support the culture applauded by your A-rated PI insurers that you actively deal with risk and have considered the dangers of cyber crime.

Contemplating the detailed questions on your proposal form at regular points through the year will enable the completion of that form to be more measured and proactive. In itself, this regular objective review of systems will go some way to ensuring your IT systems work just for the benefit of your firm and your clients, rather than the next criminal, be it organised or opportunistic.

Wesleyan’s Professional Indemnity Team can be contacted on:

0800 107 8171

This article is a general guide and is not a substitute for professional advice. No responsibility can be taken for any loss incurred by anyone acting or failing to act on the basis of this article.

© 2021 Wesleyan Assurance Society