The importance of cyber risk management for law firms has received increased international attention following the widely covered data breach at the Panamanian law firm, Mossack Fonseca & Co, in April 2016. The ransomware attacks against some large international law firms in recent years have also received extensive media coverage.
The Legal Practitioners’ Indemnity Insurance Fund NPC (LPIIF) claim statistics show that South African law firms have been the target of cybercriminals for over a decade. The modus operandi in the claims notified is similar, with an e-mail purporting to be from the intended recipient of funds being sent to the party making the payment. The fraudulent e-mail gives the details of a fraudulent bank account into which the law firm is then induced to pay the funds. This is commonly referred to as a ‘business e-mail compromise’ fraud. Examples of the modus operandi and the questions giving rise to the liability on the part of the law firm can be gleaned from the judgments in Jurgens and Another v Volschenk (ECP) (unreported case no 4067/18, 27-6-2019) (Tokota J) and Fourie v Van der Spuy and De Jongh Inc and Others 2020 (1) SA 560 (GP). This, however, is only one type of cyber-attack. Other methods of cyber-attack include –
The cyber-attacks have become more sophisticated over time and technological advancements, together with the current offsite and virtual working environments, have also provided a fertile ground for the cyber criminals to increase their attacks on law firms. The modus operandi has also become more sophisticated. For example, the LPIIF was recently made aware of an incident where a professional indemnity (PI) claim had been settled and the capital amount paid to the plaintiff’s legal practitioner. When the party and party costs were due to be paid, the correspondence ‘supposedly from the plaintiff’s legal practitioner’ included a document, which purported to be issued by one of the large commercial banks as proof of the account into which the funds were to be paid. The vigilance on the part of the LPIIF panel attorney and the staff in his office prevented the funds from being paid into the fraudulent account. The panel attorney had also phoned the plaintiff’s legal practitioner to alert him to this attempt to defraud him and his client.
In another incident, an information and technology service provider with whom there is an existing contractual relationship issued an invoice for services rendered. The service provider’s account has always been held with bank ‘X’. Shortly thereafter, a letter purporting to be from the service provider was received with instructions to make payment into a bank account with ‘Y’ bank. The reason for the change in banking details, claimed the fraudulent letter, was the problems with bank X’s system. This occurred soon after problems with ‘double-debits’ had been experienced by certain customers of bank X, which was covered in the media. The ‘explanation’ for the request to change banking details, thus seemed, at the time, to be reasonable. Once again, vigilance on the part of the staff in the finance department identified the potential fraud and contacted the service provider who was shocked to learn of the attempt to defraud it.
These two examples of recent cases show the extra vigilance required to avoid falling victim to cyber-attacks.
The national crime statistics released by the South African Police Service (SAPS) for the 2010/2011 to the 2019/2020 reporting periods show an increase of 0,1% in the category grouped collectively as ‘commercial crime’ (www.saps.gov.za) in the most recent reporting period. The SAPS statistics, unfortunately, do not give a breakdown of the granular detail in the commercial crime category to show the proportion of cybercrime related matters in relation to the broader commercial crime category. It is thus not possible to ascertain, from the national crime statistics, the number and value of cybercrime related crimes reported or the targets of this type of crime in South Africa (SA). The production of a detailed breakdown (as has been done with contact crimes and those involving violence, for example) of the cybercrime statistics, showing the respective profiles of the perpetrators and the victims, the monetary values involved, whether the losses are potential or actual, geographical spread and the modus operandi would have given a detailed picture of the extent to which legal practices have been targeted by cyber criminals. It is also not known to what extent law firms are reporting cybercrime incidents to the SAPS. This information will be valuable in an assessment of the cyber risk and in developing appropriate measures to mitigate the risk. It will also assist the insurers in conducting appropriate underwriting exercises on this type of risk in order to appropriately price the risk and determine the terms of cover.
One of the challenges in dealing with cyber risk is a lack of appreciation by some legal practitioners of the nature and extent of this risk and its increasing likelihood in the current operating environment. An analysis of the data extracted from the Fidelity Fund Certificate application system shows that less than a third of practitioners have indicated that they have cyber insurance cover in place. This is a serious cause for concern considering that cyber is a risk faced by all legal practices.
Shanice Naidoo in ‘Cybercrime on the rise since start of lockdown’ (www.iol.co.za/weekend-argus, accessed 4-4-2021) reports that 37% of South African businesses surveyed experienced cyber-attacks in the last year. Comprehensive statistics on the extent of cyber-attacks on legal practitioners in SA are not immediately available, but, from the available information, it can be noted that:
– unauthorised access to bank accounts (68%);
– unauthorised access to internal e-mail (47%);
– customer data being stolen (46%);
– systems being locked with ransomware (37%);
– fines and penalties related to the Protection of Personal Information Act 4 of 2013 (18%);
– 9% of the respondents indicated that they were not concerned about any of the listed threats; and
– 37% of the respondents reported having had a cyber related incident in the last year (SHA Risk Specialists 2020 The Annual Risk Review at 34 (www.sha.co.za, accessed 5-4-2021)).
‘9. Requests the Commission on Crime Prevention and Criminal Justice to establish, in line with paragraph 42 of the Salvador Declaration, an open-ended intergovernmental expert group, to be convened prior to the twentieth session of the Commission, to conduct a comprehensive study of the problem of cybercrime and responses to it by Member States, the international community and the private sector, including the exchange of information on national legislation, best practices, technical assistance and international cooperation, with a view to examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime.’ The IBA has also given extensive coverage to the cyber risk for law firms. An international study conducted by the IBA (Cyber Security Bars Research (www.ibanet.org, accessed 5-4-2021)) includes a reference to the cybersecurity guidelines published by the Law Society of South Africa.
It goes without saying that cybercrime is one of the main risks that a legal practice must consider when conducting its risk assessment. The vulnerabilities flowing from the remote working environment must also be assessed. Some of the consequences of a cyber risk materialising will include the inability to operate (particularly in the face of a ransomware attack), the reputational damage to the firm and liability to third parties who may have suffered damages because of the attack.
This is also a regulatory and compliance matter. The appropriate internal controls must be developed, implemented and monitored (as required by r 54.14.7 of the Legal Practice Council Rules made under the authority of ss 95(1), 95(3) and 109(2) of the Legal Practice Act 28 of 2014) to mitigate exposure to this risk. The internal controls must include a system of verifying the banking details (and any purported change to the banking details) of the recipient before making payments as prescribed in r 54.13. If trust funds are lost in the cyber scam, the result will be a shortfall in the trust balances (r 54.14.8), the trust account being in debit (r 54.14.9), which must be immediately reported to the Legal Practice Council as required by r 54.14.10 and the shortfall rectified.
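The verification control described above can be reduced to a simple rule that a practice management or accounting system can enforce before any payment is released: a beneficiary’s banking details are captured and verified once, and any instruction (invoice, letter, e-mail) whose details differ from that verified record is held until the change has been confirmed by telephone on the number already on file, never on a number supplied in the change request itself. The following Python is an added illustration of that rule and is not code from the article, the LPIIF or the Legal Practice Council; the beneficiary name, account numbers, branch codes and telephone number are constructed placeholders. It walks through the ‘bank X to bank Y’ incident described earlier: the original invoice matches the register and is released, the follow-up letter does not match and is held.

```python
"""Pre-payment beneficiary verification control (added example, constructed data).

Rule enforced: funds are released only to banking details that match the
independently verified record for that beneficiary.  A purported change of
banking details is held until confirmed out of band, using the telephone number
captured at onboarding rather than any number quoted in the change request.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class BankDetails:
    bank: str
    account_number: str
    branch_code: str


@dataclass
class Beneficiary:
    name: str
    details: BankDetails   # verified at onboarding (e.g. original signed mandate)
    phone_on_file: str     # captured at onboarding, never taken from incoming correspondence


@dataclass
class PaymentInstruction:
    beneficiary: str
    amount: float
    details: BankDetails   # banking details as stated in the invoice/letter/e-mail received
    channel: str           # how the instruction arrived: "email", "letter", ...


@dataclass
class Decision:
    release: bool
    reason: str


def check_payment(instr: PaymentInstruction, register: Dict[str, Beneficiary]) -> Decision:
    """Decide whether a payment may be released against the verified register."""
    bene = register.get(instr.beneficiary)
    if bene is None:
        return Decision(False, f"unknown beneficiary {instr.beneficiary!r}: onboard and verify before paying")
    if instr.details == bene.details:
        return Decision(True, "bank details match the verified record")
    # Any difference, however plausible the stated reason, is held for out-of-band confirmation.
    return Decision(
        False,
        f"bank details received by {instr.channel} differ from the verified record "
        f"({instr.details.bank} vs {bene.details.bank}); call {bene.phone_on_file} to confirm before paying",
    )


def confirm_change(register: Dict[str, Beneficiary], name: str,
                   new_details: BankDetails, number_dialled: str) -> None:
    """Update the verified record only after confirmation on the number already on file.

    `number_dialled` is the number the finance clerk actually phoned.  If it is not the
    onboarding number, the confirmation is rejected: a number quoted in the change
    request would simply connect the clerk to the fraudster.
    """
    bene = register[name]
    if number_dialled != bene.phone_on_file:
        raise ValueError("confirmation must use the telephone number on file, not one from the request")
    register[name] = Beneficiary(name, new_details, bene.phone_on_file)


# Constructed sample register: one IT service provider that has always banked with "Bank X".
beneficiary_register: Dict[str, Beneficiary] = {
    "Example IT Services": Beneficiary(
        "Example IT Services",
        BankDetails("Bank X", "0000000001", "000001"),
        "+27 00 000 0000",
    ),
}

ORIGINAL_INVOICE = PaymentInstruction(
    "Example IT Services", 12500.0, BankDetails("Bank X", "0000000001", "000001"), "email")
FOLLOW_UP_LETTER = PaymentInstruction(
    "Example IT Services", 12500.0, BankDetails("Bank Y", "0000000002", "000002"), "letter")


def demo() -> tuple:
    """Run the two instructions from the incident through the control (does not mutate the register)."""
    return check_payment(ORIGINAL_INVOICE, beneficiary_register), check_payment(FOLLOW_UP_LETTER, beneficiary_register)


if __name__ == "__main__":
    for decision in demo():
        print("RELEASE" if decision.release else "HOLD   ", decision.reason)
```

The point of `confirm_change` is that the register is only ever updated after a call to the number captured at onboarding; the clerk cannot ‘confirm’ a change by phoning a number printed on the letter that requested it, which is how the attempt in the second incident would otherwise have succeeded.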
Other risk management suggestions are:
It must always be remembered that insurers price the premium of any policy and set the terms of cover according to their perception of the risk. Legal practices will be well advised to ensure that they have the appropriate measures in place to mitigate cyber risks and thus be favourably viewed by insurers.
Thomas Harban BA LLB (Wits) is the General Manager of the Legal Practitioners’ Indemnity Insurance Fund NPC in Centurion.
This article was first published in De Rebus in 2021 (May) DR 6.