A firm of solicitors recently experienced a break-in at their premises. The firm’s offices were secured as usual at close of business. During the course of the night, intruders gained access to the office. It appears that the raid had as its objective the removal of as much electronic equipment as the thieves could carry away. They removed hard disks, monitors, cabling, software and caused damage to the office. None of the equipment has been recovered.
- Confidentiality breach?
- Accounts Rules Compliance problems?
Even where procedures have been agreed for the backing up of accounting records, experience shows that, in practice, those procedures are sometimes allowed to lapse with the result that back-ups are taken much less frequently than intended. If the latest back-up tape is continually left in the computer, there is a risk that the precious tape will disappear along with the hardware in the event of a burglary.In that event, there may be severe practical difficulties in demonstrating compliance with the Accounts Rules because of the loss of equipment and up to date back-up. This situation could continue until replacement hardware and software is obtained, the latest accounting information loaded from the latest back-up available and postings brought up to date. Replacement software may not always be available straight away and this may compound the delay.
- Accounting problems generally?
- Software costs?
- Re-work and lost productivity
Inevitably, partners and others will end up investing substantial time dealing with all of the above.
Lessons to be learnt
The consequences of the recent theft have led to a reappraisal of the firm’s risk management procedures. It is unlikely that thieves would have wanted, or been able, to remove paper files to such devastating effect and the risk controls which have now been put in place take far more account of the potential consequences of a break-in and theft of computer equipment.The ‘paperless office’, now being contemplated by some practices, will create even greater dependence on the availability of firms’ IT systems. Security arrangements and contingency plans therefore become increasingly important.
For firms involved in investment management with records held electronically, it could be enormously disruptive and damaging to be unable to access up to date information on shareholdings, particularly if the problem occurs around the end of the tax year or a Budget involving eg Capital Gains Tax changes.
- Physical security
Review security arrangements at a very basic level – making sure that those persons with office keys are aware of their duties regarding securing the premises and setting any alarm systems. Practices without approved building alarm systems should perhaps review whether such a system might be a worthwhile investment. Installation may also help to gain a reduction in office insurance premiums.
- Systems back-up procedures
Audit/review/test back-up procedures to ensure that they are effective. Allocate responsibility for such procedures. Provide appropriate guidance and training to the staff concerned.
Secure, off-site storage of back-ups must be an essential element of a practice’s back-up procedures.
Review insurance arrangements to ensure that the scope of cover and the sums insured are adequate and check, specifically, the events in which business interruption cover will apply and the period for which that cover will operate. For some types of cover, insurers require to have details of the firm’s equipment and it is therefore essential that insurers are advised timeously of any acquisitions of new equipment/software.
- Contingency planning
Have a plan in place describing, prioritising and allocating responsibility for the action to be taken in the event of a theft, fire, flood etc. and records being lost or destroyed.
The plan should include a list of contact details of those who may be able to provide assistance according to the type of event. This might include –
- the police
- the firm’s office insurers
- the Master Policy insurers (per Marsh), at least on a precautionary basis – it may be that loss of systems and data will result in claims
- particularly if the firm’s accounting records have been compromised, the Society’s Chief Accountant.
- the firm’s accountants
The information in this page is (a) intended to provide guidance on matters of practical risk management and not on issues of law and (b) is necessarily of a generalised nature. It is not specific to any practice or to any individual and should not be relied on as stating the correct legal position.
Alistair Sim is Associate Director in the Professional Liabilities Division at Marsh UK Limited (e-mail: Alistair.J.Sim@marsh.com)
Charles Sandison is a Consultant with the Business Risk Consulting Division at Marsh UK Limited (e-mail: Charles.Sandison@marsh.com)