Current risk management priorities: reports suggest property transactions are being targeted by cyber criminals, and exercising break options continues to be an area of risk for the profession

What are the top risk management priorities currently?

Marsh: Frauds, scams and cyber risks continue to be risk management priorities for the profession, and are arguably the top risk priorities currently.

A recent piece in the Financial Times, “Property cyber crime is escalating” (24 July 2015, by Lucy Warwick-Ching), reports how “fraudsters are aggressively targeting solicitors that handle property sales because of the large sums of money involved in these transactions”. According to the report, the Solicitors Regulation Authority is receiving a growing number of reports of firms either being contacted by fraudsters or falling victim to fraudulent activity. The majority of these frauds and attempted frauds in England & Wales take one of two forms, both of which have been experienced in Scotland and have been the subject of risk alerts issued by Marsh and by the Society.

One type targets online banking. It involves fraudsters contacting law firms pretending to be from the bank’s fraud team and, by a carefully executed con trick, eliciting password/PIN details that enable the fraudster to access and steal from the firm’s online banking account.

The other involves interception of email exchanges between law firm and client with the fraudster sending an email with bank transfer instructions which appear genuine, are relied on and payment of substantial sums in to the fraudster’s bank account. According to the Financial Times report, in England & Wales, most of these email frauds target settlement of property transactions with large sums of money involved. The report cites a recent case in which £333,000 was remitted to a fraudster’s bank account.

It is believed that fraudsters use technology which is capable of scanning large volumes of email traffic to identify individual emails containing bank account details. It is also suspected that fraudsters take advantage of the fact that the time pressures involved in property transactions mean that there is less likelihood that emails will be scrutinised and anomalies spotted or queried.

Although the Financial Times piece reported on the targeting of property transactions, the email interception fraud risk applies equally to any area of practice involving remittance of funds.

What risk management actions should solicitors be taking?

Marsh: In summary, follow the guidance provided in the series of risk alerts issued by Marsh and by the Society, and in previous issues of this column. Refer, for example, to the guidance in the articles “Frauds and Scams – increasing awareness” (Journal, November 2014, 44), “Are you a cyber risk?” (Journal, February 2015, 44), and “Unlucky Fridays” (Journal, July 2015, 44). As a minimum, risk controls need to address the following points:

  • Whenever a client provides bank account details/instructions for the first time (or changes details/instructions), it’s essential that these are verified.
  • If the client has provided new details/instructions by email, when contacting the client for confirmation be sure to do this by a different form of communication, e.g. telephone or letter. This minimises the risk that a fraudster who has provided a fraudulent payment instruction is also in a position to provide false validation by intercepting your request for confirmation.
  • If bank account details need to be sent by email, if practicable send them by encrypted message with a password.
  • Risk alerts have provided guidance in relation to online banking frauds. This guidance was directed at firms’ cashroom and finance team colleagues, but critical points which are relevant to all of us are:
  • Banks will never ask you to disclose your PIN.
  • Email or telephone requests for password/PIN information should NOT be answered.

It should be assumed that fraudsters are very skilled in the planning, timing and execution of every aspect of their activities. Michael Blüthner Speight’s article in the July issue refers to the “Friday afternoon scam”, so-called because it is completion time for many conveyancing transactions. The timing takes advantage of the potential distraction of other challenges and priorities.

Recently, a large English practice was the victim of a fraud where an email purportedly from a partner (but actually from a fraudster) instructed the firm’s finance team to effect a transfer of funds. The email and its language were evidently so convincing that risk-aware colleagues acted on the fraudster’s email instruction after believing it to be genuine.

As well as effective IT and practical risk controls, it is an essential part of firms’ risk management that all colleagues maintain the highest levels of risk awareness and vigilance. Consider:

  • circulating bulletins and alerts to all colleagues;
  • delivering fraud risk awareness training;
  • encouraging, or requiring, all colleagues to undertake Marsh Information Security and Frauds & Scams training modules and assessments.

Consider also the online course, Cyber security for Legal & Accountancy Professionals, developed by the UK Government as part of its National Cyber Strategy, with the support of both the Law Society of England & Wales and ICAEW (cpdcentre.lawsociety.org.uk/course/6707/cyber-security-for-legal-and-accountancy-professional).

What other issues should be considered risk management priorities currently?

Marsh: Break options and service of break notices in relation to commercial leases continue to justify risk management focus.

Past Journal articles have flagged the risks associated with the exercise of break options in commercial leases. In the event of an error or omission on the part of the tenant’s solicitors in the drafting or service of a break notice, any claim can be very costly, reflecting the exposure to annual rent and other outgoings for an unwanted period (of years) of the lease.

In adverse commercial property market conditions, there is a greater likelihood of landlords taking advantage of the slightest discrepancy in a tenant’s exercise of a break option. This has been apparent in the Master Policy claims experience of recent years. While the frequency has not been significant, the claims which have arisen have tended to be very costly.

In principle, increasing demand for commercial premises to rent ought to have a favourable impact on the risk of claims arising out of ineffective break notices. However, it doesn’t mean the risk of claims arising out of the exercise of break options no longer exists. Claims continue to arise.

The claims experience suggests that the safest approach is to ensure, perhaps with the assistance of a checklist, compliance with:

  • the precise letter of all the requirements for exercising the break option;
  • time limits;
  • correct method of service;
  • correct addressee;
  • correct address for service of notice;
  • any conditions attached to the exercise of the break option.

Reference is made to “Breaking up is hard to do” (Journal, September 2009, 42). That article encouraged readers to review their firms’ procedures in the light of the potential pitfalls it identified. Consider reviewing the article now and assessing the effectiveness and consistency of your firm’s approach to drafting and service of break notices.

Alistair Sim and Marsh

Alistair Sim is a former solicitor in private practice, who works in the FINPRO (Financial and Professional Risks) National Practice at Marsh, global leader in insurance broking and risk management. To contact Alistair, please email alistair.j.sim@marsh.com

The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.

Marsh Ltd is authorised and regulated by the Financial Conduct Authority.

Share this article
Add To Favorites