Lawyers warn of rise in sophisticated cybercrime targeting white collar professions



Lawyers, financial advisors and accountants have become the cyber criminal’s target of choice, Glasgow-based Weightmans LLP has warned.

As global cyber-crime rises, the organisations increasingly at risk of attack are those involved in M&A business as they are privy to market-moving information.

This means lawyers, financial advisors and accountants are at risk, and the start of a new financial year might be a good time to do a vital check of their protection, the firm said.

The “FIN4” attacks, which recently came to light in the US, highlighted a major problem which could just as easily hit Scottish dealmakers.

Since mid-2013, the “FIN4” group has targeted large pharmaceutical companies and their advisors, embedding malicious code in emails to track discussions about merger activity.

Whether for financial gain or sabotage, these attacks targeted more than 100, mostly listed, companies.

Since they were discovered, investigations have suggested that insider dealing has evolved.

The firm said the scale and sophistication of its evolution are frightening and the ability via such attacks to manipulate markets on a global scale is “potentially apocalyptic”.

Seonaid Busby, a partner at the firm, said: “Although this sounds like the plot of Hollywood’s next blockbuster, putting the hype to one side, the message for all professionals entrusted with confidential information by their clients is clear.

“They are effectively being asked to handle highly valuable assets. Think of them then as currency and make no mistake they are vulnerable to theft.

“If someone loses a client’s money, they can expect to be sued; for some professionals, lawyers for example, regulatory sanction is also likely.

“Equally, therefore, you should expect the loss of a client’s information or data to be no exception to a similarly tough response.”

However, according to Weightmans, professionals are not taking their exposure seriously enough.

Ms Busby added: “Professional indemnity policies typically guard against any civil liability.

“As a result, many policyholders believe such cover ought to be wide enough to guard against cyber risks.

“In many cases though, this isn’t true.”

There are two reasons for this. First, the scale of loss may well exceed the indemnity limits up to which most professionals insure.

Secondly, while professional indemnity policies guard against liability to third parties, they are much less likely to protect the policyholder against first party losses.

In the event of a cyber-attack, these can be substantial and manifest in various ways, including the costs of repairing damage to computer systems, business interruption, forensic investigation to identify where hackers gained entry, notifying clients that there has been a breach and their data may have been compromised, PR to limit reputational harm and even extortion.

But Ms Busby advised that professionals should not rush out and buy a cyber-policy.

She said: “For a start, not all cyber policies are the same. The correct starting point is to profile the business activities, identifying the risks inherent in them and potential loss scenarios.

“That in turn should highlight any exposures, which can then be checked against the protection offered by the current insurance programme.

“At this point paying particular attention to policy wordings, identifying any gaps in cover, is vital.

“Do not limit the review to any professional indemnity policy either. It’s also important to consider whether cover might be available under any other policies, such as D&O (directors’ and officers’ liability insurance), property or fidelity.”