Brokers, advisers and their PI policies
On 17 February, FAnews published a newsletter, “Think twice before emailing banking details”, based on a press release in which Anri Dippenaar, Head of Compliance at Masthead, said that if you are familiar with the recent Johannesburg High Court ruling that ordered a local law firm to pay a cybercrime victim R5.5 million – plus interest – and punitive legal costs, you might think twice before hitting the send button.
A brief recap
On 16 January 2023, Judge Phanuel Mudau ruled in favour of Judith Hawarden, who took law firm ENSafrica to court after she paid R5.5 million into what she believed was the firm’s trust account.
Unbeknown to Hawarden, her email account had been hacked. This allowed the cybercriminals to intercept emails from ENS and change the firm’s banking details to their own. Hawarden’s legal team argued that ENS should have properly warned her about the danger and prevalence of BEC (business email compromise) in the conveyancing industry before she made any payments to them, and that the firm should have communicated its bank details in a safe manner, using more secure means of communication.
ENS’ legal team, on the other hand, stated that Hawarden herself had been negligent in not confirming the account details. ENS also stated if they were found guilty, the ripple effect of the judgment would extend to “all businesses who send their invoices, with their banking details, to their clients by email, which is a near-universal practice for all firms and indeed all businesses to do so”.
Judge Mudau said the cybersecurity experts who testified in court agreed that email is not secure, that PDF documents can be manipulated, and several cybersecurity measures were available at the time which “would have averted the fraud”. “ENS was at fault on the basis of negligent conduct,” he explained.
Would PI even cover this?
The judgment could be overturned if ENS appeals; however, it currently sets a precedent applicable to all businesses that use email to send banking details.
We then asked our readers if they believe ENS was at fault on the basis of negligent conduct, to which one reader responded, and posed a very interesting question.
“It is a hard one to judge who was at fault. We are all so busy trying to do our business that we miss small things like an error in the email address… It is very scary that this can be done to a company the size of ENS. The question is, would your PI even cover this?” asked Craig.
FAnews approached a few experts for their comments on the question posed.
Understanding the scope of cover
“We do not think that the decision against ENS is a surprise at all. We don’t think it is a “shift” as the article seems to imply. We think it was simply a matter of time and now a court has ruled. As Leppard, we know that cyber and email interception and falsification exist. We have experienced numerous issues with emails being intercepted and details changed, with some producing claims, some not,” said Steve von Roretz, Chairman of Leppard and Associates.
“It would be very important to understand the scope of cover for the legal profession. The Legal Practitioners Indemnity Insurance Fund (LPIIF) in simple terms does not cover liability arising out of a cyber event. I believe the more responsible PI products for lawyers would all cover such an event. Some through specific cyber covers, some, like the Leppard policy, as part of the policy. But all the policies would have coverage subjectivities relating to the cyber exposure, and these would orientate around risk management of the exposure, from up-to-date IT protections to protocols concerning identification and authentication. Some PI insurers require absolute compliance with the protocols, but some, like Leppard, require evidence that a protocol is in force and has been communicated to all staff prior to the cyber event,” continued von Roretz.
This court decision, according to von Roretz, will have an impact such that the PI policies will require a protocol that “works both ways”. “This means that the business must check when, by example, they pay third parties and change bank details AND now will need to ensure that if they tell someone to pay based on some document, they also need to ensure there is a reverse authentication and identification protocol.”
PI policies and exclusions
“The above equally applies to brokers and advisers and their PI policies. As to advice to brokers and advisers: Leppard is precluded by law from giving advice, but our opinion about sending or relying on email communication and attachments is to never trust anything you receive, so double check everything. It is not enough to rely on one process but rather add to the process through independent authentication AND ensure that your customers, when paying anything to you or under your instruction, are informed and authenticate back to you before making any payment. This may seem yet another layer of complexity, but it is critical and will pay a handsome dividend in the long run,” concluded von Roretz.
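The “works both ways” protocol described above, from the paying party's side, as an added example that is not code from FAnews, Leppard or any firm named in the article: an incoming payment instruction is released only if its account matches the details verified at onboarding, and any change is confirmed through the contact number held on file, never the number printed in the message. The beneficiary register, account numbers and phone numbers are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Tuple

@dataclass(frozen=True)
class Beneficiary:
    name: str
    account: str   # account number verified at onboarding
    phone: str     # contact captured at onboarding, never taken from an email

@dataclass(frozen=True)
class Instruction:
    beneficiary: str
    account: str           # account stated in the incoming email or PDF invoice
    amount_cents: int
    phone_in_message: str  # contact number printed in the same message, if any

# Outcomes returned by decide_payment()
RELEASE = "release"
HOLD_UNKNOWN = "hold-unknown-beneficiary"
REJECT_UNCONFIRMED = "reject-unconfirmed-change"

Register = Dict[str, Beneficiary]

def decide_payment(instr: Instruction, register: Register,
                   confirm: Callable[[str, Instruction], bool]) -> Tuple[str, Register]:
    """Decide whether a payment may be released; returns (outcome, register).

    confirm(phone, instr) performs the independent check (e.g. a call-back)
    using the number ON FILE and returns True only if the beneficiary confirms
    the new account. It is deliberately never handed instr.phone_in_message,
    since a tampered message will carry the attacker's contact details.
    """
    known = register.get(instr.beneficiary)
    if known is None:
        # First-time payee: verify and onboard through a trusted channel first.
        return HOLD_UNKNOWN, register
    if instr.account == known.account:
        return RELEASE, register  # matches previously verified details
    # Details differ from what is on file: the BEC pattern. Verify via the
    # independently obtained contact; the original register is left untouched
    # unless the change is confirmed.
    if confirm(known.phone, instr):
        updated = dict(register)
        updated[instr.beneficiary] = replace(known, account=instr.account)
        return RELEASE, updated
    return REJECT_UNCONFIRMED, register

# Constructed sample data: a conveyancer verified at onboarding, and an
# instruction whose account (and contact number) were altered in transit.
REGISTER: Register = {
    "Acme Attorneys": Beneficiary("Acme Attorneys", "1234567890", "+27-11-000-0000")}
GOOD_INSTRUCTION = Instruction("Acme Attorneys", "1234567890", 550_000_000, "+27-11-000-0000")
TAMPERED_INSTRUCTION = Instruction("Acme Attorneys", "9999999999", 550_000_000, "+27-82-111-1111")
```

When the firm is the party being paid, the same check is what its client should run, which is why the firm needs the client's verified contact details on file before sending an invoice.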
Lisa Swaine, Partner at Webber Wentzel, said in the ENS case, it was the client's system that had been hacked. “ENS was liable to pay the amount lost to its client as a result of the hack. Whether a PI policy will provide cover for an attorney's negligence in sending banking details by email will depend on the terms of the particular PI policy but, based on the PI policies I have dealt with, in this instance, a PI policy will probably cover the attorney's liability.”
“However, if, on the other hand, it was the attorney's computer system that was hacked, cover would, ordinarily, be excluded as most, if not all, PI policies contain an exclusion of cover for liability in instances where the insured's system was hacked or compromised. I say "ordinarily" because some insurers provide an extension which, if purchased by the insured, may provide the cover required. A separate Cyber Liability policy would probably provide cover for the attorney's liability in these circumstances,” added Swaine.
Amanda Schoeman, PI Manager at SHA Specialist Underwriters, said, “This will not be covered under a PI policy as claims arising out of theft, fraud and dishonesty are specifically excluded, and it contains a strict Cyber Liability Exclusion as well. As there is no specific cover in the market that would provide cover in this instance, cover has generally been extended under Misappropriation of Trust Funds cover for this specifically. This extension, however, has a very robust deductible structure and it is linked to the insured, as a minimum, having due diligence procedures in place before making payments to verify banking details and the like. This only provides protection in circumstances where the insured has fallen victim and not their clients. Cover cannot be extended to protect their clients where those clients are the victims of cybercrime.”
Applying the principles to FSPs
Schoeman added, “It is not clear how brokers could be held liable, other than where they are selling something like Cyber Liability to their clients, but they can only advise to what the intention of the cover is as the policy response would be determined by the specific circumstances of an incident, policy terms, conditions and exclusions.”
“An FSP is, in terms of Section 2 of the General Code of Conduct for Authorised Financial Services Providers and Representatives, required to act with the required due skill, care and diligence in the best interests of the client. Whether or not this is something that itself could trigger a complaint against an FSP is difficult to say, as each complaint is considered on its own merits, and there are numerous factors that are considered when investigating a complaint in respect of the financial service rendered. FSPs receive and transfer money for clients in a similar manner to legal practitioners. Applying the principles from the ENS judgment, there appears to be a basis for arguing that taking reasonable steps to advise and protect the client against hacking and interception would be recommended,” commented the FAIS Ombud.
“Some best practices that financial services providers could consider are: to try to use secure communication channels such as encrypted messaging platforms or secure file-sharing services to exchange sensitive information with clients. They should also ensure that the client's identity is verified before sharing any confidential information; they should educate clients about phishing scams and advise them to be cautious about sharing sensitive information over email. Clients should be encouraged to verify the authenticity of the sender's email address and to avoid clicking on links or downloading attachments from unknown sources; and lastly, financial services providers should consider implementing security protocols such as two-factor authentication and password management to protect their clients' sensitive information,” concluded the FAIS Ombud.
A concerning precedent
“We have seen some instances where attorneys do make a statement on their “onboarding” documents and invoices stating that it is unlikely that banking details will be changed, and that their clients should verify with the firm should they receive instructions to change, or find different, banking details on any instructions. In light of this latest judgment, companies should consider, at least, including something similar along with a notice that they will not be legally liable should their clients use the incorrect banking details. In addition to this, the court did not deal with the general legal liability that should apply as a standard across all professions in this respect. This is, therefore, a much bigger issue and, if this judgment is upheld, could create a concerning precedent for all businesses and professions, and it might be a requirement going forward to only send banking details on secure platforms,” concluded Schoeman.
Writer’s thoughts
As mentioned above, it is not enough to rely on one process; rather, add to the process through independent authentication AND ensure that your customers, when paying anything to you or under your instruction, are informed and authenticate back to you before making any payment. Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts at [email protected].