Risk review 2015, risk forecast 2016
A review of the risk headlines which featured in the risk management column during 2015, and a look forward to 2016 with a forecast that cyber risk issues will dominate the risk agenda
So what were the issues that dominated this column during 2015? Some familiar themes, some encouraging trends, and some concerning developments too.
Along with the concerning developments covered later, more familiar areas of risk remain a consistent feature of risk management discussions and articles and continue to give rise to claims. The year in these articles both kicked off and concluded with familiar themes, the most commonly recurring claims and “back to basics” risk management.
In true turn of the year style, in his article “How did that claim arise?”, Tim Edward counted down his Top 10 most common types of claims, from his experience both as a member of the Pursuers’ Panel and as a Master Policy panel solicitor.
At number one he put failure to ensure clear definition of instructions by clarifying the scope of the engagement with the client. The resolution? “What you are agreeing to do for the client (and what you are not agreeing to do) should be specified clearly in the initial scope of engagement letter, and that should be updated if the scope changes.” No surprises there. Sounds very simple but, typical of new year’s resolutions, it requires discipline to ensure it is put into practice.
No surprises either in the December issue. Book-ending the year’s articles and themes, Linda Moir, of Master Policy lead insurers RSA, focused on claim defensibility: how your file can put you and the Master Policy insurers in the best possible position to resist unmeritorious claims. While her advice contains no surprises, it is well worth reminding ourselves of the fundamentals of effective record keeping and practical risk management in the conclusion to her article.
The number of Master Policy intimations is one of the key measurements and indicators of the success of the profession’s risk management. In Russell Lang’s article in May, reporting on our 2015 Annual Master Policy Report, it was pleasing to observe that the number of intimations has continued a sustained downward trend from a six-year high in 2011-12. That trend has been maintained during 2015.
While property/conveyancing continues to dominate the Master Policy claims experience, the number of intimations reduced again in 2015, mirroring the reduction in the experience of the Master Policy overall. As the experience of lender claims diminishes, the majority arise out of issues of title examination and reporting; clients’ instructions; anticipating risks and protecting clients’ interests – all familiar themes addressed by Tim Edward in January.
Tackling these issues should mean further improvement in the claims experience in 2016, and the article “How are we doing?” (September) encouraged property practitioners to use the property/conveyancing self-assessment questionnaire on the Marsh website to assess how effectively they are addressing these key areas of risk, and the fact that property solicitors and property transactions are a magnet for criminals targeting them with fake emails and fake payment instructions.
Growing areas of risk for the profession during 2015, and forecast to be an even more serious threat, are the related risk issues of frauds and scams, and cyber risk.
Frauds and scams
Various aspects of frauds and scams perpetrated on the profession were recurring themes in this column during 2015, and justifiably so. The ingenuity and determination of criminals, in devising ways of stealing client money, call for the highest level of awareness as well as consistent adherence to targeted risk controls.
Prior to 2012, identity theft crime was the key external fraud risk concern for the profession. More recently, external frauds and scams have increasingly involved combinations of cyber crime and social engineering fraud or con-tricks. In her article “Are you a cyber risk?” (February), Nada Jardaneh referred to “cyber attacks – on humans” and explained that the weakest link in all cyber security is people. Cyber attackers and fraudsters take advantage of this by using “social engineering”, basically tricking people into departing from normal security procedures. Using inside information gained in a variety of ways, including hacking our systems, criminals aim to win our trust and persuade us:
- to reveal password/PIN information for online banking;
- to act on emails providing fake bank transfer instructions.
During 2015, the profession was exposed to large numbers of attempted frauds of these types. Examples have been flagged in this column and in risk alerts issued by the Society and by Marsh. It is credit to the profession’s response to this threat that most frauds do not succeed and that the cost to the profession, and the Master Policy claims experience, has not been considerably greater.
Cyber attacks and fraud
2015 was a year in which cyber crime continued to hit the headlines. A Government report estimates that cyber crime cost the UK economy £27 billion in 2015. Worldwide, it’s reckoned that cyber crime may now be worth more than the drugs trade.
Solicitors continue to be targeted by cyber criminals. In his article “Unlucky Fridays?” (July), Michael Bluthner-Speight of Master Policy co-insurers Zurich, warned of the increased sophistication of the scams and attacks used by cyber criminals including:
- attacks using “ransomware”, which encrypt data and demand payment for it to be released back to the firm;
- using details gained from hacking the firm to impersonate a bank or client. This is often referred to as the “Friday afternoon scam”, as it regularly targets conveyancing firms at times when they are likely to be intromitting significant amounts of money;
- using information gained from hacking to impersonate the firm to clients, for example by modifying bank account details to steal money.
Risk management priorities for 2016
Since it is principally the data or the money held by them that makes law firms a target, no firm can safely assume that it is immune. It has been suggested that there are two categories of law firm, those which have experienced some form of cyber attack and those which don’t yet know they have suffered an attack.
According to the PwC annual law firm survey for 2015, 62% of law firms reported that they had suffered a security incident (up from 45% in 2014). The way we all do business means there are likely to be increasing opportunities for criminals.
In spite of the efforts of law enforcement, this is a risk which isn’t going away and the impact of cyber crime seems likely to increase in 2016.
While this all sounds very fatalistic, the fact is we can all make a big difference to the risks to our firms, even if they are targeted, if we keep our awareness of the risks up to date and follow these:
Resolve to implement the cyber risk and fraud risk controls, suggested in the articles in the February, July and August issues, including:
- never opening any suspicious email link or attachment;
- never disclosing banking passwords or PINs;
- always verifying new bank account details received by email.
Resolve to undertake risk awareness training, including:
- the e-learning modules “Information Security – managing the risks”, and “Frauds and Scams – increasing awareness”, both available free on the Marsh website for Scottish solicitors;
- the training course “Cyber security for Legal & Accountancy Professionals”.
Resolve to review the content of the cyber security section of the Marsh website, and to consider using the free Marsh cyber risk self-assessment tool to assess the impact of a cyber event on your firm as well as the effectiveness of your cyber risk controls.
Contact email@example.com if you need a reminder of your practice’s log-in details for the Marsh website for Scottish solicitors.
Alistair Sim and Marsh
Alistair Sim is a former solicitor in private practice, who works in the FinPro (Financial and Professional Risks) National Practice at Marsh, a global leader in insurance broking and risk management. To contact Alistair, please email firstname.lastname@example.org
The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.
Marsh Ltd is authorised and regulated by the Financial Conduct Authority.