Cyber crime is most associated with fraudsters taking money off ordinary gullible computer users, but now evidence has emerged that cyber crooks are shifting up a gear and lawyers, financial advisors and accountants have become the target of choice.
Those professionals involved in mergers, acquisitions and other business deals are most at risk, according to sources at Glasgow-based law and insurance expert Weightmans LLP.
As global cyber-crime rises, organisations which possess market-moving electronic data are being targeted with insider traders trying to gain information on businesses.
Weightmans say that the FIN4 attacks which recently came to light in the US have highlighted a major problem which could just as easily hit Scottish dealmakers.
FIN4 hackers found their way into the data banks of more than 100 organisations and companies on Wall Street, and as a result, data security has been tightened there, meaning the cyber criminals will look to other markets including Scotland.
The FIN4 techniques were pervasive and intrusive. Since mid-2013, FIN4 group has targeted large pharmaceutical companies and their advisors, embedding malicious code in emails to track discussions about merger activity.
Weightmans stated: “Since they were discovered, investigations have suggested that insider dealing has evolved. The sheer scale and sophistication of its evolution are frightening and the ability via such attacks to manipulate markets on a global scale is potentially apocalyptic.”
Seonaid Busby, a partner at Weightmans said: “Although this sounds like the plot of Hollywood’s next blockbuster, putting the hype to one side, the message for all professionals entrusted with confidential information by their clients is clear.
“They are effectively being asked to handle highly valuable assets. Think of them then as currency and make no mistake, they are vulnerable to theft.
“If someone loses a client’s money, they can expect to be sued; for some professionals, lawyers for example, regulatory sanction is also likely. Equally, therefore, you should expect the loss of a client’s information or data to be no exception to a similarly tough response.”
Yet according to Weightmans, professionals are not taking their exposure seriously enough.
Busby said: “Professional indemnity policies typically guard against any civil liability. As a result, many policyholders believe such cover ought to be wide enough to guard against cyber risks. In many cases though, this isn’t true.”
According to Weightmans, the scale of loss may well exceed the indemnity limits up to which most professionals insure. Secondly, while professional indemnity policies guard against liability to third parties, they are much less likely to protect the policyholder against first party losses.
In the event of a cyber-attack, these can be substantial and might include the costs of repairing damage to computer systems, business interruption, forensic investigation to identify where hackers gained entry, notifying clients that there has been a breach and their data may been compromised, PR to limit reputational harm and even extortion.
So should professionals suddenly rush out to buy a cyber-policy? Not according to Busby: “For a start, not all cyber policies are the same. The correct starting point is to profile the business activities, identifying the risks inherent in them and potential loss scenarios. That in turn should highlight any exposures, which can then be checked against the protection offered by the current insurance programme.
“At this point paying particular attention to policy wordings, identifying any gaps in cover, is vital. Do not limit the review to any professional indemnity policy either. It’s also important to consider whether cover might be available under any other policies, such as D&O (directors’ and officers’ liability insurance), property or fidelity.”
The Scottish Government is coordinating a national response to cyber crime and last night a Scottish Government spokesman said: “We’d urge Scottish businesses and the general public to remain vigilant to the threats and risks of cyber criminals on the internet.
“The Scottish Government is working closely with partners to reduce and minimise the threats from cyber-crime and to build the resilience of individuals, organisations and businesses to tackle the threats.
“We will be consulting on a new Cyber Resilient Strategy for Scotland later this year which aims to ensure that our infrastructure and people continue to be protected and that Scotland’s economy continues to reap the rewards of doing business online.”
Why are you making commenting on The National only available to subscribers?
We know there are thousands of National readers who want to debate, argue and go back and forth in the comments section of our stories. We’ve got the most informed readers in Scotland, asking each other the big questions about the future of our country.
Unfortunately, though, these important debates are being spoiled by a vocal minority of trolls who aren’t really interested in the issues, try to derail the conversations, register under fake names, and post vile abuse.
So that’s why we’ve decided to make the ability to comment only available to our paying subscribers. That way, all the trolls who post abuse on our website will have to pay if they want to join the debate – and risk a permanent ban from the account that they subscribe with.
The conversation will go back to what it should be about – people who care passionately about the issues, but disagree constructively on what we should do about them. Let’s get that debate started!
Callum Baird, Editor of The National
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here