By John Kunzler ,
31/03/2022 · 5 minutes read
There are approximately 1.2 million residential conveyancing Land Registry transactions per year in the UK, according to HM Revenue and Customs.
Based on Marsh’s experience, solicitor’s professional indemnity claims notified every year are estimated at under 20,000, less than half of which relate to conveyancing. This suggests that the conveyancing process is at least 99.9% reliable, with conveyancers doing an effective job, overall. The trouble is that 0.1% — or less — and the cost and risk that goes along with it.
Having worked through risks associated with right to buy, buyer-funded developments, ground rents, and Friday afternoon frauds, conveyancers face a new concern — the potential impact of ransomware attacks, and whether these will trigger cover under the Solicitors Regulatory Authority’s (SRA) Minimum Terms and Conditions policy. Accordingly, there have been calls for a wider uptake of cyber insurance to mitigate this risk. And while such policies are not necessarily a cure all, arguably, buying a cyber policy is a sensible step.
A firm accepting conveyancing instructions has control over ensuring the client is well advised, and minimising the risk that the firm is wrongly blamed for things that might go wrong. However, this raises the question of the firm’s duty in relation to achieving completion, especially in the face of ransomware attacks.
Law firms are not guarantors of the client’s transaction, but nor are they likely to be immune from criticism in every case, if delays occur due to a ransomware attack. However, to establish the extent of duty, breach, and reliance, the retainer — as set out in the engagement letter — and the firm’s disaster recovery processes are sensible places to start. Given the increase in ransomware attacks, it is advisable for law firms to inform clients about their risks to completion, particularly that:
While the focus of this article is residential conveyancing, other areas of conveyancing, such as commercial property work, may have specific vulnerabilities in relation to ransomware or service interruption. This is yet another reason to insist that retainer letters are sent in all cases and updated, as appropriate, to manage risk.
In addition, firms are recommended to ensure that their readiness and how they will recover and minimise the impact of an attack is an explicit part of their risk culture.
The risk that multiple completions may not take place due to a cyberattack is a real and significant threat to a business. Therefore, firms should consider ways to treat the risk, so that it is managed adequately. Reliance on insurance alone is inadequate. Firms are also advised to develop resilience by planning, modelling, and checking efficacy of processes to combat the risk.
Conveyancers who prepare now are likely to significantly improve their ability to cope with a crisis situation.
Answers are likely to vary, depending on the size and complexity of the business. Recording how the above questions are answered can help ensure proper consideration. It should also be noted that the SRA is entitled to ask for evidence of how the risk was managed, as part of its regulatory oversight role.
For many firms, a “playbook” setting out how incidents would be dealt with across the whole business, and with specific applications for different areas of practice/departments, may be sensible.
Time spent on these activities may feel like writing a fire safety plan and performing a drill with the hope that you never have to find out how effective the steps are in an actual attack. However, cyberattacks can have a very serious adverse impact upon businesses that are unprepared, making such preparation a worthwhile activity.
Marsh has reviewed cyber claims suffered by businesses and analysed common failures that played a part. With a view to helping clients reducing risk, we have produced a note on twelve key recommended controls. When an organisation implements the recommended controls, they will be better able to prevent, or be equipped to respond to, the majority of cyberattacks in a way that minimises their impact.
If you have any questions about cyber insurance, please contact your Marsh adviser.