Ransomware risk: Steps to mitigate cyber fraud in residential conveyancing

The potential impact of ransomware attacks remains a major concern for conveyancers. What steps are needed to mitigate this risk?

There are approximately 1.2 million residential conveyancing Land Registry transactions per year in the UK, according to HM Revenue and Customs.

Based on Marsh’s experience, solicitors’ professional indemnity claims notified every year are estimated at under 20,000, less than half of which relate to conveyancing. This suggests that the conveyancing process is at least 99.9% reliable, with conveyancers doing an effective job, overall. The trouble is that 0.1% — or less — and the cost and risk that go along with it.

Having worked through risks associated with right to buy, buyer-funded developments, ground rents, and Friday afternoon frauds, conveyancers face a new concern — the potential impact of ransomware attacks, and whether these will trigger cover under the Solicitors Regulation Authority’s (SRA) Minimum Terms and Conditions policy. Accordingly, there have been calls for a wider uptake of cyber insurance to mitigate this risk. And while such policies are not necessarily a cure-all, arguably, buying a cyber policy is a sensible step.

Importance of the retainer

A firm accepting conveyancing instructions has control over ensuring the client is well advised, and minimising the risk that the firm is wrongly blamed for things that might go wrong. However, this raises the question of the firm’s duty in relation to achieving completion, especially in the face of ransomware attacks.

Law firms are not guarantors of the client’s transaction, but nor are they likely to be immune from criticism in every case, if delays occur due to a ransomware attack. However, to establish the extent of duty, breach, and reliance, the retainer — as set out in the engagement letter — and the firm’s disaster recovery processes are sensible places to start. Given the increase in ransomware attacks, it is advisable for law firms to inform clients about their risks to completion, particularly that:

  • There could be delays due to cyber incidents that may not be the firm’s responsibility. For example, there could be interruption to service, following a cyber event.  
  • If an incident occurs, the firm has procedures to ensure continuity, and provided they are reasonable, any delays in service that prevent completion may not necessarily be the firm’s legal responsibility.
  • The firm will do what it reasonably can to ensure completions occur as scheduled, but it does not guarantee that they will take place.
  • Insurance is available in relation to delayed and failed completion, and it is recommended that clients consider obtaining such protection, especially given the risk that any party in a conveyancing chain may become unable to complete at short notice.

While the focus of this article is residential conveyancing, other areas of conveyancing, such as commercial property work, may have specific vulnerabilities in relation to ransomware or service interruption. This is yet another reason to insist that retainer letters are sent in all cases and updated, as appropriate, to manage risk.

Building resilience

In addition, firms are recommended to make their readiness for an attack, and how they will recover from it and minimise its impact, an explicit part of their risk culture.

The risk that multiple completions may not take place due to a cyberattack is a real and significant threat to a business. Therefore, firms should consider ways to treat the risk, so that it is managed adequately. Reliance on insurance alone is inadequate. Firms are also advised to develop resilience by planning, modelling, and checking the efficacy of processes to combat the risk.

Conveyancers are recommended to:
  • Test backups for Land Registry and banking access.  
  • Ensure availability of key documents for completion, and alternative methods for completion, perhaps even in person.

Conveyancers who prepare now are likely to significantly improve their ability to cope with a crisis situation.

Law firms are recommended to consider:
  • How to stay abreast of emerging and changing hazards, including the risk of ransomware attacks.
  • Actions that need to be taken as a result of sensing changes in risk.
  • Whether processes to decide on a response are adequate.
  • How the adequacy of the response can be tested and monitored.

Answers are likely to vary, depending on the size and complexity of the business. Recording how the above questions are answered can help ensure proper consideration. It should also be noted that the SRA is entitled to ask for evidence of how the risk was managed, as part of its regulatory oversight role.

For many firms, a “playbook” setting out how incidents would be dealt with across the whole business, and with specific applications for different areas of practice/departments, may be sensible.

Time spent on these activities may feel like writing a fire safety plan and performing a drill with the hope that you never have to find out how effective the steps are in an actual attack. However, cyberattacks can have a very serious adverse impact upon businesses that are unprepared, making such preparation a worthwhile activity.  

Marsh has reviewed cyber claims suffered by businesses and analysed common failures that played a part. With a view to helping clients reduce risk, we have produced a note on twelve key recommended controls. When an organisation implements the recommended controls, it will be better able to prevent, or be equipped to respond to, the majority of cyberattacks in a way that minimises their impact.

If you have any questions about cyber insurance, please contact your Marsh adviser.