25 January, 2018
Fraudsters are targeting confidential information held by businesses more than money, stock or other physical assets, a security consultancy has reported.
Kroll said that 29% of senior executives surveyed as part of its global fraud and risk report for 2017/18 said their company was defrauded of information in the last year. Slightly fewer respondents said their business had suffered theft of physical assets or stock, it said.
It is the first time since Kroll began reporting on fraud a decade ago that information fraud has been cited as more prevalent than cases of fraud by theft of physical assets or stock, the company said.
The Kroll report, seen by Out-Law.com, set out the results of a summer 2017 survey of 540 senior executives from businesses based around the world that operate in a variety of different sectors.
The report highlighted the growing cyber risk to businesses. According to it, 86% of the executives said their company had experienced a cyber incident or the theft, loss of or attack on information in the past 12 months. In addition, 70% of the survey respondents said there had been at least one security incident at their company in the last year.
Overall, 84% of businesses fell victim to at least one instance of fraud in the past year, according to the report.
Many businesses experienced financial and/or reputational damage as a result of fraud, Kroll said. Approximately two-thirds of the senior executives surveyed said their businesses experienced reputational damage where they experienced fraud or a cyber or security incident, while 23% of the respondents said that they believe their company lost at least 7% of revenue as a result of fraud in the past year.
Junior employees, former staff members and suppliers were cited as the most common perpetuators of fraud by survey participants.
Civil fraud and asset recovery expert Alan Sheeley of Pinsent Masons, the law firm behind Out-Law.com, said businesses need to consider their liabilities "at all levels" as a result of the changing nature of fraud.
"It may be obvious to commercial businesses to seek to enforce criminal sanctions against the perpetrators and to protect from future attacks, however, businesses, directors and senior managers must also take account of the potential civil liabilities which may arise against them, following a cyber fraud attack," Sheeley said.
Civil liabilities may arise, for example, from cases of fraud where a hacker steals customer information from company systems, emails those customers with false invoices under the pretence of the company and then collects the money deposited, he said.
"Close examination of any indemnity clause providing for the company to pay losses to the customer as a consequence of a breach of the contract, and any available exclusion clause, may be necessary," Sheeley said.
"It might also be argued that the company had a duty of care to ensure that the invoicing process did not fail, and it breached that duty of care by allowing the company’s system to be hacked. Much, of course will be determined by the facts concerning the nature of the relationship between the parties and the contractual documentation that is in place," he said.
Sheeley said that businesses that fail to keep personal data secure may also face liabilities under data protection laws, and could face further liabilities for breaches of the Supply of Goods and Services Act 1982. In addition, in some cases claims for a breach of directors' duties under the Companies Act 2006 could also be raised, he said.
"Faced with potential civil liability, businesses may wish to consider steps for recovery of the monies from the perpetrators of the fraud," Sheeley said. "The civil remedies available might include the issue of court proceedings against a fraudster in deceit, conspiracy, dishonest assistance, unjust enrichment and knowing receipt. More draconian and immediate measures such as obtaining search and seize orders, and freezing and Norwich Pharmacal orders may also be considered so as to prevent dissipation of assets by the fraudster."
"UK businesses and organisations must improve their ability to deal with cyber fraud attacks and prevention is, of course, central to mitigating the risk. However, when the worst happens, businesses and organisations should defer to an agreed response plan which should include engaging their legal advisors as soon as possible to advise on the potential liabilities they may face, as well as the options available to them to recover monies," he said.
For further information, please contact:
Alan Sheeley, Partner, Pinsent Masons
alan.sheeley@pinsentmasons.com