Cybercrime – minimising the risk
The continuing evolution of technology has enabled fraudsters to adapt, at an alarming pace, to take advantage of new and emerging cyber risks.
Action Fraud estimates that 70% of fraud is now "cyber enabled" and that the City of London Police is currently investigating "an estimated £600m in financial losses."
A cybercrime event has the potential to grind an operating business to a complete halt. A social landlord could lose data and, for those registered with the Homes and Communities Agency, face the risk of regulatory downgrade. Given the intrusive nature of a cybercrime attack, it is understandable that the reputational consequences should be at the forefront of a social landlord's mind.
Of course, the reputational impact is usually closely followed by some kind of financial consequence (in the form of business interruption costs, the cost of seeking professional advice and the payment of fines to regulators – to name a few). As the holders and distributors of public money, social landlords also often have an obligation to seek recovery of their financial losses, meaning that these additional costs may be unavoidable.
Social landlords are a particular target for cybercriminals because they hold large amounts of personal data which can be sold on and then used for fraudulent purposes. There is, therefore, often another class of victim to a cybercrime incident: the businesses and individuals who are affected by the leaking of the data (see, for example, the fallout of the Mossack Fonseca data leak). This heightens the risk of potential litigation against social landlords, as those businesses and individuals often seek to recover their own financial losses, which in turn increases a social landlord's potential cost of responding to an incident.
A social landlord is also at risk of breaching the Data Protection Act 1998. Whilst the current provisions allow the Information Commissioner's Office to impose a financial penalty (for example, TalkTalk was fined £400,000 in October 2016 for failing to prevent a cyber attack), the General Data Protection Regulation will go even further. Once implemented, a social landlord could be the subject of a maximum fine of €20 million or 4% of annual worldwide turnover (whichever is higher).
To minimise the risk of cybercrime, social landlords should consider:
- ensuring that they have sufficient insurance cover in place (with a view to minimising financial loss);
- reviewing and updating their internal IT and security measures;
- providing appropriate training to staff members on the risk of cybercrime; and
- preparing an emergency response plan to counteract a cyber attack.
Whilst external cybercrime is prevalent, social landlords are also at risk of internal cybercrime and fraud. As part of the battle against cybercrime, the Ministry of Justice is considering introducing a new corporate offence of "failing to prevent economic crime", which is likely to cover a range of offences, including fraud. If introduced, these changes will represent a significant expansion in corporate criminal liability and impose additional compliance burdens on social landlords.
Currently, corporate bodies can only be found liable for fraud in the UK if it can be proved that persons at executive or board level were "complicit" in the criminality, in this case the fraud. Many commentators believe, however, that the current proposals on failing to prevent economic crime will be modelled on Section 7 of the Bribery Act 2010. The Bribery Act provides that a corporate body will be guilty of a criminal offence if an associated person commits bribery, unless the corporate body can prove that it had "adequate procedures" in place to prevent such conduct. Under the Bribery Act, "associated persons" are widely defined and would include employees, group entities and suppliers.
"Adequate procedures" are not defined in the Act, but the Ministry of Justice has published guidance on what they might involve. Again, we would expect a similar approach to be adopted in relation to any new offence of failing to prevent economic crime. The guidance sets out the following six guiding principles that corporate bodies should have in mind when shaping and implementing an appropriate compliance programme:
- a detailed risk assessment;
- policies and procedures that are appropriate to the risks identified;
- demonstrable board level commitment and "tone from the top";
- the need for due diligence in relation to third parties;
- communication and training; and
- monitoring and review.
In addition, board members can also be held personally liable under the Bribery Act in circumstances where they "consented" or "connived" at an act of bribery. Neither "consented" nor "connived" is defined, but it is thought that there is a good chance that board members will be liable if they are aware that bribery is going on and do nothing to investigate or put a stop to it. It is important to bear in mind, therefore, that the introduction of the new offence could lead to a board member facing prison time if they failed to prevent fraud.
Should a fraud actually occur, social landlords will need to evidence the existence of robust systems and procedures in order to reduce or avoid liability. To do so, they should proactively undertake detailed risk assessments, prepare comprehensive policies and procedures and implement a tailored compliance programme which covers both fraud prevention and fraud response. Such a programme will inevitably need to include demonstrable board level engagement, training, due diligence and monitoring.
In summary, therefore, it is vital that organisations in the housing sector take the time to reflect on and address their potential economic crime (including cybercrime) exposure, so that robust systems and controls can be implemented, where possible, to minimise their potential economic, reputational and criminal liability.