Cyber crime

BEC Attacks and the Law: Can You Be Liable?

Niek Dekker

If your organisation is subjected to a Business Email Compromise (BEC) attack, coming to terms with the theft may be just the beginning of your woes.

If you have been the victim of a BEC attack because someone within your own organisation, such as the CEO or CFO, was impersonated, you could find yourself facing a lawsuit from an aggrieved third party.

If a BEC attack leaves you short of funds and unable to meet your financial obligations, those to whom you owe money may have grounds to sue you for negligence.

Delayed payments on your part may cause others significant harm. It may result in them being unable to meet their financial obligations to pay their suppliers, creditors, staff or others. Consequently, they may seek compensation for disrupted business operations and other losses which could take years to recoup.

Being able to show that your organisation took adequate steps to mitigate the risk of a BEC attack will be key to demonstrating that you have not been negligent.

BEC attacks and the law.

Whilst lawsuits stemming from BEC attacks are not yet commonplace in Australia, that may soon begin to change. In other jurisdictions such lawsuits are occurring with increasing frequency. In the United States, negligence is included in approximately 95% of data breach class actions.

In 2016, an investment fund, Tillage Commodities Fund, sued the technology company SS&C Technologies. SS&C had been contracted by Tillage to execute wire transfers related to the fund’s operations, including investor redemptions and bill payments.

In the lawsuit, Tillage claimed SS&C had processed payments to fraudsters totalling $6 million following receipt of a series of six scam emails purporting to be redemption requests on behalf of Tillage investors. As a result of the theft, Tillage claimed it faced massive losses, forcing it to temporarily take its operations offline.

Importantly, Tillage claimed that SS&C staff had been negligent in failing to verify that the redemption requests were authentic and that the bank accounts to which they sent the funds actually belonged to Tillage investors.

Could Australian organisations be found negligent?

Negligence lawsuits stemming from cyber incidents face a number of significant hurdles in Australia, where the courts have traditionally been reluctant to award compensation in such claims, particularly if the act occurred unintentionally.

In general, for Australian courts to award damages for negligence, the plaintiff would need to prove that they suffered harm as a consequence of the defendant’s actions. They would need to demonstrate that the defendant’s breach of duty caused the harm and that there were no other intervening events. In short, it must be clear that the plaintiff would not have suffered the harm ‘but for’ the actions of the defendant.

There’s no room for complacency.

Despite the hurdles that negligence lawsuits face in Australia, a court may determine that your organisation has been in breach of its duty to take adequate measures to mitigate the risks of BEC attacks.

To reduce the likelihood that a court will find your organisation negligent, you need to be able to demonstrate that you have taken reasonable steps to avoid a BEC attack.

Some of the measures you should be taking to limit your exposure to lawsuits include:

  • Keep yourself informed of the risks posed by BEC attacks, and keep records that show you have done so.
  • Acquire expert IT or cyber security advice about securing your network and email applications.
  • Implement email authentication controls such as DMARC (which builds on SPF and DKIM) so that attackers cannot easily spoof your own domain, and check that the policy is actually enforced rather than left in monitoring mode.
  • Establish training and awareness programs so your employees understand the risks associated with email, in particular urgent payment requests and changes to supplier bank details.
  • Have controls in place to verify payee bank account details, and any change to them, with the intended recipient through an independent channel (for example a phone call to a number you already hold, not one supplied in the email) before the funds are sent.
  • Establish strong segregation of duties within your Accounts Payable team so payment details can always be cross-checked by a second person.

Finally, a platform like eftsure can help you limit the risks of BEC attacks by cross-referencing the payments you make with a database of verified bank account details. Our fully integrated platform will clearly highlight to you any suspect payments, allowing your accounting team to undertake further checks before clicking “send.”

If you implement the suite of measures outlined above, you will be far better placed to defend against a negligence lawsuit in the event of a BEC attack.

Contact eftsure today for a demonstration of the ways our platform can help your organisation stay secure.

NOTE: None of the information contained in this content constitutes legal advice. It is for general informational purposes only.
