Cyber fraud is perhaps the biggest issue facing the financial sector today, but it is not limited to banking and finance: government reports show that four-fifths of the UK’s large businesses fell victim to a security breach last year.
Law enforcement agencies worldwide are struggling to respond to the overwhelming threat. It is easy to understand the public frustration at the low number of cyber criminals being brought to justice.
In response, we are seeing a trend of businesses considering both civil and criminal legal proceedings. A private prosecution can sometimes be the answer and is available to any victim of fraud. Private prosecutions can also run in parallel with civil proceedings in the UK. The same approach is a growing trend in some overseas jurisdictions.
However, private prosecutions should not be used as a tactical tool, but as a serious weapon. A private prosecution requires funding and the Director of Public Prosecutions (DPP) can take over the case and/or close it down. There is also the issue of confiscation, a complex area of law where recently the Supreme Court has been deciding how the Proceeds of Crime Act should be fairly and proportionately applied.
Some cyber crime law enforcement initiatives have also run into problems. The Action Fraud initiative was famously dubbed “No Further Action Fraud” by Stephen Greenhalgh, London’s deputy mayor for policing and crime. However, claims of an apparent “lack of appetite” by police officers to investigate cyber crime are, in my opinion, unfounded.
As someone who works closely with the police, as part of the City of London Crime Prevention Association and the City of London Safer City Partnership, I am able to say with some authority that there is huge enthusiasm within the police force to tackle cyber fraud.
For instance, last year the Metropolitan Police implemented Project Falcon, allocating more than 300 specialist police officers to the task of investigating and prosecuting cyber-related fraud. Earlier this month, the City Of London Police’s National Fraud Investigation Bureau, in partnership with the National Cyber Crime Unit, coordinated an intensive national action against cyber crime, which resulted in 57 arrests in just one week.
However, with the City of London Police estimating that last year more than one million incidents of online fraud went unreported, the financial services industry is arguably not as engaged with the battle as it could be.
Cyber crime is particularly difficult to investigate and prosecute because criminals have been allowed to prosper in what is an unregulated digital highway.
By that I mean anonymity is a powerful stealth weapon for criminals, a modern day cloak and dagger. Protecting the integrity of digital evidence and the speed in which it is gathered is pivotal to successfully prosecuting fraud. Often, the regional detectives investigating these crimes have neither the resources, nor the expertise, to gather evidence as quickly as is necessary.
It is through a partnership between business and law enforcement that we will turn the tide in the fight against cyber crime. It is important that businesses understand the role they must play in the prevention of cyber crime. Lawyers, in my view, are in the best position to bridge the gap between the business community and law enforcement.
However, with 85 per cent of cyber crime going unreported, it would seem that, instead of working with the authorities, some business sectors are choosing to turn a blind eye.
It may be that businesses are concerned with the effect that reporting security breaches may have on their reputation, and are choosing not to report crimes for commercial reasons. However, with the EU General Data Protection Regulation (GDPR) being adopted later this year and coming into force in 2017, they will soon have no choice but to report cyber breaches.
Under the GDPR, the obligation to report cyber breaches will become compulsory for financial services organisations and those that fail to manage these breaches in a responsible manner leave themselves open to the possibility of fines and sanctions.
Forward-thinking businesses will therefore soon be adopting a partnership approach to cyber risk management.
Don Randall is a senior consultant at Bivonas Law