Cyber-crime – ‘You’ve been hacked!’

Cyber crime is becoming too common to ignore and every agent is a potential target. But what can you do? Richard Reed talks to experts who deal with it every day.

Hacking image

You arrive at the office bright and early after the Christmas break, sit down at your computer and casually hit the power button. That’s when the nightmare starts. You’re gripped with fear as you read the message that flashes up on screen: “You’ve been hacked. Your computer systems are frozen until you pay £500,000 in Bitcoin. Unless you pay this ransom within five days, all your client account information will be sold to the highest bidder.”

Your legs turn to jelly as you consider the possible consequences – rental payments that could be compromised; completions that won’t take place; the leaking of confidential client information, the potential fines that could follow… The loss of reputation, the legal costs… it doesn’t bear thinking about.

You phone your IT provider, but a few hours later you are no further on. He’s had a look, but says he can’t help you – you need a cyber security expert.

In a panic, you phone your insurance broker. “We’ve got cyber cover, haven’t we?” “I’m afraid not,” she says.

Deep down inside, there’s a gut-wrenching fear that this could be the end of your This is the scenario being played out all too frequently across an industry that is surprisingly complacent about protecting itself from cyber attacks. Just a few weeks ago, hundreds of property sales were left in limbo after conveyancing tech firm CTS was hit by a cyber incident, in an apparent carbon copy of an attack on conveyancer Simplify in 2021.

There have been many more attacks that have gone unreported as firms scramble to keep information out of the media in a bid to protect their reputation. Research released by insurer Hiscox in October found the property industry was the most at risk from cyber attacks, while 53% of businesses in all sectors had experienced an attack over the past year – up from 48% in 2022.

Despite the figures, it’s a risk that many estate agents are still complacent about, according to Oliver Wharmby, Client Director at cyber specialist Mint Insurance Brokers. “Ten to 15 years ago it was financial services that was being targeted, but everyone has tightened up in the regulated sector. Estate agents are not regulated so they are left to their own devices when it comes to cyber security, and I think a lot of them have got their heads in the sand, and don’t quite appreciate the risks that they face,” he explains.

I think a lot of them have go their heads in the sand. Oliver Wharmby, Mint Insurance Brokers.

“A lot of them have really quite old security systems – they are not updating them, they are not updating passwords, they don’t have multi-factor authentication.

“We run risk assessments all the time for our policyholders, a simple non-invasive scan of their domain, and it highlights vulnerabilities. You would be absolutely amazed – some of these risk assessments we are getting back for quite well-established companies are showing major gaps in their IT. That means that at any given moment, they could be shut down.” Estate agents are not regulated so they are left to their own devices when it comes to cyber security.

Targeting data

Natasha Barrow Arthur J GallagherNatasha Barrow, Head of Affinities at broker Arthur J Gallagher, agrees. “It is a risk that is becoming more important for organisations, as we live in a world where cyber-related incidents are common,” she says. “Cyber criminals are constantly evolving their means of attack and therefore all businesses must have preventative measures in place as well as a robust incident response plan.

Cyber criminals are constantly evolving their means of attack and so all businesses must have preventative measures in place as well as a robust incident response plan. Natasha Barrow, Arthur J Gallagher.

“While businesses cannot prepare for every eventuality, they can increase protection against cyber exposure by monitoring and strengthening their digital defences. In addition, it is vital that a business keep employees up to speed with cybersecurity training as we know that one of the biggest threats to any organisation’s cyber security is human error, which equates to 95% of all data breaches.”

Wharmby stresses that it’s important for agents to understand that they are being targeted because of the data they hold. “They hold some quite sensitive data like passport numbers, bank account details, address details, contact names, phone numbers. They may have alarm system codes, details around proof of funds. That is quite sensitive information. They are holding onto all that information and it may not be secure, it may not be encrypted.”

He says that having cyber insurance in place can literally be the difference between your business surviving an attack or going under.

“If they get hacked and they ring up and say, ‘Have we got cyber?’ and we say ‘No’, they are stuffed,” he warns. “We had a client who was down for two weeks, and as they were using internet calls – VOIP – they couldn’t even make or receive calls; they had no access to their IT systems; they were shut down, basically.

You can’t trade, you can’t complete property transactions and you’re reliant on a forensic engineer to get your business back up and running.

“You’ll have an ICO investigation, you may have an ICO fine if your cyber security is not adequate, you may then have a third-party claim from anyone where you have not protected their confidential information properly.

“While you are juggling all that, your business is shut down, you can’t trade, you can’t complete property transactions, you can’t manage portfolios and you’re wholly reliant on a forensic engineer to get your business back up and running. If they can’t, are you going to pay a ransom? We know some big corporates recently have paid ransoms – very meaningful numbers.

“You need to know that on a Monday morning, when your emails are down and your screen is flashing ‘You’ve been hacked’, that you can pick up the phone and within a matter of minutes you’ve got a forensic team parachuting in their experts to sort you out.”

Natasha Barrow points out that the Information Commissioner’s Office (ICO) can impose fines of up to £17.5m or 4% of a business’s annual turnover for a serious breach, meaning the financial impact of cyber attacks could prove substantial to estate agents, especially if they are relatively small. As well as experiencing a loss of income through fines, businesses could also face additional costs such as legal fees.

“As well as the direct financial implications, cyber events carry a reputational risk which could prove costly and time consuming,” she says.

“Along with reviewing digital defences and staff training, it’s important to have a response plan in the event of an attack or outage. We work with clients to put this in place so that all employees know what to do if an incident occurs. This can prevent delays in fixing the problem and help with mitigating any potential further damage.”

Huge legal costs

Levi Redman Hamilton FraserLevi Redman, Commercial Account Handler at Hamilton Fraser, says many agents are totally unprepared. “There is still quite a lack of awareness of knowledge of the need for cyber and data insurance,” he observes. “A lot of agents don’t have cover in place, unfortunately. The legal costs alone can be massive with things like this.

The hackers might be able to access personal data on some of their clients, and they might potentially have to pay compensation to the victims. There may be fines as well. Levi Redman, Hamilton Fraser.

“The risk of cyber attack has multiplied over the years – it’s something that is becoming more and more prevalent – a lot of people assume it’s just the big companies it happens to. Of course, you only hear about the big companies as they are newsworthy, but a lot of them target smaller companies quite regularly and you just don’t hear about it.”

He warns that simply being unable to use their computers for a few days can be a hammer blow for firms.

“The hacker might have caused some damage or corrupted the computer systems and programs, there are all sorts of costs that might come into it,” he explains. “Then there is the extortion, which is going to be the main factor in the ransom demand.

“Costs can start to build up when you consider other things they may have to pay out for – the hackers might be able to access personal data on some of their clients, and they might potentially have to pay compensation to the victims. There may be fines that come with that as well, depending on the breach and whether they were as well protected as they should have been.”

He says that firms that don’t have cyber cover in place are playing with fire. “It could easily be the end of any business if they experience a cyber attack,” he states.

How insurance helps

Natasha Barrow says cyber cover can help manage a cyber incident in a number of ways, including:

  • Legal services to support with the legal and regulatory consequences
  • Digital forensics and incident response to help determine the existence, cause and scope of the incident on the affected computer system and help ensure the cyber-criminal no longer has access to the IT systems
  • Ransomware negotiations, notifications to affected 3rd parties, a specialist team to help notify and protect the customers, suppliers and stakeholders that may have been impacted by the breach
  • PR and crisis management guidance to help manage the business reputation during and after an incident.
Security protocols

Both Oliver Wharmby and Levi Redman stress that firms will be expected to have protocols in place to help prevent potential attacks – and that if you fail to do so, you could be left uninsured. “If they haven’t answered those questions truthfully or they haven’t lived up to their responsibilities, then obviously they have the real risk of not having a claim paid out,” says Redman. “Those assumptions would be things from the basics [eg strong, secure passwords] to having encryption on all your computers, laptops and USB sticks – anything that holds or processes personal data; that you back up your data weekly off-site; and that you have anti-virus software in place and regularly apply updates.”

Wharmby agrees that insurers will expect you to meet minimum requirements in terms of security, and unless you satisfy those you won’t even get cyber cover from the specialist insurers he deals with.

“But it’s in your interest to meet those requirements because it’s your business at the end of the day,” he explains.

“I always say to clients, ‘If you had a vintage car you would take it to a specialist mechanic who understands it; so it gets properly looked after. Why would you not do the same for your business? It’s your livelihood and it’s keeping a roof over your head, why would you not make sure you are protecting it with proper cyber security systems and cyber insurance.”


Oliver Wharmby gets inside the heads of cyber criminals

“People are complacent – staff are probably going to be buying Amazon orders and looking at eBay on their work systems, and they are likely to get emails coming through. They will click on a link and inadvertently allow third-party access.

Oliver Wharmby Mint Insurance Brokers
Oliver Wharmby

Once they have gained entry to your systems, the hackers will probably sit there for months, if they can, until proper password updates take place. And even then they can still get in – if they want to get in, they will get in.

They will typically hold you to ransom on a Wednesday and give you 24 or 48 hours to pay a ransom.

They will typically familiarise themselves with the day-to-day operations, who has got authority, who is in accounts, who is signing off payments, who the third-party contractors are, what the busy periods are.

Typically, they are quite strategic in the way they hold agents to ransom – they tend to know that Friday is an important day in the sales sector, being completion day, and the end of the month is quite an important day as well – you’ve got payday, if you can’t pay your staff they are going to shut you down.

They will typically hold you to ransom on a Wednesday and give you 24 or 48 hours to pay a ransom, otherwise they will threaten to send emails out to your database. Emails will get sent to tenants, saying, ‘We have changed our bank details, please pay your rent into the following account’.

These are emails that are sent from your firm’s email address – because they have been hacked they are able to send emails from the company’s server. The disclaimer on the bottom will even say ‘Please beware of cyber threats, don’t make payments unless you are absolutely sure of the authenticity of the email’. The tenant has no reason to believe they are not genuine.

The hackers know full well that businesses will be shut down over the Christmas period and they are tactically going after companies while they are shut down to cause maximum damage and cover as much ground as they can while the businesses are dormant.

They will be downloading email inboxes without you knowing, they will be going into sensitive files and taking data, and then they will hold you to ransom.

They are criminals, these guys, and no-one is catching them – they operate in lawless territories and they are very, very clever, organised gangs that have access to lots of sophisticated tools and kit, and they’ve been doing it for a long time now. They are working with teams of people that are incentivised and motivated. We are not talking about a 17-year-old guy in his bedroom at his parents’ home anymore.


(inc Hamilton Fraser standalone policy)

Hamilton Fraser add-on policy – £140 for £100,000 of cover; cover also available up to £1 million.
Mint – a typical standalone policy will cost £500 for a business with £500,000 of income.

What's your opinion?

Back to top button