Fraud and Cybersecurity
Cybersecurity of organizations
Commercial fraud is a scourge that is difficult to prevent and detect. The ubiquity of information technologies, the constant accumulation of data and the fact that discussions are increasingly virtual have created vulnerabilities that have allowed malicious organizations to diversify their fraudulent practices or have made those practices harder to prevent.
Cyber-risks essentially include all threats that exploit vulnerabilities inherent in technological environments or processes. The last ten years have witnessed the growth of organized cybercrime that has mounted attacks on several fronts: phishing, spear-phishing, network intrusions and social hacking, all aimed at hijacking and monetizing identities, personal information, corporate data or trade secrets, and perpetrating sophisticated frauds. Among the various scams that have emerged lately are the “CEO Scam” or “Business Email Compromise” involving fraudulent international transfers of funds.
As the old saying goes, “An ounce of prevention is worth a pound of cure.” An organization should therefore consider the following prevention strategies and review the following processes:
- Heightening awareness among company employees is essential in order to remind all staff members to be constantly vigilant and to use critical thinking in responding to any unusual request.
- Implementing internal control processes aimed at preventing fraud, including a provision for verifying that a request is legitimate, limited access to sensitive data, a framework for delegating authority in the case of money transfers, and a requirement for two signatures to approve any transfer over a certain amount.
- Consulting an in-house auditor or a key individual, such as in-house legal counsel, to validate the legitimacy of specific types of requests. Because of the nature of their duties, those people are already in an ideal position in their role as confidentiality watchdogs.
- A review of internal processes is fundamental, in terms of both financial governance and technology systems. An organization must endeavour to limit public disclosure of sensitive information, particularly on the Internet and social media, which have international reach.
- Consulting with legal advisors is crucial in order to properly structure mechanisms to be put in place for limiting risk exposure.
That being said, an organization that is a victim of fraud has legal remedies available to it for obtaining compensation or limiting the harm, as the case may be. Those remedies include the traditional applications for injunctions and seizures before judgment, which are familiar to civil law practitioners in Quebec. An injunction enables the organization against which the fraud was committed to obtain a court order or orders compelling or enjoining a specific act. A seizure before judgment can be used by an organization to seize an identified item or items of property if there is reason to fear that recovery of the debt would otherwise be jeopardized.
In addition, in order to identify the precise extent of the fraud and obtain and preserve the evidence that is needed in order to succeed at trial, or freeze the assets of the perpetrators of the fraud, lawyers can bring applications for what are described by the courts as “extraordinary” remedies or “nuclear weapons” of the civil law: Anton Piller, Mareva and Norwich orders.
In spite of the rising tide of fraud and embezzlement in Quebec society, we can see that our civil law is evolving and adapting, and offering victims remedies that are better suited to their needs.