Buying and selling a home can be stressful at the best of times, without the additional worry of disruption to any digital processes. There was understandable concern, then, when headlines in November referred to a major security breach affecting buyers and sellers using online estate agency Purplebricks.
The agency had advised its customers to use a firm of conveyancers, Premier Property Lawyers, and Premier's parent company Simplify Group suffered the cyber attack that led to the breach. Customers were reported to be unable to complete transactions and were being left in limbo.
In the months preceding the breach, COVID-19 restrictions and the stamp duty holiday had increased demand for digital transactions, including electronic conveyancing, or e-conveyancing. As a result of the breach, however, the process is now regarded as more vulnerable to cyber attack. But is it actually so risky?
E-conveyancing is a widely used process around the world. The New South Wales Government, for instance, provides this useful definition.
'Electronic conveyancing… is an efficient, accurate and secure way of conducting the settlement and lodgement stages of a conveyancing transaction. It replaces many of the paper and manual processes traditionally involved in property transactions.'
E-conveyancing 'allows lawyers, conveyancers, and financial institutions to interact and transact together online. Within the digital environment, information can automatically feed in from the original source and populate all documentation while the system cross-checks [it]. Documents are created, signed, and lodged within the online environment, and parties also complete all necessary steps to settle the transaction within that online environment.'
Both online and traditional estate agencies, along with their customers, depend on conveyancers to process transactions and liaise with various parties such as lenders, search companies and HM Land Registry. Like every other profession, conveyancing has become increasingly digitised and reliant on case management systems. It frequently uses digital tools to communicate with banks, other conveyancers and land registries, among others.
All such systems are vulnerable to cyber attacks in various forms. For example, many attackers aim to profit from direct ransom payments, or from selling data such as bank details or credit card information on the so-called dark web. These attacks can disrupt systems in different ways, and operations can be interrupted or stopped entirely for significant periods of time.
At a major cyber security conference in 2012, the then FBI director Robert Mueller said: 'I am convinced that there are only two types of company: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.'
Although his remarks are now a decade old, they are more relevant than ever. We all need to consider and enforce digital security with the same vigour as we have always done with physical premises. All professions must protect themselves and their customers from business interruption, financial loss and reputational damage.
The attack that affected Purplebricks' customers targeted part of the system that supports the overall homebuying and selling process, and was not specific to conveyancing. Such attacks are as likely to affect any other kind of firm or organisation providing services to consumers, businesses or government bodies.
For the broader built environment sector, the lesson from the Purplebricks incident is not to challenge the concept of e-conveyancing, or the models of digital estate agencies for that matter. Instead, we need to recognise the critical importance of securing and protecting our own IT systems and ensuring that other organisations on which we rely are taking similar measures.
In many respects, the built environment is not as digitally mature as other sectors. Consequently, the Purplebricks incident represents an early warning – if one were needed – that the sector must make data and system security integral to its everyday business.
Firms must have infrastructure and procedures in place to ensure that their own systems – and others they depend on – are protected. They also need to develop and test plans to minimise the disruption caused by any cyber attack, and manage communications with all affected parties and other stakeholders, including regulatory bodies where relevant.
Digital IDs to identify homebuyers and sellers, property packs to provide trusted information and other tools are already available to ensure that digitisation is less rather than more risky. Well-developed and well-governed IT systems, supported by well-trained staff, can and should make e-conveyancing as safe as conventional practice.
Related competencies include: Data management and Legal/regulatory compliance