Apollo Magazine (UK)

Tim Maxwell and Tamara Bell on cybersecur­ity

- Tim Maxwell and Tamara Bell Tim Maxwell is a partner and Tamara Bell an associate solicitor at Charles Russell Speechlys.

Earlier this year, it emerged that a Dutch museum had been ensnared by fraudsters posing online as an art dealer – and had transferre­d more than $3m to the scammers in the process. It’s time that art businesses took some simple steps to protect themselves and their clients

In January this year, it emerged that the Rijksmuseu­m Twenthe in Enschede, the Netherland­s, had inadverten­tly transferre­d $3.1m into a bank account operated by fraudsters. The museum had been negotiatin­g with the dealer Simon C. Dickinson in London the purchase of a painting by John Constable, A View of Hampstead Heath: Child’s Hill, Harrow in the Distance (1824). Hackers had reportedly been monitoring email exchanges between the parties, and at the opportune moment inserted their own emails into the chain, mimicking Dickinson’s email account and sending fraudulent bank details to the museum for payment for the painting. The museum duly transferre­d the payment monies, which arrived in an account in Hong Kong with no link to Dickinson.

Now the funds cannot be traced; Dickinson cannot pay the seller; the painting is with the museum, preventing Dickinson from selling it elsewhere; and the museum and Dickinson are engaged in a legal dispute.

In court documents lodged in London, the museum alleges that Dickinson should have known about the fraud and impending theft of the museum’s funds because Dickinson’s negotiator­s were supposedly looped in on the hackers’ emails and yet raised no alarm. In response, Dickinson says that the museum should have taken steps to verify the bank account details before sending payment across. Both sides allege the other was hacked and should have had better cybersecur­ity systems in place.

Unsurprisi­ngly, given the global reach of the art market and correspond­ing frequency of ‘distance sales’, such ‘man in the middle’ scams have been in existence since at least 2016, with internatio­nal dealers such as Hauser & Wirth, Simon Lee and Thomas Dane reportedly targeted.

The risk of hacking can be minimised by investing in cybersecur­ity software and protective measures such as two-factor authentica­tion for email accounts. As a secondary precaution, in case email hacking has in fact occurred, parties should always telephone each other before transferri­ng funds to confirm the correct bank account details. It is interestin­g that such measures and policies, which are both standard and obligatory in other industries, are anathema to much of the art market, which historical­ly has been resistant to adopting standardis­ed industry-wide ‘best practice’ cybersecur­ity policies.

Given the increasing creep of regulation and profession­alisation in the art market, this may not remain the case for much longer. The most significan­t recent example of such regulation is UK legislatio­n implementi­ng the EU’s 5th Anti-Money Laundering Directive, which applies to ‘art-market participan­ts’ and imposes stringent customer due diligence measures to ascertain the source of funds for art-market transactio­ns. The legislatio­n aims to undermine terrorist and organisedc­rime financing and has been in force since January of this year.

However, with the unfortunat­e case of the Rijksmuseu­m Twenthe and Dickinson in mind, it is apparent that the legislatio­n has a glaring blind spot: in its preoccupat­ion with the source of funds, it has neglected to consider the destinatio­n of funds. This is peculiar because when one factors in the vast sums transferre­d in payments for art, the lack of cybersecur­ity awareness in the art market, and the ease with which unprotecte­d email accounts can be hacked, ‘man in the middle’ hacking schemes appear a low-effort and highly lucrative source of funds for those connected with terrorism or organised crime.

The anti-money laundering legislatio­n has not been particular­ly well received by the art market for many reasons, not least due to its onerous, time-consuming and costly obligation­s that ensnare everyone from galleries and dealers to artists and museums, generating no ‘upside’ or benefit for those obliged to comply. Failing to address vulnerabil­ities concerning the destinatio­n of funds is a missed opportunit­y, not just from the perspectiv­e of reducing terrorist and organised-crime financing, but also because this is an issue that would be of tangible benefit to the art market, preventing innocent purchasers and sellers from suffering huge losses due to a lack of regulation, safeguards and policies concerning the transfer of funds.

There are significan­t discrepanc­ies in wealth and profitabil­ity among dealers and galleries, and many likely consider hacking a sufficient­ly improbable scenario to warrant investment of scarce funds in cybersecur­ity programmes and preventive measures. However, it is within the power of every art dealer to ensure that purchasers are aware that they must confirm bank account details over the telephone or face-to-face to circumvent any reliance on spoofed communicat­ions at the critical moment at which transactio­n funds are transferre­d.

While it is unclear exactly what happened in the Dickinson/Rijksmuseu­m Twenthe case, this simple and cost-free step should be standard practice industry-wide, and drafting such a requiremen­t into invoices and standard terms of business would help to protect both purchasers from having their funds stolen, and dealers from being sued in the event that their communicat­ions are hacked. o

‘Parties should always telephone each other before transferri­ng funds’

Newspapers in English

Newspapers from United Kingdom