It’s high time art businesses beefed up their cybersecurity

In January this year, it emerged that the Rijksmuseum Twenthe in Enschede, the Netherlands, had inadvertently transferred $3.1m into a bank account operated by fraudsters. The museum had been negotiating with the dealer Simon C. Dickinson in London the purchase of a painting by John Constable, A View of Hampstead Heath: Child’s Hill, Harrow in the Distance (1824). Hackers had reportedly been monitoring email exchanges between the parties, and at the opportune moment inserted their own emails into the chain, mimicking Dickinson’s email account and sending fraudulent bank details to the museum for payment for the painting. The museum duly transferred the payment monies, which arrived in an account in Hong Kong with no link to Dickinson.

Now the funds cannot be traced; Dickinson cannot pay the seller; the painting is with the museum, preventing Dickinson from selling it elsewhere; and the museum and Dickinson are engaged in a legal dispute.

In court documents lodged in London, the museum alleges that Dickinson should have known about the fraud and impending theft of the museum’s funds because Dickinson’s negotiators were supposedly looped in on the hackers’ emails and yet raised no alarm. In response, Dickinson says that the museum should have taken steps to verify the bank account details before sending payment across. Both sides allege the other was hacked and should have had better cybersecurity systems in place.

Unsurprisingly, given the global reach of the art market and corresponding frequency of ‘distance sales’, such ‘man in the middle’ scams have been in existence since at least 2016, with international dealers such as Hauser & Wirth, Simon Lee and Thomas Dane reportedly targeted.

The risk of hacking can be minimised by investing in cybersecurity software and protective measures such as two-factor authentication for email accounts. As a secondary precaution, in case email hacking has in fact occurred, parties should always telephone each other before transferring funds to confirm the correct bank account details. It is interesting that such measures and policies, which are both standard and obligatory in other industries, are anathema to much of the art market, which historically has been resistant to adopting standardised industry-wide ‘best practice’ cybersecurity policies.

Given the increasing creep of regulation and professionalisation in the art market, this may not remain the case for much longer. The most significant recent example of such regulation is UK legislation implementing the EU’s 5th Anti-Money Laundering Directive, which applies to ‘art-market participants’ and imposes stringent customer due diligence measures to ascertain the source of funds for art-market transactions. The legislation aims to undermine terrorist and organised-crime financing and has been in force since January of this year.

The Rijksmuseum Twenthe in Enschede. Photo: Berteun Damman (Wikimedia Commons/Public Domain)

However, with the unfortunate case of the Rijksmuseum Twenthe and Dickinson in mind, it is apparent that the legislation has a glaring blind spot: in its preoccupation with the source of funds, it has neglected to consider the destination of funds. This is peculiar because when one factors in the vast sums transferred in payments for art, the lack of cybersecurity awareness in the art market, and the ease with which unprotected email accounts can be hacked, ‘man in the middle’ hacking schemes appear a low-effort and highly lucrative source of funds for those connected with terrorism or organised crime.

The anti-money laundering legislation has not been particularly well received by the art market for many reasons, not least due to its onerous, time-consuming and costly obligations that ensnare everyone from galleries and dealers to artists and museums, generating no ‘upside’ or benefit for those obliged to comply. Failing to address vulnerabilities concerning the destination of funds is a missed opportunity, not just from the perspective of reducing terrorist and organised-crime financing, but also because this is an issue that would be of tangible benefit to the art market, preventing innocent purchasers and sellers from suffering huge losses due to a lack of regulation, safeguards and policies concerning the transfer of funds.

There are significant discrepancies in wealth and profitability among dealers and galleries, and many likely consider hacking a sufficiently improbable scenario to warrant investment of scarce funds in cybersecurity programmes and preventive measures. However, it is within the power of every art dealer to ensure that purchasers are aware that they must confirm bank account details over the telephone or face-to-face to circumvent any reliance on spoofed communications at the critical moment at which transaction funds are transferred.

While it is unclear exactly what happened in the Dickinson/Rijksmuseum Twenthe case, this simple and cost-free step should be standard practice industry-wide, and drafting such a requirement into invoices and standard terms of business would help to protect both purchasers from having their funds stolen, and dealers from being sued in the event that their communications are hacked.

Tim Maxwell is a partner and Tamara Bell an associate solicitor at Charles Russell Speechlys.

From the April 2020 issue of Apollo. Preview and subscribe here.