Prior to the pandemic, online sales represented a small slice of the overall art market pie: According to the most recent Hiscox report
, in 2019, online transactions made up a mere 7.5% of the market’s $64.1 billion in sales. COVID-19, however, has forced the once-reluctant industry to rely much more heavily on online sales, with galleries rushing to develop online viewing rooms
in lieu of in-person shows and major fairs and auction houses going either entirely virtual
or, in recent months, opting for hybrid events
. According to a report
by economist Clare McAndrew from this past September, online sales accounted for 37% of gallery sales in the first half of 2020—a huge leap from 10% of all 2019 sales.
Unprecedented circumstances have engendered a new willingness to buy and sell art online, but collectors and dealers ought to be aware of the risks that come with online transactions. “Everyone is selling online, including artists, collectors, auction houses, galleries, dealers, and even art stores—each has its own unique exposures to fraud,” explained William Fleischer, president at Art Insurance Now. In order to help mitigate that risk or, at the very least, protect from potential losses, collectors would do well to make sure their seller has a thorough cyber insurance policy. “What’s increasingly happening is that when you buy a cyber policy, you have to meet certain conditions and observe a certain amount of due diligence,” said Robert Read, head of art and private clients at Hiscox. The firm began developing its cybersecurity department about 10 years ago, as breaches became more and more prevalent. “We read about it every day; people’s systems crash or they get hacked,” Read continued.
According to both Read and Fleisher, a good cybersecurity policy will ensure that a seller has followed the necessary steps to protect themselves from a possible breach
. This includes having software that protects against system breaches, firewalls, and backup servers. This, however, doesn’t account for everything. Cyber insurance policies kick in when, despite all the due diligence paid, systems are compromised. “Everyone is going to get hacked at some point—it’s how you protect yourself after the fact” that matters, said Read.
For collectors, this means being both careful and thorough
in any online interaction with a potential seller. “The more you inform yourself, the better; you can never do too much research or ask too many questions,” said Fleischer. “Be sure to check if your policy addresses your requirements like online transit coverage, method of valuation at time of loss calculations, or covering your art inventory on and off the premises.”
Policies can also vary greatly depending on specific legal jurisdictions. New York State, for example, is one of several states in the U.S. that recently passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires all employers to have a plan for preventing security breaches in their computers, networks, and associated vendor accounts. This means cyber insurance policies in New York State needn’t be as stringent.
Both Read and Fleischer stressed that while having a comprehensive cyber insurance policy is helpful, the field is still nascent. “It’s a continuous cat-and-mouse game, as the criminal activity continues to evolve and dealers and collectors find new solutions to deal with it,” said Read. Still, there are many ways collectors can ensure that they aren’t liable for any losses when it comes to hacks or online fraud.
“When it comes to cybersecurity, confirm if there is security in place, preventing attacks; if the second or third party provides software against breaches to their system; if there are approved certificates on their website; and if they have a separate bank wire account for just purchases,” Fleischer advised. “Be sure to have firewalls on your computer and verify before opening embedded links by looking at the URL where it is coming from. When in doubt, don’t click.”
This past January, emails between the Netherlands-based museum Rijksmuseum Twenthe and the London- and New York–based gallery Dickinson
by cybercriminals who posed as Dickinson during the sale of a
painting. The hackers convinced the museum to deposit £2.4 million ($3.1 million) into a fraudulent account, ostensibly in payment for the work. According to Rijksmuseum Twenthe, the museum had done its due diligence in ensuring their systems and vulnerabilities were secure and up to date; therefore, Dickinson was liable for the loss. Dickinson’s lawyer, meanwhile, argued that the museum should have verified the details of the account before sending the payment.
The courts ended up ruling against the museum’s claim for damages; however, Rijksmuseum Twenthe is currently still in possession of the painting despite Dickinson having received no payment for the work. This is a case study in why cybersecurity insurance is so necessary—particularly as online art transactions continue to surge due to COVID-19. Despite the fact that both parties claimed to have taken all the right precautions, they were still vulnerable.
“One of the most popular forms of fraud lately is someone impersonating someone saying the payment has been sent to the wrong bank,” said Read, explaining that the type of fraud the Rijksmuseum Twenthe experienced is found in almost every sector, from art purchases to college loan payments. “The simple solution is that before you make any payment, if it’s to a new party, you should ring up and check to confirm where your money is going. We always double-check where the payment is going.”
While these security measures are enough to keep basic cyberattacks at bay, their efficacy may be limited. As cybercriminals become more and more sophisticated, insurance companies are forced to adapt and update their policies accordingly. “How to assess who’s at fault in the case of online fraud will continue to evolve as the landscape changes,” Read continued. “Ten years ago, it would have been unthinkable to have people double-check bank account details, but now we do.”
The good news is that as these cyberattacks become more and more commonplace, so too are the number of art insurers who carry cyber policies. At the end of the day, it’s up to individual parties to ensure that their transactions are protected from unexpected—and arguably inevitable—attacks.