Organisations involved in commercial transactions, contracts, agreements or related activities need to be able to trust any communication sent in relation to that activity. That means being confident that a document sent electronically has not been altered in transit, that the sender can be reliably identified, and that the document is handled with the appropriate level of security.
Trust in business is key and can be strengthened by the use of electronic signatures: a well-implemented signature proves the origin of a communication or document and shows whether it has been altered since signing. Note that a signature on its own does not keep a message confidential; confidentiality requires encryption of the message or the channel in addition to the signature.
Electronic signatures deliver a way to sign documents online, much as you would sign a document with a pen on paper. They come in many forms, and are commonly divided into three groups:
Electronic signatures are only as secure as the organisational processes and technology used to create them.
High value transactions need better quality electronic signatures – signatures used for these transactions need to be more securely linked to the owner in order to provide the level of assurance needed and to ensure trust in the underlying system.
When considering a move from wet signatures to electronic signatures (e-signatures / e-sigs), the first step is to review all signing processes and decide which documents and transactions are suitable for e-signature.
Some will be excluded outright because of legal requirements regarding witnessing or other aspects of the legal process; the remainder should be evaluated to establish which transactions or documents would be classed as higher risk if they became subject to e-signatures.
The organisation will need to agree criteria for higher risk documents. At present all e-signatures are admissible in the UK, so if there is a dispute it is likely to come down to the individual court to establish a degree of confidence in the authenticity of the e-sig. A scanned image of a signature may therefore carry very little weight, whereas a verifiable audit trail showing that the signature was applied from a certain location, at a specific time, and under a specific authenticated identity (an individual person) puts the organisation in a much stronger position.
The risk assessment referred to above is then critical in establishing the risk appetite for ‘getting it wrong’ in terms of validity, and hence what level of authentication is needed. It is sensible to map defined, scaled levels of security to the risk levels determined: a scanned image at the lowest level, a digitised signature (one recorded by a platform with an audit trail) as the common-use level, and a digital signature using cryptographic keys for the highest level. The distinction matters: a digitised signature is only as trustworthy as the platform that recorded it, whereas a cryptographic digital signature can be verified independently of the platform by anyone holding the signer’s public key.
Impersonation is a clear and valid risk, especially where one or more of the signatories is not known to the organisation and the whole transaction is conducted remotely.
In those cases it is important to obtain proof that the signature is linked to the named individual(s). Logically this would be done in a similar way to ‘know-your-customer’ identification (ID) verification checks, but the checks would need to be extended to other parties, e.g. consultants, suppliers and contractors, if e-signatures are to be used in that context.
Organisations and their clients would want to understand what due diligence has been applied to other parties seeking to contractually bind via e-signature. Are they authorised to bind and sign?
A straight scan of a signature is relatively easy to forge because there is no (or only weak) linkage behind the scenes to the actual document. A digitised signature, by contrast, can be linked to a specific time, place/IP address and authenticated person, and a cryptographic digital signature binds the signer’s key to the exact document content so that any later change is detectable. An e-sign platform that achieves this linkage in the simplest way is therefore a good starting point for sound risk management.
If systems are compromised, stored signatures or signing credentials could be used to create false documents or agreements, so robust cyber risk controls should be applied all round. Arguably this is no worse than the risk with wet signatures, which can be recovered from discarded paper just as easily (or more easily). Reputational damage could follow if a signature appears on something the organisation would not wish to be associated with.
There is always the possibility that even where the true signature has been applied with intent at the time, if someone is looking for excuses to break out from an existing contract, they could claim forgery or other technical breach if they (or their advisers) have a full understanding of how the security processes work and what would easily nullify a contract.
It is possible for there to be numerous different signed document versions in circulation, especially if some parties are comfortable with e-sig but others prefer to wet-sign and you have to manage the process and ensure everyone ends up with the correct version, duly signed by all parties. It will be important to maintain a record of the signing process, culminating in the final signed version.
This type of control may already be in place as part of a wet signing process, but many e-sig platforms claim to keep the audit trail and manage version control so appropriate choice of software with control in mind is essential.
Linked to this, there is scope for someone to claim that, although their signature is genuine, the document was altered after signing. The linkage of the digitised signature to the time and the exact version of the document is what rebuts such a claim. A full audit trail showing all versions and stages of the transaction will be helpful here, so look for a package or platform that provides this facility in a form that is easy to reproduce and follow.
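The following is an added example, not code from the original article or from any particular e-signature product, showing the tamper-evidence that the higher security levels above provide. It records the signing event (document hash, signer, time, source IP) and binds that record to the signer’s Ed25519 key, so that either changing the document after signing or editing the audit record (for example backdating it) causes verification to fail. The record field names, the sample contract text and the signer details are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// SigningRecord is the audit-trail entry a platform might keep for one signing
// event. Field names are assumptions made for this example.
type SigningRecord struct {
	DocumentSHA256 string `json:"document_sha256"` // hash of the exact document version signed
	SignerID       string `json:"signer_id"`       // authenticated user who signed
	SignedAt       string `json:"signed_at"`       // RFC3339 timestamp recorded by the platform
	SourceIP       string `json:"source_ip"`       // client address recorded by the platform
	Signature      string `json:"signature"`       // hex Ed25519 signature over the other fields
}

// DocumentHash returns the SHA-256 digest of a document version as hex.
func DocumentHash(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// signedPayload is the canonical byte string the signature covers: the record
// with the Signature field blanked, JSON-encoded.
func signedPayload(rec SigningRecord) []byte {
	rec.Signature = ""
	b, _ := json.Marshal(rec) // marshalling a struct of strings cannot fail
	return b
}

// SignDocument produces a record binding the signer's key to this document
// version and to the recorded time and source address.
func SignDocument(priv ed25519.PrivateKey, doc []byte, signer, ip string, at time.Time) SigningRecord {
	rec := SigningRecord{
		DocumentSHA256: DocumentHash(doc),
		SignerID:       signer,
		SignedAt:       at.UTC().Format(time.RFC3339),
		SourceIP:       ip,
	}
	rec.Signature = hex.EncodeToString(ed25519.Sign(priv, signedPayload(rec)))
	return rec
}

// VerifyDocument answers the two questions a court or auditor would ask:
// does the recorded hash match the document presented now (no alteration after
// signing), and was the record itself signed by the holder of the key (so the
// hash, time and IP fields could not have been edited afterwards).
func VerifyDocument(pub ed25519.PublicKey, doc []byte, rec SigningRecord) bool {
	if rec.DocumentSHA256 != DocumentHash(doc) {
		return false // document altered after signing, or the wrong version
	}
	sig, err := hex.DecodeString(rec.Signature)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, signedPayload(rec), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample contract text.
	contract := []byte("Supply agreement v3: price GBP 10,000, term 12 months.")
	rec := SignDocument(priv, contract, "alice@example.com", "203.0.113.7", time.Now())
	fmt.Println("unaltered document verifies:", VerifyDocument(pub, contract, rec))

	// A counterparty later changes the price in the copy they hold.
	altered := []byte("Supply agreement v3: price GBP 1,000, term 12 months.")
	fmt.Println("altered document verifies:", VerifyDocument(pub, altered, rec))

	// Someone with access to the audit trail tries to move the signing date.
	backdated := rec
	backdated.SignedAt = "2020-01-01T00:00:00Z"
	fmt.Println("backdated record verifies:", VerifyDocument(pub, contract, backdated))
}
```

The point of signing the whole record rather than just the document is that the time, place and identity fields the article relies on become as tamper-evident as the document itself; a platform that stores those fields unsigned leaves the audit trail trusted on the platform operator’s word alone.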
Where the legal, regulatory or your own organisation’s compliance framework for transactions requires certain protocols to be followed, proof of this for internal control, compliance, and internal or external audit, will be necessary. Again an e-sig platform with the ability to provide full traceability should effectively mitigate the risk of failure to comply.
At the higher risk / higher security level, the certificates or keys used to link a signature to an individual will typically contain personal details (name, email address, organisation). Data protection controls therefore come into play, and it will be necessary to ensure that existing data protection controls extend to this new form of data asset, including its storage, retention and revocation.
There is potential for a varied level of adoption depending on how complex the e-sig system / platform is to use. Generally the higher the level of security, the more complex the process will become which could be off-putting to users.
The ability to vary the level of authentication according to an assessed level of risk will be helpful in this regard. A straightforward digitised signature might be sufficient in 95% of cases, but for higher risk matters, then digital signatures with cryptographic keys may be preferred. A system that could do both would be helpful, otherwise different e-sig platforms may be needed. If it’s not easy to use, you may end up with a mix of e-sigs and wet signatures which then has a knock-on effect back to the version control / traceability risks referred to above.
All the security afforded by an e-signature platform, system and process can be undermined if the surrounding environment is insecure, in particular the email system through which signing requests and links are typically sent and the accounts used to sign. Cyber risk controls, and possibly a framework such as Cyber Essentials (or CE Plus), should be used to assess and control the environment in which the electronic signature platform operates.
If signing dates are linked in any way to contractually binding dates, e.g. review of contractual terms, then errors arising from misunderstandings and mismatched dates could lead to claims.
Errors in this area are known to be costly so it would be important to get the date management aspects correct and ensure there is a mutual understanding amongst the parties.
An effective E-Sig platform should be able to control this via the version controls and traceability described above.
There is a risk that claims could arise if contracts become invalid or unenforceable, with financial repercussions for all signatories and other beneficiaries, and potential tax implications. Brexit is another important consideration: the eIDAS European Regulation may have an impact on transactions outside the UK, but it would be normal to agree the governing law for the overall contract, and therefore the status of its e-signatures, in any case.
In summary, the majority of the risks that could arise can be addressed through the adoption of a secure digital signature platform coupled with strong cyber risk controls. The skill will be in selecting a system / package which balances security with ease of use, and possibly allows variable authentication levels according to the risk level of the document / transaction concerned.
Many of these risks already exist with paper and wet signing; they simply become more apparent when the process is examined in detail. The aim should be to make the e-sig process equal to or better than the paper process in terms of risk control. It may even lead to better compliance, since every signing event is captured as data and can be checked for breaches of policy at 100% coverage, something a standard sample-based inspection process would not normally achieve.