Out-Law Analysis

PODCAST: Why suppliers could be a big source of cyber vulnerability, and how legal competition might stifle innovation


An attendee reads the NCSC annual report at its launch. Peter Nicholls/Getty Images


As new figures show that UK cyber attacks are getting more serious, Simon Colvin explains how to deal with the vulnerabilities in your supply chain, while David Halliwell applies some Nobel-winning counter-intuition to the economics of legal services.



    Hello and welcome once again to the Pinsent Masons Podcast, where we try to keep you abreast of the most important developments in global business law every second Tuesday. My name is Matthew Magee and I'm a journalist at Pinsent Masons and this week we hear how companies can better protect themselves from the fallout of a cyber attack through contracts with suppliers, and we investigate an economics conundrum: that stiff competition in the world of legal services could actually be stifling innovation.

    But first, here is some business law news from around the world:
    Irish presidential deepfake row raises need for better persona protection rights
    UPC legal test for assessing ‘added matter’ set and
    Saudi Arabia launches consultation over arbitration revamp

    A ‘deepfake’ video showing the leading Irish presidential candidate seeming to quit the race ahead of last Friday’s election highlights the gap in current laws in protecting people from misleading fakes, an expert has warned. Catherine Connolly, who went on to win the election, has lodged a complaint with the Electoral Commission after the video was posted to social media platforms and watched more than 30,000 times before being removed. Dublin-based IP expert Jane Bourke said that people had protection under defamation, privacy and IP laws, but that “none of these offer comprehensive protection for the persona itself - the voice, image, and likeness that define an individual’s identity. Establishing a personality right in Ireland would require legislative recognition of these attributes as protectable interests, akin to intellectual property, and enforceable regardless of ownership of the original media.” “The Protection of Voice and Image Bill 2025 is a step in that direction. Whether it gains traction remains to be seen, but the Connolly case may well be the catalyst that pushes this conversation into the public and political spotlight,” she said.

    Businesses seeking to defend or challenge the validity of patents before the Unified Patent Court (UPC) have been given clarity on how the UPC will assess whether applications for divisional patents contain ‘added matter’ from the parent applications they are supported by, experts in patent litigation have said. The UPC Court of Appeal confirmed a single legal test that UPC judges will need to apply in cases in the future for assessing whether an amendment to a patent contains ‘added matter’ in a case involving a dispute over a patent relating to light emitting diodes (LEDs). According to the court, UPC judges must determine what information a person skilled in the relevant art would derive directly and unambiguously from the entirety of the patent application as filed if viewed objectively and on the date of filing with their general knowledge. It added that, in this context, implicitly disclosed objects are also to be regarded as part of the contents of a patent application where they are clear and unambiguous from what is expressly mentioned.

    Proposed changes to Saudi Arabia’s arbitration law will bring the country into closer alignment with best practice internationally, an expert has said. Consultations are underway over changes to the 2012 Arbitration Law, with a focus on modernising the processes for users of arbitration in KSA. Among the changes are a rule that the law applicable to the arbitration agreement is that which is expressly chosen by the parties or, in the absence of express agreement, the law of the seat. This changes the existing law, which says that in the absence of agreement, the arbitral tribunal is permitted to adopt the procedure it deems appropriate for determining the law of the arbitration. The previous requirement for arbitrators to hold a degree in Sharia law has been removed. This change may permit parties to appoint arbitrators without a legal background. The draft also includes provisions for parties to be jointly liable for costs, with arbitrators able to withhold awards over unpaid fees.


    The UK’s cybersecurity watchdog, the National Cyber Security Centre, has said that the severity of attacks is increasing. Its recently published annual report said that the number of cyberattacks on UK businesses was steady, but that the number of ‘nationally significant’ incidents has risen sharply. Business leaders shouldn’t be surprised by this in the year in which the operations of Jaguar Land Rover, Marks and Spencer and the Co-Op were all severely disrupted because of attacks. But it should at least cause them to review their contracts with suppliers of data and technology services, said London-based technology expert Simon Colvin. He says that some of the functions most vulnerable to attack are commonly outsourced and that poor contracts could leave businesses more exposed than they should be. But first he told me how the nature of attacks is changing, posing a bigger operational threat than ever.

    Simon Colvin: The actual nature of attacks is changing quite significantly and cyber attackers are starting to focus on disruption of the whole operational platform and processes of a business as much as just purely searching out the data and trying to steal personal data. So they're really aiming at the heart of a business and taking out the heart of a business in their cyber attack. Clearly the greater the effect on a business, whilst you take out a business, the whole of its operations are ceasing, obviously a massive attack on the bottom line, financials, profitability, etcetera. Also, you know, whilst a customer can't go to business X, they may go around the corner to business Y. So it's a far greater impact than just the damage that's done by taking out personal data from the business or stealing the personal data. I think we are seeing a range of threat actors emerging. We've definitely seen over time nation-state cyber attacks. So as a result of the Ukraine war, we started to see a lot more Russian-origin cyber attacks, China-origin cyber attacks, so real nation-state activity, but it's not all headed in that direction. So we're also still getting, amazingly, cyber attacks from fairly young individuals in a collective operating from their bedrooms. So there's a real range, but also cyber attackers themselves can access AI and ransomware as a service and other technologies to increase sophistication of their attacks, no matter who they are as the threat actor and no matter how sophisticated they are themselves.

    Matthew Magee: To disrupt the company systems, attackers have to gain access to them, and Simon says that increasingly that access is coming through systems provided by external suppliers.

    Simon: Companies are vulnerable at any point of entry in their information security systems. But what we've seen with some of the bigger, more impactful cyber attacks of late is that the supply chain can be a significant area of vulnerability and with the JLR and with the M&S attacks, they came in through the third party, a supplier, and businesses are increasing their threat surface. So having help desks, having their websites, all of these things create greater vulnerabilities and so we're seeing that the third parties are quite often an area of significant vulnerability. I mentioned the help desk, the threat actor through what we call social engineering, will approach the help desk, will try to obtain user details, etcetera, or will try to penetrate to high levels of permissions within the business and through that they gain access into the business. They could sit there undiscovered for quite a period of time, all the while gaining greater access around the system. But it is that sort of access that we're seeing, the greatest vulnerability, the help desks and the third-party technology systems that are being provided where they're being outsourced by the business.

    Matthew: So it's not necessarily that third parties are worse at protecting systems, more that the services they provide, help desks, websites, customer databases, are inherently higher risk and who has liability when the dust settles for incidents whose costs can very quickly run into the millions is a question settled entirely by the contract between the company and the supplier. So check your contracts, says Simon.

    Simon: Well, they need to check the third-party contracts. We have seen many clients where actually either they can't find the third-party contracts, they may not exist, or when they do look at them, they're either silent on information security or the information security requirements are pretty poor and lacking. So as an immediate task, it's establish what third parties you've got. Find out where the contracts are, look at the contracts, establish whether they're robust and whether they need an overhaul. That's rule number one. I think it's not just what the contracts say. You could have a brilliant contract, but the main point is: is your supplier acting in accordance with that contract? So testing its systems and security. So penetration testing to check itself for any vulnerabilities, running business continuity and similar processes on a regular basis to check how it manages these issues, how it manages emergencies and crises, and ideally obligations to actually then self-certify to the customer to say, yeah, we've got these systems in place, we're checking them, we're verifying them and if we found any vulnerabilities, we've repaired them.

    Matthew: Companies should prioritise their contracts and deal with the highest-risk ones first, says Simon, and should use their procurement processes to make information security a major factor in choosing new suppliers, because if there's no comeback in contracts, then the customer organisation can be very exposed, he says.

    Simon: You have to assess well, what does the contract say? What were they responsible for? What promises did they make to you? What limits of liability exist in the contract? What requirements for insurance and you as a customer and as a business, what insurance have you got and what do your insurers require you to do vis-à-vis your third parties? Have you complied with that? And how much do you have to then pass on to the third party? And you know, it comes down to almost a sort of standard - has there been a breach of that contractual position that you've agreed with regard to information security and protection of vulnerabilities?


    The world of economics has a lot to say about markets and how they operate, and whole schools of thought have emerged full of people who disagree with each other about how it all works. And all the while markets move in mysterious ways because people are in the end, well, a bit funny and don’t always do what’s predictable. But there are some things on which most economists agree, such as that lots of competition makes companies better because they all have to try harder to get and win customers, and that innovation is one of the ways they do that. A more competitive market will be a more innovative market, goes the orthodoxy. But the three men who two weeks ago won the Nobel Prize for Economics disagree, and their thinking has a lot to tell us about how companies can and in the future might secure legal advice. At least that’s according to David Halliwell, an expert in managed legal services at Vario, which is part of Pinsent Masons. The Nobel economists shared the prize for their work on the relationship between technological progress and growth and explored the idea that sometimes a lot of competition could stifle innovation, which chimed with some of David’s thinking about how the legal services market works. But first I asked him to outline what competition looks like in the slightly unusual legal industry.

    David Halliwell: The legal services market has got a range of different players in there. You have the incumbent law firms, law firms who've been there for a while, there's an increasing number of alternative legal services providers coming into the market. You also have within that ALS (alternative legal services) space, the Big Four accountancy practices who have legal arms as well. The law firm market is massively fragmented even though the commercial law firms serving major corporates probably fall within the top 30 to 50 firms by order of size in the market, none of those have a very big market share and if you compare and contrast that with the Big Four accountancy practices, they have the lion's share of that market. But no one law firm has more than maybe 1 or 2% of the overall market, and in that context it is massively fragmented.

    Matthew: The next thing we had to clean up was what we actually mean when we talk about innovation in the legal industry.

    David: Law firms are now realising and have realised that they are process-driven organisations. We've moved from the stage where lawyers thought that every piece of legal work was individually crafted for their clients, and the clients recognise and understand this. And so a large part of innovation in law firms is trying to make that process as efficient as possible and that involves using technology, but it also involves looking at your processes and identifying which elements can be standardised and then once you've identified which bits can be standardised, you can think about whether all of those elements need to be performed by the same level of qualification and can you use different types of resources, some of them legal, in some cases not even lawyers at all, to be able to carry out those standardised activities in a very efficient way.

    Matthew: And so we come to the relevance of the thinking of Joel Mokyr, Philippe Aghion and Peter Howitt to competition in the legal services market.

    David: There were three recipients of the Nobel Prize for economics this year, and one was a guy called Joel Mokyr. So his thesis is that markets grow through innovation, but only at a point in their history when there's a culture which is receptive to new ideas and scientific advances. So he was looking at the Enlightenment and seeing the fact that the Industrial Revolution was taking place at the same time, and he was working to identify whether there was a correlation and he has established that yes, there is. If you have a culture, if you have an environment where people are receptive to new ideas, then there's likely to be economic growth happening at the same time. And then his work was supplemented by Philippe Aghion and Peter Howitt, who were looking at how competition has an impact on innovation and economic growth at the same time. The central point of their theory is that you need to have an element of competition within a market to allow innovation to take place. But the critical point is that it needs to be a market which would allow new entrants to come in. So you've got a market which has got a load of incumbents. Their incentive to innovate isn't really very high, but if new businesses start to come in and challenge those incumbents with new business models, new technologies, new ideas, then the incumbents themselves need to innovate.
    In a market where incumbents are looking for economic growth, yes, there will always be an incentive to innovate, to try and gain market share, and to take market share away from your competitors. What new entrants bring, it's typically new business models, new ideas, new technologies, and those act as an extra spur to the incumbents to innovate, either to respond to that with their own ideas or to adopt the new models brought in by the new entrants.

    Matthew: David said the work of Mokyr in particular can help to illuminate why innovation may not have thrived in one part of the legal services market, law firms, and how the structure of the industry isn't helping.

    David: Thinking about that macro level that Joel Mokyr was identifying, which is that you need to have a culture within a society that's receptive to new ideas and to new technologies in order for innovation and economic growth to be kick-started and that got me thinking about law firms. Do law firms typically have a culture where people are receptive to new ideas and to adapting to new technologies? But it got me thinking about the state of the legal services market and the extent to which it is massively fragmented. It is hard for new entrants to come into the legal services sector and so we're left with a situation where no one player has got a significant market share. You've got hundreds of firms who are competing in the same space, but whatever innovation any of those firms implements is only going to have a tiny incremental impact on their ability to gain market share. Yes, firms will grow. Yes, firms will continue to think about new ways of delivering services. But it struck me that this overriding competition within the market means that the innovations aren't really going to take hold in the same way that they might in a differently structured market.

    Matthew: Of course, not all innovation is to do with technology, and not all technology is artificial intelligence. But the sudden rise of near-ubiquitous generative AI with never-before-seen capabilities means that this will inevitably be the focus for many looking to innovate and this could present challenge and opportunity for all parts of the legal services market, says David.

    David: There's some recent research which shows that the in-house lawyers' levels of adoption of AI far exceed the levels of adoption of AI within private practice law firms. There is an opportunity for firms to get ahead with some of the existing AI that is coming in, but I would say that all of that is doing is creating a marginal efficiency gain for those law firms. And as more firms adopt the same or equivalent technologies, then it's going to equalise out across the market and all firms will have that level of efficiency now built into their business models. All law firms will have the cost of buying and using that technology as part of their cost base. The big shifts are going to come from firms who can change their business model and adapt new technologies in a way that creates a completely different way of providing value. It could be using technology and unqualified resource or less qualified resource to provide a different type of service for clients. It could be through creating technology-led products which they license to clients when they don't have so many lawyers involved in their processes. It could be that a law firm decides to focus only on one particular sector, or a number of sectors, and to really think about the way they can use these technologies, not just to make themselves more efficient, but to provide advice in a radically different way for clients. We have the technology to do all of these things available now. The constraint isn't the technology. The constraint is now law firms' abilities to adapt the technology and to implement it across their business.


    Well, thanks again for spending time with us. We hugely appreciate it and you can keep up all day, every day with the material produced by our specialist team of reporters at pinsentmasons.com with news, analysis and guides on the whole world of business law. Or you can sign up at pinsentmasons.com/newsletter and get a personalised feed every single week. But for now and until next time, thank you and goodbye.
    The Pinsent Masons Podcast was produced and presented by Matthew Magee for international professional services firm Pinsent Masons.
