HACKING, PHISHING AND CYBER ATTACKS AND THE SLOW ADOPTION OF TECH

The two professional sectors that we serve as a business – Solicitor firms and Insurers – are slow adopters of new tech and ideas. No one wants to be in the first wave, with the risks that it entails, but it’s a problem because we are increasingly seeing more client money going astray, and more interceptions.

We work alongside a tech consultancy co-owned by one of my colleagues, and we wanted to try to unlock some of the inertia around new tech adoption, which would alleviate two issues for law firms:

  • Increasing losses are naturally being kept low profile because Insurers do not want to admit the scale of the problem due to sensitivities around their liquidity, and for law firms, the reputational damage associated with a client money loss is catastrophic. No one co-ordinates the data, but claims practitioners can see it getting worse.
  • Insurers only have one lever to pull when their losses mount up – that of increased cost – and they are not slow to act.

So we thought it a worthwhile exercise if we were to try to introduce a means of minimising losses and use it as an incentive to benchmark quality procedures to lower premiums in the medium term.

Along the way we talked to a significant number of law firms, the regulator and senior people in Insurers. We started out by considering that blockchain (by that I mean end-to-end secure passage of client money and data, and not the currency associated with the process) would be the best use of tech. But the specialists in the Insurer management teams continued to point out that the majority of their losses are caused by a manual intervention by a law firm member of staff that triggers access to their system in some way, and therefore it was email security and behaviors which were causing their problems and not the security of the money transfer system.

The other thing that we learnt was that as specialist businesses in cyber tech and secure transfers gain clients and grow, there is an aggregation risk. That is, the cyber criminals start to focus their efforts on a major provider in the knowledge that whilst gaining access to their data might be harder, it might be more profitable in the end.

There is no easy answer to the risks other than to say that staff actions continue to be a vulnerability and Insurers (with a few notable exceptions) are not prescriptive on how firms go about their business.

There is a sting in the tail too, in that we continue to advise law firms to review any Cyber Insurance coverage they purchase because more than a handful of Insurers exclude any pre-existing viruses or actors present when the policy was taken out – and that is a very wide exposure.

Simon Ong

QPI Ltd – December 2023

QPI – Quality, Professionalism and Integrity