Third party risk

Moving services online to third parties brings efficiencies, and risks

Are you adequately protected from cyber attacks on your system suppliers?
In the wake of the well-publicised CTS breach on 24th November 2023, many firms are re-evaluating supplier security and their own disaster recovery plans.

CTS is a managed service provider (MSP) for legal firms with all the right credentials – Cyber Essentials, Microsoft Partner, ISO27001 etc. It is used by many law firms as a case management system.

On 24th November 2023, CTS suffered a cyber-attack which prevented lawyers from accessing their client files. The breach took just under a month to be addressed, affecting law firms, clients and other associated professionals and individuals, e.g. in conveyancing chains. Many of those affected will have experienced additional direct and indirect costs (time), not all of which will be recouped or insured.

The impact of the cyber-attack appears to have mainly been interruption to the business of approximately 80 firms in the UK. The full extent of losses is still unknown, as the financial losses incurred are ongoing and still being assessed by the individual firms.

The cause

The Citrix environment CTS used was compromised in August 2023, allowing cyber criminals to extract large amounts of data from vulnerable devices (the ‘CitrixBleed’ bug), including those of well-known firms such as Allen & Overy. Citrix issued a patch on 10th October 2023 but then warned a week later that breaches were still occurring. It appears that a ‘back door’ was accidentally left open at CTS, which let the attack in.

A further issue: Managed Service Providers limit their liability

The contracts of many MSPs limit their liability substantially. It is their responsibility to provide a service (and to identify and rectify faults) but they cannot predict nor control all the consequences of the loss of their service.

Responsibility for protecting your firm from additional loss rests with you.

What can professional firms do to protect themselves?

Most professional firms don’t have the in-house skills or resource to identify cyber threats in their supply chain. They should ask questions as part of due diligence before working with a major supplier, but ultimately they are reliant on the assurances of their suppliers.

  • How is our data protected? Is the cloud environment shared?
  • How often do you scan for vulnerabilities and apply patches?
  • How often do you carry out a full disaster recovery test? What was the latest outcome?

Professional firms can ensure that their business is as well protected as possible by compiling and testing a detailed Disaster Recovery Plan (DRP), and taking out appropriate insurance.

    Disaster Recovery Plan

    The DRP should cover all systems used by the practice including telephones, document management, email, practice management software, customer relationship management and payment processing software (including payroll).

    It might be easy to have all the systems integrated with one supplier but it can spread the risk to have different suppliers for e.g. phones and broadband. It may be useful to have an additional broadband connection you can switch to if one fails.

    Do you have a written disaster recovery plan that covers all major risks to the business and assigns responsibilities to those capable of managing them? Have you tested your back-up plan?

    If a major system, such as your case management system, is compromised, you will need to find alternative ways of accessing the data. Many firms take regular back-ups but few actually test that data can be restored from those back-ups. If you use the Cloud for data storage, is there a back-up stored separately? How would you access it?

    Cyber Insurance

    One of the principal benefits of a cyber insurance policy is the services that are provided in the aftermath of a breach. Better still, a cyber policy could help prevent it happening in the first place as insurers now require baseline cyber security standards to improve the cyber resilience of firms.

    Some cyber insurers identify open security vulnerabilities through attack surface monitoring and risk management scans for policyholders and their third party suppliers. They offer alerts on the latest weaknesses and can be a useful source of information before signing a contract with a new supplier. Proactive risk management is always better than having to clean up after an issue.

    Business Interruption insurance

    Business interruption insurance under a cyber policy provides cover for the increased cost of working and loss of profits caused by an event until such a point as the business is running normally. This is often a much longer period than firms expect.

    When a key system is unusable, billable hours will naturally reduce as key staff are diverted to crisis management. There may be additional hardware needed (PCs, routers). With fewer hours billed, cashflow may be tight, necessitating additional finance. If your firm is slower than expected in providing services, or there is a loss of client data, there may be reputational damage.

    An interruption may have been swiftly dealt with, but the effects may be felt for months or years after.

    A determined criminal can eventually access any system but there are key steps you can take to protect client data and the running of your operations.

    Increased legal obligations likely for MSPs later this year

    With more firms using the Cloud for data storage and ease of working in multiple locations, and using MSPs to streamline their services, the EU recognizes that MSPs are now part of key infrastructure. It will be extending the Network & Information Systems regulation (NIS) to MSPs, increasing their legal duties for security and their obligations to report breaches. NIS2 will become effective in October 2024 and is expected to be adopted by the UK.

    Isobel Horswell
    Marketing & Compliance Exec, Ntegrity
