Following the recent cyber attacks at CTS, Lindsay Hill, CEO of Law Society partner Mitigo, asks how to protect your firm's data when using a managed service provider


Emma, a managing partner in a law firm specialising in property matters, took IT security seriously. She thought she had covered all bases in protecting her law firm by using a managed service provider (MSP). They used hosted cloud services, which made operations more efficient and cost-effective. She thought the firm's systems were protected and safe. She did not for one moment envision that there was any risk involved. However, cybercriminals know about the large amounts of money exchanged in property transactions and the reliance law firms place on their IT systems. Therefore, if they target an MSP that serves the legal sector, they can secure large financial rewards by denying multiple clients access to their systems and stealing their data.

Unfortunately, Emma’s worst nightmare came true, and her law firm could not access any of their systems for four weeks. No conveyancing transactions could be made, with no access to emails, Microsoft 365, or case management systems.

Fee-earners could not log their hours. Lender portals were shut down, and many of the lenders would not reopen the portals until the firm had been given independent assurance that its connection to their systems was safe. With the firm facing reputational damage, questions from the regulators, including the Solicitors Regulation Authority (SRA) and the Information Commissioner's Office (ICO), would also have to be answered.

On reflection, Emma was not wrong in using an MSP. Still, she now knows that it is not a good idea to have all her eggs in one basket. There are various options available to help her, while also ensuring she does not commit any legal or regulatory breaches.

In the wake of the recent CTS breach, it is more important than ever to remain vigilant in protecting your data and maintaining operational resilience. We’re not saying don’t use an MSP, but balancing the convenience and expertise of an MSP with a measured approach to risk management can help mitigate the associated risks.

So, where to begin? We consider the vital steps you can take to try to put your firm in the safest position possible.

Due diligence

The starting point is always to do a risk assessment. Ask the following:

  • What are you asking of your outsourced provider; what are they supplying; what is their service? You need to assess the risk of relying on third parties and ask what would happen if a cyber attack occurred.
  • What are the chances of a breach, and what would the consequences be?
  • What are their security arrangements?
  • How is your data stored – will you have your own server, or are you sharing a server with their other clients?
  • How is your data separated from everyone else’s in the hosted environment?

Conduct a thorough vetting of the MSP’s security practices, experience and track record, and ensure clear Service Level Agreements (SLAs) are in place that unambiguously define service expectations, responsibilities, and response times.

Furthermore, ask whether they comply with your legal and regulatory requirements.

As the ICO highlighted by fining Tuckers Solicitors, your firm, as the data controller, remains responsible for the security of client personal data. The UK General Data Protection Regulation (GDPR), articles 5(1)(f), 5(2) and 32, places a statutory duty on firms to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures, and requires the firm to be able to demonstrate compliance.

You also have regulatory obligations to the SRA. The SRA Code of Conduct outlines:

  • the obligation to have effective governance structures, arrangements, systems and controls for compliance with regulation and law (para 2.1a)
  • the need to identify, monitor and manage all material risks to your business (para 2.5)
  • the requirement to keep up to date with and follow law and regulation (para 3.1)
  • the need to safeguard money and assets (including documents) entrusted to you by clients and others (para 5.2).

It is your regulatory obligation to protect personal and confidential data and remain operationally resilient. Relying on the MSP, without carrying out the appropriate due diligence, may have unintentionally created a perfect storm within your law firm.

Mitigate your risk

Following a breach, the extent of the damage to your firm depends on your level of dependence on a single provider. Consider the possibility that your data is lost, stolen or destroyed while in the hands of the MSP. It doesn't bear thinking about, right? Cyber attacks are increasingly not an 'if' but a 'when'. You need to work out your disaster recovery plan from the outset. This may include hosting a copy of your data yourself, away from the MSP environment, and/or using your own services instead of outsourcing. In addition to maintaining some capabilities in-house, consider also using multiple providers for different IT services to reduce your dependency on one source. Basically, it's important that you don't put all your eggs in one basket.

The importance of independent reviews

The government has issued a draft Cyber Governance Code of Practice aimed at executive and non-executive directors and other senior leaders, which highlights the fact that cyber risk should have the same prominence as financial or legal risks. In addition, the Law Society, the Conveyancing Society, and the National Cyber Security Centre are all urging firms to review and reinforce their cybersecurity arrangements. As a board-level responsibility, cybersecurity must be properly addressed at the highest level and not left to the IT department – cybersecurity and IT are completely different things.

We continually emphasise the importance of independent assurance. Having an impartial expert review your security strategy is fundamental to truly understanding your risk and the defences you have, or think you have, in place. This will prevent, or at least reduce, the risk of those nightmare scenarios happening to your firm.

Even if you have established that your MSP is entirely secure, you still hold the keys to the front door. You need to assess the risk from your side, ensuring you have the right processes and policies around how you access the data and systems stored by your MSP. This could include measures such as strong authentication, securely configured devices, and ensuring staff only have access to the data they need to perform their role.

If you already have an existing supplier, you should still perform these checks now. There’s no time like the present to ask questions. Even if you’re not thinking about switching, it’s good to get some reassurance. Maintain regular communication with your MSP and conduct periodic reviews of their services to ensure they meet your evolving needs.

The safest way forward

The CTS breach emphasises the critical need for heightened vigilance in protecting your data and ensuring your firm’s operational resilience. While engaging an MSP can have clear benefits, legal compliance is non-negotiable. It is imperative that you carry out the appropriate due diligence to ensure you are meeting your obligations.