17 Jun 2022

Why systems support is the way to a good night’s sleep

The need to maintain legaltech has an important regulatory angle, explain 3Kites’ Paul Longhurst and Richard Kemp of Kemp IT Law


Paul Longhurst writes

Why does it matter if a product is out of support, especially if it continues to run without problems in an unchanging technical environment?

If this were really true, and the technical environment remained unchanged, then it probably wouldn’t matter at all. However, software providers continually update products (often silently, increasingly so with the uptake of cloud) both in order to release enhancements and also to plug vulnerabilities which may be used by hackers and others to attack systems, steal or ransom data and the like. 

As such, it is important to ensure that your software and hardware are maintained at requisite levels. 

But what of the regulatory side of things – are you required by the SRA to run only those products which are fully supported? 

Richard Kemp of Kemp IT Law outlines some specifics here to help you.


Richard Kemp writes

  • Paragraph 2.1 of the SRA’s Code of Conduct for Firms states that regulated firms must ‘have effective... arrangements, systems and controls in place that ensure’ that they and their managers comply with the SRA’s ‘regulatory arrangements’.
  • ‘Regulatory arrangements’ are defined at s.21 LSA 2007 mainly (as relevant here) by reference to the SRA’s authorisation requirements and practice, conduct, insurance and compensation, etc. rules and don’t directly refer to systems or financial stability.
  • It is important to note paragraph 2.4 of the SRA’s Code of Conduct for Firms, which states that firms must ‘actively monitor your financial stability and business viability’, and then goes on to discuss an orderly winding down on cessation.
  • If running, say, an accounts package beyond its End-of-Life/support meant that a firm couldn’t ‘actively monitor its financial stability’ then the firm might be in breach of paragraph 2.4. It would then have to notify the SRA if this was a ‘serious’ breach of the regulatory requirements (paragraph 3.9) or ‘an indicator of serious financial difficulty in relation to you’ (paragraph 3.6(a)).
  • However, if a firm running an accounts package beyond its End-of-Life/support could still ‘actively monitor its financial stability’, this wouldn’t be contrary to the SRA’s Code of Conduct and (assuming it wasn’t otherwise in financial difficulties) there appears to be no express duty to notify the SRA.
  • In particular, this would still be the case even if the accounts package was beyond its End-of-Life/support but where the firm could still actively monitor its financial stability, eg via a secondary system or running its monthly management accounts in another way.

So if the firm has an unsupported system but has backup provisions to cater for this (maybe spreadsheets or hard copy documents), are we all OK? 

Engagement arrangements 

Well, possibly not. If the firm has given clients commitments in its engagement arrangements that it will always operate with fully supported systems (something we are aware of, especially with banking and insurance clients which want to know that their legal advisors are not a risk), then this could be a major issue.

If this situation arises, it would be important (consistent with the engagement agreement) to have a plan for remediation and, where necessary, to discuss it with the client to demonstrate that the firm is on a clear path to resolving any short-term issues.

Where firms have to provide accountants’ reports to the SRA, they may also face questions from their reporting accountants if IT systems are unsupported. This is because the SRA in its guidance for accountants sets out key risk areas to be checked and one of these is whether the firm has effective IT processes and controls in place (Section 3.5). 

The guidance gives examples of ‘adequate’ and ‘below adequate’ processes and controls. Indicative of ‘adequate’ is that ‘program changes to the IT system are always fully documented and approved before the change commences’. Indicative of ‘below adequate’ is where the accountants have identified ‘a control environment that is ineffective or not fit for purpose’. Undocumented or unapproved IT systems changes may therefore suggest below par processes and controls.

Another consideration here is the firm’s own professional indemnity or cyber insurance, where insurers are now routinely requiring more stringent conditions relating to the firm’s IT. It would be important to check this before running out of support so that mitigations can be put in place which satisfy the insurer.

Not doing so could be dangerous if a serious problem occurs whilst running unsupported products, as it may allow the insurer to claim an exclusion or a default and withhold cover.

Accreditation

Lastly, and increasingly importantly, firms need to consider the government-backed Cyber Essentials accreditation, which is becoming a de facto measure of an organisation’s ability to run well-maintained and supported systems. Those which have out-of-date solutions without appropriate measures in place may struggle to get accreditation and that, in turn, may affect their ability to remain on panels or within framework agreements.

So the next time your IT team asks for an upgrade to one of the firm's software or hardware products, it would repay careful consideration, as the saying goes, to take the time you need to explore all the ramifications. It could also help you to sleep better at night.

Paul Longhurst is a director of 3Kites consulting and Richard Kemp is a partner at Kemp IT Law. This is the sixth article in the series Navigating Legaltech.

--------------------

About 3Kites and Kemp IT Law
3Kites is an independent consultancy, which is to say that we have no ties or arrangements with any suppliers so that we can provide our clients with unfettered advice. We have been operating since 2006 and our consultants include former law firm partners (one a managing partner), a GC, two law firm IT Directors and an owner of a practice management company. This blend of skills and experience puts us in a unique position when providing advice on IT strategy, fractional IT management, knowledge management, product selections, process review (including the legal process) and more besides. 3Kites often works closely with Kemp IT Law (KITL), a boutique law firm offering its clients advice on IT services and related areas such as GDPR. Where relevant (eg when discussing cloud computing in a future article) this column may include content from the team at KITL to provide readers with a broader perspective including any regulatory considerations.