CTS cyber incident

Following a cyber incident involving CTS, an IT partner for the legal sector, some law firms are currently unable to access their case management systems. We’re aware this includes some legal aid and conveyancing firms, and we’re currently working to understand how many of our members are affected.

We’ve been in touch with government agencies and CTS to share our members’ concerns and experiences about the impact this is having, and the need for continued communication to keep members informed.

Until the issue is resolved, impacted firms with cyber insurance should check whether their insurer provides a business support line to which they can reach out.

Guidance for conveyancing firms

For conveyancers, some firms have been unable to complete transactions, which has delayed clients buying, selling and moving into their properties.

If you are impacted, you should keep your clients and other conveyancers acting on related transactions as informed as you are able about any disruption.

Continue to take a pragmatic approach and aim to minimise the impact on clients.

You may want to consider how your firm can prepare for such an attack before your next professional indemnity insurance (PII) renewal:

  • do you have appropriate cybersecurity systems in place?
  • do you have an appropriate recovery plan?
  • do your terms of business make clear your liabilities to clients if the firm is subject to a cyber-attack?
  • do you warn clients of circumstances in which completion may not take place?

For impacted legal aid firms, access to Legal Aid Agency (LAA) Digital has been suspended until it can be confirmed that the CTS problems are resolved.

We have asked the LAA to urgently consider contingency billing arrangements to alleviate cash flow problems.

The LAA has asked providers to contact their contract managers immediately if they are impacted, and has provided the following information:

For civil providers, delegated functions should be used wherever possible for applications and providers should hold billing activity until system access is restored.

For crime providers, applications can be submitted by post using CRM14 and, where required, CRM15 forms and supporting evidence to the National Criminal Applications Team in Nottingham. Providers should hold billing activity until system access is restored.

The LAA is aware that some providers are setting up new IT systems to enable them to operate whilst CTS resolves the incident. Where a provider can give the LAA assurance that the new environment is separate from, and has no exposure to, any data, service or infrastructure provided by CTS, the LAA will reinstate access to its systems.

Any new IT system or host environment must comply with the LAA Data Security Requirements and Data Security Guidance published on GOV.UK.

The LAA will review billing contingency measures as this incident develops and more information on recovery time becomes available.

Providers should let the LAA know if they may experience financial hardship as a result of the incident.

HMCTS has also confirmed that about 17 member firms have had their Common Platform and DCS accounts suspended in line with its security protocols.

It is reviewing how it handled the incident, with a view to making improvements in the future.

HMCTS has informed the CPS, LAA and local operations to highlight that firms may need additional support to represent clients, including:

  • manual provision of papers
  • checking in to the case in the court to confirm attendance

HMCTS says it has contacted affected firms with guidance on reinstating their accounts.

Protect your firm from future cyberattacks

This incident should serve as a reminder to all firms to be aware of cyber risks.

This is one example of criminals exploiting firms' growing reliance on ICT services provided by third-party vendors, targeting them as potential gateways to infiltrate firms’ networks, and steal money or sensitive information.

Firms should take this opportunity to review their cybersecurity arrangements to limit the likelihood of becoming the victim of such an attack and minimise the negative effects of any successful breaches.

It has become necessary for firms to carry out regular risk assessments of their supply chains, vetting third-party vendors for their security policies, procedures and historical security breaches.

We provide a range of helpful resources on our cybersecurity hub.

It is advisable to consider putting in place a business continuity plan, or adding provisions to an existing plan if it does not address cyberattacks.

A business continuity plan is not a strict regulatory requirement, but it’s a sensible precaution and may help firms to meet their regulatory responsibility to ensure they “identify, monitor and manage all material risks to [their] business” (rule 2.5, SRA Code of Conduct for Firms).

Now is also a good time to review our cyber insurance guidance, which explains what is and isn’t covered by your firm's primary PII cover, and why you should give serious consideration to investing in a cyber insurance policy to cover the gaps.

It’s important when purchasing a cyber insurance policy that firms make certain that it will cover losses incurred as a result of cyber-failures or attacks centred on third parties.

Firms that already have cyber insurance would be well advised to review the policy wording to see if such losses are included.

All firms should talk to their brokers to ensure that they have appropriate cyber insurance protections in place.

Support for you and your firm

Our partner Mitigo offers a 10% discount to Law Society members on cybersecurity services tailored to your firm.

Mitigo also offers a free online cybersecurity assessment to help you understand the areas of your firm that are most vulnerable to attack.

Sign up to the National Cyber Security Centre’s free early warning service to receive alerts about potential cyberattacks on your network.

Cyber Essentials and Cyber Essentials Plus are certifications that can help you to guard against the most common cyber threats and demonstrate your commitment to cybersecurity.

The ISO 27001 standard for information security, cybersecurity and privacy protection provides guidance on establishing, implementing, maintaining and continually improving an information security management system.
