Why Systems Support is the way to a good night’s sleep
Richard Kemp, Kemp IT Law (with thanks to Paul Longhurst, 3Kites)
Why does it matter if a product is out of support, especially if it continues to run without problems in an unchanging technical environment? If this were really true, and the technical environment remained unchanged, then it probably wouldn’t matter at all. However, software providers continually update products (often silently, and increasingly so with the uptake of cloud) both to release enhancements and to plug vulnerabilities which may be used by hackers and others to attack systems, steal or ransom data and the like. Once a product leaves support, those fixes stop arriving, while the surrounding environment keeps changing. As such, it is important to ensure that your software and hardware are maintained at the requisite levels.
But what of the regulatory side of things – are you required by the SRA to run only those products which are fully supported? Richard Kemp of KITL outlines some specifics here to help you:
Paragraph 2.1 of the SRA’s Code of Conduct for Firms states that regulated firms must ‘have effective… arrangements, systems and controls in place that ensure’ that they and their managers comply with the SRA’s ‘regulatory arrangements’.
The term ‘regulatory arrangements’ is defined at s.21 LSA 2007 mainly (as relevant here) by reference to the SRA’s authorisation requirements and its practice, conduct, insurance and compensation, etc. rules; the definition doesn’t directly refer to systems or financial stability.
It is important to note paragraph 2.4 of the SRA’s Code of Conduct for Firms, which states that firms must ‘actively monitor your financial stability and business viability’, and then goes on to discuss an orderly winding down on cessation.
If running, say, an accounts package beyond its End-of-Life/support meant that a firm couldn’t ‘actively monitor its financial stability’ then the firm might be in breach of paragraph 2.4. It would then have to notify the SRA if this was a ‘serious’ breach of the regulatory requirements (paragraph 3.9) or ‘an indicator of serious financial difficulty in relation to you’ (paragraph 3.6(a)).
However, if a firm running an accounts package beyond its End-of-Life/support could still ‘actively monitor its financial stability’, this wouldn’t be contrary to the SRA’s Code of Conduct and (assuming it wasn’t otherwise in financial difficulties) there appears to be no express duty to notify the SRA.
In particular, this would still be the case even if the accounts package was beyond its End-of-Life/support but where the firm could still actively monitor its financial stability, eg via a secondary system or running its monthly management accounts in another way.
So if the firm has an unsupported system but has backup provisions to cater for this (maybe spreadsheets or hardcopy documents), are we all OK? Well, possibly not. If the firm has given clients commitments in its engagement arrangements that it will always operate with fully supported systems (something we are aware of, especially with banking and insurance clients which want to know that their legal advisors are not a risk), then this could be a major issue. If this situation arises, it would be important (consistent with the engagement agreement) to have a plan for remediation and to discuss it with the client where necessary, to demonstrate that the firm is on a clear path to resolving any short-term issues.
Where firms have to provide accountants’ reports to the SRA, they may also face questions from their reporting accountants if IT systems are unsupported. This is because the SRA in its guidance for accountants sets out key risk areas to be checked and one of these is whether the firm has effective IT processes and controls in place (Section 3.5). The guidance gives examples of ‘adequate’ and ‘below adequate’ processes and controls. Indicative of ‘adequate’ are that ‘program changes to the IT system are always fully documented and approved before the change commences’. Indicative of ‘below adequate’ are where the accountants have identified ‘a control environment that is ineffective or not fit for purpose’. Undocumented or unapproved IT systems changes may therefore suggest below par processes and controls.
Another consideration here is the firm’s own professional indemnity or cyber insurance, where insurers are now routinely requiring more stringent conditions relating to the firm’s IT. It would be important to check the policy before running out of support so that mitigations can be put in place which satisfy the insurer. Failing to do so may be dangerous if a serious problem occurs whilst running with unsupported products, as it could allow the insurer to claim an exclusion or a default and withhold cover.
Lastly, and increasingly, firms need to consider the government-backed Cyber Essentials accreditation, which is becoming a de facto measure of an organisation’s ability to run well-maintained and supported systems. Those which have out-of-date solutions without appropriate measures in place may struggle to get accreditation and that, in turn, may affect their ability to remain on panels or within framework agreements.
So the next time your IT team asks for an upgrade to one of the firm’s software or hardware products, taking the time to explore all the ramifications would, as the saying goes, repay careful consideration. It could also help you to sleep better at night.