
3Kites: Why systems support is the way to a good night’s sleep

Why does it matter if a product is out of support, especially if it continues to run without problems in an unchanging technical environment? If this were really true, and the technical environment remained unchanged, then it probably wouldn’t matter at all. However, software providers continually update products (often silently, increasingly so with the uptake of cloud) both to release enhancements and to plug vulnerabilities which may be used by hackers and others to attack systems, steal data and the like. As such, it is important to ensure that your software and hardware are maintained at requisite levels.

But what of the regulatory side of things – are you required by the SRA to run only those products which are fully supported? Richard Kemp of KITL provides some specifics here to help you:

  • Paragraph 2.1 of the SRA’s Code of Conduct states that regulated firms must “have effective… arrangements, systems and controls in place that ensure” that regulated firms and their managers comply with the SRA’s ‘regulatory arrangements’.
  • ‘regulatory arrangements’ are defined at s.21 LSA 2007 mainly (as relevant here) by reference to the SRA’s authorisation requirements and practice and conduct rules and don’t directly address systems or financial stability.
  • It is important to note paragraph 2.4 of the SRA’s Code of Conduct, which states that firms must ‘actively monitor your financial stability and business viability’, and then goes on to discuss an orderly winding down on cessation.
  • If running, say, an accounts package beyond its End-of-Life/support meant that a firm couldn’t ‘actively monitor its financial stability’ then the firm might be in breach of paragraph 2.4. It would then have to notify the SRA if this was a ‘serious’ breach of the regulatory requirements (paragraph 3.9) or ‘an indicator of serious financial difficulty in relation to you’ (paragraph 3.6(a)).
  • However, if a firm running an accounts package beyond its End-of-Life/support could still ‘actively monitor its financial stability’, this wouldn’t be contrary to the SRA’s Code of Conduct and (assuming it wasn’t otherwise financially insolvent) there appears to be no duty to notify the SRA.
  • In particular, this would still be the case even if the accounts package was beyond its End-of-Life/support but where the firm could still actively monitor its financial stability, eg via a secondary system or running its monthly management accounts in another way.

So if the firm has an unsupported system but has backup provisions to cater for this (maybe spreadsheets or hardcopy documents), are we all OK? Well, possibly not. If the firm has given clients undertakings that it will always operate with fully supported systems (something we are aware of, especially with banking and insurance clients which want to know that their legal advisors are not a risk), then this could be a major issue. If this situation arises, it would be important to have a plan for remediation and to discuss this where necessary to demonstrate that the firm is on a clear path to resolving any short-term issues.

Another consideration here is the firm’s own insurance, which may also carry conditions relating to the firm’s IT. It would be important to check this before running out of support so that mitigations can be put in place in agreement with the insurer. Neglecting this check may be dangerous if a serious problem occurs whilst running with unsupported products, as it could allow the insurer to claim a default and withhold payments.

Lastly but increasingly, firms need to consider the government-backed Cyber Essentials accreditation, which is becoming a de facto measure of an organisation’s ability to run well-maintained and supported systems. Those which have out-of-date solutions without appropriate measures in place may struggle to get accreditation and that, in turn, may affect their ability to remain on panels or within framework agreements.

So the next time your IT team asks for an upgrade to one of the firm’s software or hardware products, you may want to take a little more interest in the ramifications. It could help you to sleep better at night.

Independent consultants to the professional services sector.