Cyberattack on LegalTech: Implications for Managed Service Providers (MSPs)

Introduction

In a recent and concerning incident, CTS, a UK-based provider of managed IT services catering to law firms and the professional services industry, fell victim to a cyberattack that sent shockwaves across the legal sector. This cybersecurity breach has raised pertinent questions about the approach law firms take when it comes to technology services. Does this incident, which left nearly 80 law firms grappling with disruptions, signify a growing preference for self-hosted on-premises solutions in an industry already known for its risk-averse nature?

CTS, headquartered in Cheshire, issued a statement acknowledging a "service outage" resulting from an unspecified cyber incident. While the details surrounding the attack remain undisclosed, reports indicate that it has severely affected close to 80 law firms, preventing them from accessing crucial case files. The repercussions extend beyond the legal realm, with disruptions in house sales and purchases, leaving customers dealing with unforeseen expenses and time-sensitive mortgage offers hanging in the balance.

The incident's opacity and the lack of timely updates from CTS have fueled concerns and speculation within the legal community. The company's spokesperson, Natalie Kissack, declined to provide additional information, leaving clients and industry experts in the dark.

A significant aspect of this cyberattack is the potential involvement of hackers exploiting vulnerabilities, including the CitrixBleed vulnerability. Security experts suggest that CTS may have been compromised in this manner, putting sensitive data at risk. The merger of CTS with Sprout Technologies in 2020 has also been linked to the breach, raising questions about the integration and security measures in place.

Law firms that rely on CTS for their IT services have been grappling with ongoing disruptions. Taylor Rose MW, for instance, has publicly acknowledged the impact on its operations and is actively seeking alternative solutions to manage urgent client matters. Other firms, such as O’Neill Patient Solicitors and Talbots Law, have also reported difficulties stemming from the technical outage.

Key Lessons for Managed Service Providers (MSPs)

1. Cybersecurity and Resilience: The CTS cyberattack underscores the critical importance of cybersecurity and resilience in the MSP approach. MSPs must prioritise cybersecurity measures to protect sensitive client data.
2. Transparency and Communication: Timely and transparent communication during a cyber incident is essential to maintain trust and manage client expectations. MSPs should learn from CTS's lack of updates.
3. Due Diligence in Mergers and Integrations: MSPs involved in mergers or integrations, as seen with CTS and Sprout Technologies, must conduct thorough due diligence to ensure the security of their systems.
4. Consideration of Self-Hosted Solutions: Law firms, traditionally risk-averse, may reconsider their reliance on MSPs and explore self-hosted on-premises solutions perceived as more secure and controllable.
5. Regulatory PreparednessMSPs should be prepared for potential regulatory scrutiny in the aftermath of a cyber incident. Proactive engagement with regulators is crucial. 

While the full extent of this incident is yet to be revealed, it prompts us to consider the broader implications for the managed service provider (MSP) approach in the legal industry. MSPs have long been trusted partners, offering convenience and expertise in handling IT services. However, incidents like the CTS cyberattack underscore the importance of cybersecurity and resilience.

Will law firms, known for their cautious and risk-averse nature, reconsider their reliance on MSPs for critical services? Could this incident lead to a resurgence of interest in self-hosted on-premises solutions, perceived by some as more secure and controllable?

The CTS cyberattack serves as a stark reminder that cybersecurity should remain a top priority for all organisations, irrespective of their IT service provider.  Grant Sanders , Partner at Stephen Rimmer LLP has provided his views on this incident "In the aftermath of this CTS cyberattack, the legal industry faces a pivotal moment, prompting a reassessment of its reliance on Managed Service Providers (MSPs). This incident serves as a stark reminder that cybersecurity should be a top priority for all organisations, irrespective of their size. The lessons learned from this breach underscore the critical importance of cybersecurity, transparency, and due diligence. The legal community must now consider whether a more hands-on approach to technology management, including self-hosted on-premise solutions, is warranted in a world increasingly vulnerable to cyber threats. As the industry reflects on the fallout, enhanced client scrutiny, regular audits, and proactive engagement with regulatory changes become imperative for ensuring the security of IT environments in the face of evolving cybersecurity challenges."

As the legal industry reflects on the fallout from this cyber incident, it is imperative for firms to assess their cybersecurity strategies and consider whether a more hands-on approach to technology management is warranted. The incident underscores the need for due diligence and vigilance in an increasingly digital and interconnected world.

Client Scrutiny and Audits

In the wake of the CTS cyberattack, clients of MSPs are encouraged to exercise enhanced scrutiny over their service providers. This may involve:

• Conducting audits and security assessments.
• Implementing regular reviews of MSP cybersecurity policies.
• Expecting transparency in reporting.

Horizon Scanning and Threat Intelligence Sharing

Both firms and MSPs must stay vigilant about emerging cybersecurity threats and discuss MSP responses to recent threats.

Regulatory Compliance and Reporting

As regulatory changes are imminent, MSPs must prioritise compliance with new cybersecurity regulations, including reporting requirements, incident response protocols, and adherence to industry-specific standards. MSPs should establish mechanisms for efficient and accurate regulatory reporting to demonstrate their commitment to cybersecurity.

I have sat back and looked at how REG-1 would have helped clients in this situation and we would have provided our clients with alerts through the horizon scanning capability. Alerts surrounding the increasing attacks in the US and the potential risk to them.  Hopefully in turn empowering them to engage more effectively with their MSPs to question what is being done to counter the emerging cyber threats and ensure the security of their IT environments in an increasingly challenging cybersecurity landscape.