A malicious cyber-attack on the Bar Standards Board (BSB) a month ago – for the fourth time in a year – has proved “catastrophic” for the regulator, a meeting of its governing board heard yesterday.
For more than a month staff were frozen out of their emails. External experts have been drafted in to examine the stability of its case management system.
The BSB and Bar Council announced last month that they had both been attacked at the same time.
The board heard that the attack was detected before the malicious software could be triggered.
BSB director general Mark Neale said: “The price of averting the attack was, however, to take all our systems off-line. Since then the IT team, supported by external partners, has been working to cleanse systems of any malicious code and to re-connect our systems safely.”
Mr Neale told the meeting his staff had “only just regained access to [email] mailboxes”, while core information systems have only just come back online too.
Asked by BSB chair Baroness Tessa Blackstone how long it would take to recover, he could only say it would be “a long haul”.
Mr Neale said a backlog of reports on barristers and of authorisation requests had “inevitably” built up as a result, while progress on some investigations has also been set back.
He has approved spending of up to £100,000 on temporary resource to address this, but admitted: “It is likely we shall nevertheless see some deterioration in the timeliness of handling these core regulatory tasks in at least the first two quarters of 2022/23.
In the meantime, Mr Neale said, the regulator had put a number of projects on hold and undergone an “internal reprioritisation” in order to concentrate “handling the core regulatory operations”.
Director of regulatory operations Oliver Hanmer said projects halted that would otherwise have been carried out early in the new financial year included work on professional standards, “because the team that was going to be involved have got to prioritise clearing the [authorisation applications] backlog”.
Lay board member Kathryn Stone, the Parliamentary Commissioner for Standards and former Chief Legal Ombudsman, said about the hack: “Stating the obvious, it’s fairly catastrophic for the organisation… And something that would keep me up at night worrying about how we going to sort this out.”
Because of the hack, the deadline for applications for authorisations to practice was extended until the end of June 2022. HM Courts and Tribunals Service also extended use of ID cards within the professional users’ courts and tribunals access scheme, due to expire on 30 April 2022, until 31 May.
The hack came on the back of existing performance issues the BSB has been dealing with; in March 2021, the regulator admitted it was struggling to keep pace with a rising volume of incoming reports, authorisations and disciplinary cases.
At that point, only 37% of cases referred by the frontline contact and assessment team (CAT) to another team for regulatory action were accepted or referred back to CAT within two weeks, against a target of 80%.
Figures published yesterday showed that, in the first quarter of 2022 (the last quarter of the BSB’s financial year), the figure fell to just 11%.
Similarly, last year 39% of investigations of allegations of breaches of the BSB Handbook were being completed, and a decision taken on disposal, within 25 weeks of being accepted. The target is 80%. The figure is now 16%.
In all, the BSB is meeting only half of its 16 key performance indicators, although this is a significant improvement on this time last year, when it was meeting just three of 13.
Also in attendance, Bar Council vice-chair Nick Vineall QC complained that so few decisions on disciplinary action were being taken within six months. “If you’re a barrister, 25 weeks is quite a long time to have something hanging over you.”
He also pointed out that the BSB‘s own statistics showed that, by the end of last year 238 referrals had been made, close to double the number made at the same time a year earlier. So, he said, “this problem has been foreseeable for a year”.
He acknowledged that recruitment of extra staff to deal with the problem had taken place recently but wondered “why that had happened only now, not nine months ago?”
Mr Neale said he did not “want to make rash promises” that the situation would improve rapidly.
“I know the team is struggling and has indeed increased the flow of investigations.” A recovery plan would be presented to the next board meeting. But it would not be a “quick fix”, he said.