diff --git a/ipv-api/src/main/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandler.java b/ipv-api/src/main/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandler.java
index ca66f8ad90..3c5179749c 100644
--- a/ipv-api/src/main/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandler.java
+++ b/ipv-api/src/main/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandler.java
@@ -102,6 +102,11 @@ public APIGatewayProxyResponseEvent handleRequestWithUserSession(
 }
 UserInfo userInfo;
+
+ if (Objects.isNull(internalCommonSubjectIdentifier)) {
+ LOG.warn("InternalCommonSubjectId is null on orch session");
+ return generateApiGatewayProxyErrorResponse(400, ErrorResponse.ERROR_1000);
+ }
 try {
 Optional userInfoFromStorage =
 userInfoStorageService.getAuthenticationUserInfo(
diff --git a/ipv-api/src/test/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandlerTest.java b/ipv-api/src/test/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandlerTest.java
index d39e7407c7..dfd141b1a0 100644
--- a/ipv-api/src/test/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandlerTest.java
+++ b/ipv-api/src/test/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandlerTest.java
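Review bot: The new guard in `handleRequestWithUserSession` rejects only a null `internalCommonSubjectIdentifier`, so an empty or blank value on the orch session would still reach the `userInfoStorageService.getAuthenticationUserInfo(` call that follows; whether such a value can ever be stored is not visible here. If the identifier is a String, consider `if (internalCommonSubjectIdentifier == null || internalCommonSubjectIdentifier.isBlank()) {`, which also replaces `Objects.isNull`, a helper intended for use as a predicate. The early return emits no metric or audit event (the accompanying test pins that), so the `LOG.warn` line is the only signal for this state and should be traceable to a session unless the logging context already attaches that. The method body starts and ends outside the hunk.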
@@ -143,6 +143,23 @@ void shouldReturnErrorIfOrchSessionIsNotFound() throws Json.JsonException {
 verifyNoInteractions(cloudwatchMetricsService, auditService);
 }
+ @Test
+ void shouldReturnErrorWhenInternalCommonSubjectIdIsNullOnOrchSession()
+ throws Json.JsonException {
+ when(sessionService.getSession(anyString())).thenReturn(Optional.of(session));
+ when(orchSessionService.getSession(anyString()))
+ .thenReturn(
+ Optional.of(
+ new OrchSessionItem(SESSION_ID).withInternalCommonSubjectId(null)));
+ when(clientSessionService.getClientSession(any()))
+ .thenReturn(Optional.of(getClientSession()));
+ var result = handler.handleRequest(event, context);
+
+ assertThat(result, hasStatus(400));
+ assertThat(result, hasBody(objectMapper.writeValueAsString(ErrorResponse.ERROR_1000)));
+ verifyNoInteractions(cloudwatchMetricsService, auditService);
+ }
+
 @Test
 void shouldReturnCOMPLETEDStatusWhenIdentityCredentialIsPresent() throws Json.JsonException {
 usingValidSession();
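Review bot: The new test `shouldReturnErrorWhenInternalCommonSubjectIdIsNullOnOrchSession` asserts the 400 response and the absence of metric and audit calls, but it does not pin the property the guard exists for: that the user-info lookup is never attempted when the subject identifier is missing. If the test class holds a mock of the storage service (not visible in this hunk), add `verifyNoInteractions(userInfoStorageService);` after the existing verification. A second case passing an empty string to `withInternalCommonSubjectId` would document how the handler treats that input.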