
4 April 2026 · 8 min read · Arviteni

SRA Cybersecurity Requirements: What Law Firms Need to Get Right

The Solicitors Regulation Authority expects law firms to protect client data and client money from cyber threats. Here's what the requirements actually mean in practice and where most firms fall short.

Cybersecurity
Compliance
Law Firms
Professional Services
Regulatory


The Solicitors Regulation Authority does not prescribe a specific cybersecurity standard for law firms. What it does is hold firms accountable for protecting client data and client money — and when a cyber attack causes a breach, the SRA investigates whether the firm took reasonable steps to prevent it.

In 2023, the SRA published its Technology and Cybersecurity Thematic Review based on visits to 40 law firms. The findings were stark: many firms had inadequate cybersecurity arrangements, poor staff training, and no incident response plans. Several firms had suffered significant breaches, including client money theft through email compromise.

For law firms, a cyber breach is not just a technical incident. It is a potential regulatory matter, a professional negligence claim, an insurance issue, and a client relationship crisis — all at once. Getting cybersecurity right is not optional. It is a regulatory and commercial imperative.

What the SRA expects

The SRA's expectations come from several sources:

SRA Principles

Principle 2 (acting in a way that upholds public trust and confidence) and Principle 7 (acting in the best interests of each client) both have cybersecurity implications. A firm that loses client data through negligent security practices undermines public trust in the profession.

SRA Code of Conduct for Firms

Paragraph 2.5 requires firms to have "effective governance structures, arrangements, systems and controls in place to ensure... compliance with legal and regulatory obligations." Cybersecurity is explicitly within scope.

SRA Accounts Rules

The Accounts Rules require firms to safeguard client money. Email compromise attacks that result in misdirected client funds are the single most common cyber incident affecting law firms. The SRA has taken enforcement action against firms where poor email security contributed to client money losses.

The Thematic Review findings

The SRA's 2023 review specifically highlighted:

  • Firms not conducting regular risk assessments of their technology systems
  • Staff unable to identify phishing emails despite handling client money daily
  • No multi-factor authentication on email accounts
  • No incident response plans
  • No cyber insurance (or inadequate cover)
  • Client data stored on unsecured personal devices
  • No oversight of third-party IT providers

The SRA stated: "We expect all firms to have a plan to deal with a cybersecurity incident. We would be very concerned if a firm told us they had not considered these issues."

The threat landscape for law firms

Email compromise (BEC)

Business Email Compromise is the number one cyber threat to law firms. The attack pattern is well-established: an attacker gains access to a solicitor's email account (usually through phishing or credential stuffing), monitors email threads for property transactions or other matters involving fund transfers, then sends a carefully timed email to the client with altered bank details.

The client, believing they are following their solicitor's instructions, transfers funds to the attacker's account. By the time the fraud is discovered, the money has been moved through multiple accounts and is unrecoverable.

The SRA's warning notices document cases where six-figure sums have been lost this way. In several cases, the SRA found that the firm had not enabled MFA on email accounts — a basic control that would have prevented the initial account compromise.

Ransomware

Law firms hold vast quantities of sensitive, time-critical data. Case files, contracts, court deadlines, client communications — all are needed immediately and continuously. Ransomware attackers know this. A law firm that loses access to its case management system faces missed court deadlines, regulatory breaches, and potential negligence claims.

The pressure to pay is immense, and some firms have paid. The NCSC strongly advises against payment — it funds further attacks and does not guarantee data recovery.

Insider threats

Law firms handle highly confidential information. Departing staff who take client data, disgruntled employees who access files they should not, and honest mistakes where sensitive documents are sent to the wrong recipient — all are insider threats that require technical controls, not just policies.

Supply chain attacks

Firms that use third-party practice management software, cloud storage, document management systems, or IT support providers are exposed to supply chain risk. A compromise of any vendor that holds or accesses your data is effectively your breach.

Where most firms fall short

In our work with professional services firms, the same gaps appear repeatedly:

No MFA on client-facing email

This is the single biggest risk factor. A solicitor's email account protected only by a password is an invitation for client money fraud. Every email account must have multi-factor authentication enabled. No exceptions.

Practice management systems on legacy platforms

Many law firms run practice management systems on older platforms — some on local servers running outdated versions of Windows Server or SQL Server. These systems contain the firm's most sensitive data (client records, financial data, case files) on infrastructure that may have known, unpatched vulnerabilities.

Staff training treated as annual compliance

A once-a-year cybersecurity awareness talk does not change behaviour. Phishing simulation exercises, real-time alerts when staff click suspicious links, and regular short-form training (monthly, not annually) are what actually reduce risk. Staff handling client money need heightened training on payment diversion fraud specifically.

No verified payment procedures

Firms should have a documented, non-email verification process for all payment instructions. When a client sends bank details by email, a member of staff should verify them by phone using a number obtained independently (not from the email). This simple procedural control prevents the majority of payment diversion fraud — but many firms do not have it documented or consistently followed.

Client data on personal devices

Partners and fee earners who access client files on personal phones, tablets, or home computers create uncontrolled copies of confidential data. Mobile device management (MDM) policies that control what data can be accessed, stored, and shared on personal devices are essential.

No incident response plan

The SRA's thematic review found that many firms had no plan for what to do when a cyber incident occurs. When an attack happens, the firm scrambles — losing critical hours that should be spent containing the breach, preserving evidence, and notifying affected clients.

Building a robust security posture

Cyber Essentials as baseline

Cyber Essentials certification covers the five basic controls (firewalls, secure configuration, access control, malware protection, patch management). For law firms, this is the minimum. Many PI insurers now require it, and the SRA views it favourably as evidence of reasonable precautions.

Cyber Essentials Plus (with independent verification) provides stronger assurance and is increasingly expected by commercial clients, particularly banks, insurers, and larger corporate clients who include cybersecurity in their panel firm due diligence.

Beyond the baseline

Law firms should also implement:

  • Email authentication (SPF, DKIM, DMARC) to prevent domain spoofing
  • Email encryption for sensitive client communications
  • Document management with access controls — not shared drives where every fee earner can access every client's files
  • Client portal for secure document sharing and communication (reducing email exposure)
  • Regular penetration testing — annual at minimum, more frequently for firms handling high-value matters
  • Cyber insurance with adequate limits and appropriate coverage for regulatory defence costs
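The first bullet above is the one most firms can check for themselves. The following is an added example, not code from this post or from Arviteni: it assesses SPF and DMARC TXT records for the weaknesses that leave a firm's domain spoofable. The records are constructed samples (assumed, not any real domain's); in practice you would fetch the TXT records for the domain and for `_dmarc.<domain>` first.

```python
import re

# Constructed sample records (assumed, not real domains' DNS): one weak and
# one enforcing record of each type.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 mx include:_spf.example.net -all"

# Mechanisms and modifiers that each cost a DNS lookup (SPF caps these at 10).
LOOKUP_TERMS = re.compile(r"(?:^|\s)(?:include:|redirect=|exists:|a\b|mx\b|ptr\b)")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings that make a DMARC record weak; an empty list means enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected by receivers")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: only part of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua address: spoofing attempts produce no reports")
    return findings


def assess_spf(record: str) -> list:
    """Return findings for an SPF record: hard fail on 'all' and bounded lookups."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    findings = []
    if not re.search(r"\s-all\s*$", record):
        findings.append("does not end in -all: unauthorised senders only soft-fail or pass")
    lookups = len(LOOKUP_TERMS.findall(record))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; SPF evaluates to permerror")
    return findings
```

A `p=none` DMARC policy only reports spoofing; it does not stop it, which is why the weak sample still yields a finding despite having a reporting address.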

Verified payment protocols

Every firm must have a documented procedure for verifying payment instructions that does not rely on email:

  1. All payment instructions received by email are verified by telephone
  2. The telephone number used for verification is obtained independently (from the client file, not from the email)
  3. A second person authorises any payment above a threshold amount
  4. All verifications are recorded in the case file

This is not technology — it is process. But technology supports it: practice management systems can flag payments for verification, workflow tools can enforce the second-person authorisation, and audit trails can evidence that the process was followed.
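The four-step procedure above, expressed as the kind of workflow check a practice management or workflow tool could enforce. This is an added illustration, not Arviteni's or any product's code: the threshold, the staff names and the sample instruction are assumptions, and the audit list stands in for the case-file record.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed firm policy: payments above this amount (GBP) need a second authoriser.
SECOND_PERSON_THRESHOLD = 10_000


@dataclass
class PaymentInstruction:
    matter: str
    amount: int
    bank_details: str
    details_source: str            # "email" or "client_file"
    verified_by: str = ""          # staff member who made the call-back
    authorised_by: str = ""        # second person, for amounts above threshold
    audit: list = field(default_factory=list)

    def log(self, event: str) -> None:
        """Append a timestamped entry; this list is what goes on the case file."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(f"{stamp} {self.matter}: {event}")


def verify_by_phone(instr: PaymentInstruction, client_file_phone: str,
                    number_called: str, staff: str) -> None:
    """Record the call-back, refusing any number that is not the one on the client file."""
    if number_called != client_file_phone:
        instr.log(f"REJECTED call-back by {staff} to {number_called} (not the number on file)")
        raise ValueError("verification number must come from the client file, not the email")
    instr.verified_by = staff
    instr.log(f"bank details verified by {staff} by telephone on {number_called}")


def authorise(instr: PaymentInstruction, staff: str) -> None:
    """Second-person authorisation; the verifier may not authorise their own verification."""
    if staff == instr.verified_by:
        instr.log(f"REJECTED self-authorisation attempt by {staff}")
        raise ValueError("second person must differ from the verifier")
    instr.authorised_by = staff
    instr.log(f"payment of {instr.amount} authorised by {staff}")


def release_blockers(instr: PaymentInstruction) -> list:
    """Reasons the payment may not be released; an empty list means it may proceed."""
    blockers = []
    if instr.details_source == "email" and not instr.verified_by:
        blockers.append("bank details received by email have not been verified by telephone")
    if instr.amount > SECOND_PERSON_THRESHOLD and not instr.authorised_by:
        blockers.append("second-person authorisation required above threshold")
    instr.log("release check: " + ("clear" if not blockers else "; ".join(blockers)))
    return blockers
```

The point of the call-back check is that the number dialled is compared against the client file, so a number supplied in the attacker's email can never satisfy the verification step.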

What to look for in an IT partner

Professional services firms need IT partners who understand:

  • Regulatory context — the SRA's expectations, the Accounts Rules implications, and the professional negligence exposure
  • Confidentiality obligations — the duty of confidentiality to clients is absolute, and IT systems must enforce it
  • Commercial client expectations — larger clients audit their law firms' cybersecurity as part of panel reviews
  • Insurance requirements — PI insurers have specific cybersecurity expectations that affect coverage
  • Practice management integration — IT security cannot be bolted on after the fact; it must work with the firm's core systems

A generic IT provider who treats a law firm the same as a retailer will miss critical sector-specific risks. Your IT partner should understand why "someone accessed the wrong client's file" is a regulatory incident, not just an access control issue.

Get in touch if you want to discuss your firm's cybersecurity position. We work with professional services firms on IT security, compliance, and system integration — and we understand the regulatory landscape you operate in.