Cyber 365 for Law Firms: Security Beyond Cyber Essentials

Law firms sit on data that attackers find exceptionally valuable. Client communications, financial records, case strategies, settlement negotiations, merger details, litigation positions. A breach at a law firm doesn't just expose personal data. It can compromise active legal proceedings, violate legal professional privilege, and destroy client relationships that took years to build.
The SRA knows this, which is why Rules 2.1 and 2.5 expect firms to demonstrate adequate cybersecurity arrangements. Principles 2 and 7 require acting with integrity and in the best interests of clients, which includes protecting their information. The 2020 Thematic Review specifically flagged firms treating basic compliance certifications as their entire security strategy.
CE gives law firms a solid technical baseline. But the SRA expects more than that, and honestly, the nature of legal data demands more.
Where CE covers and where it doesn't
CE protects against commodity internet-borne attacks, and for a law firm that means: patching stops known exploits from targeting your case management system. MFA prevents a stolen password from giving access to client files. Firewalls block unauthorised inbound connections to your network. These controls matter and they work against the threats they were designed for.
But law firms face challenges CE wasn't designed for.
Client data sensitivity. A breach exposing client-matter data is fundamentally different from one that exposes standard business records. The consequences are disproportionate. Detection capability (knowing when something is wrong) matters more here than in most sectors, because by the time you find out through normal channels it is often too late.
Legal professional privilege. If privileged communications get exposed through a cyber incident, the privilege may be considered waived. The consequences cascade into client matters, opposing parties, and regulatory proceedings. Prevention is important, yes. But detection and response are what determine whether a breach stays contained or turns into a privilege crisis.
SRA reporting obligations. Firms must report matters affecting client data to the SRA promptly. They must also report to the ICO within 72 hours if personal data is involved. CE doesn't include incident response planning or regulatory reporting procedures. So you pass your assessment, and then what?
Supply chain risk. Firms use multiple software platforms: case management, document management, accounting, client portals. A breach at any provider affects the firm. CE covers your configuration of those services. It doesn't assess whether the provider's security is adequate.
How Cyber 365 maps to law firm requirements
Govern: SRA compliance and risk management
CE doesn't ask who owns security at your firm. It doesn't test whether you have a risk management process or whether you understand your regulatory obligations.
Cyber 365 Govern includes the following components:
- Risk assessment aligned to your firm's specific data handling and client obligations
- Security policy development that maps to SRA Standards and Regulations
- Regulatory mapping: SRA Rules 2.1/2.5, Principles 2/7, ICO requirements, and any client-imposed security obligations
- Quarterly risk summary for the managing partner or compliance officer
For a law firm, governance is not administrative overhead. It is what the SRA expects and what the 2020 Thematic Review checked for.
Identify: Know what you're protecting
CE requires a device and software inventory at assessment time. For a law firm, asset identification gets more nuanced than that.
Cyber 365 Identify covers these areas:
- Vulnerability scanning on a regular cycle to catch new threats before they're exploited
- Asset inventory including cloud services, client portals, and third-party platforms
- Data classification: which matters hold the most sensitive information, and where is that data stored?
- Attack surface mapping: what's visible from the internet, and what would an attacker find first?
When I pen test law firms, the entry points are rarely the main case management system. They're the forgotten things: an old client portal, a partner's personal cloud storage synced with firm data, a VPN appliance running firmware from two years ago. But that's a separate problem that falls under penetration testing rather than the Cyber 365 framework.
Protect: CE remains the foundation
CE's five controls stay in place and continue to form the foundation: patching, firewalls, MFA, antivirus, and secure configuration. That's your baseline and it doesn't go away.
Cyber 365 adds three layers on top:
- Automated patching (OS and third-party applications) to maintain the 14-day window consistently
- Endpoint hardening beyond CE minimums
- MFA enforcement monitoring (alerts when someone disables MFA on a cloud service)
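As an added illustration of the MFA enforcement monitoring bullet above (example code written for this page, not part of Cyber 365 or any vendor's tooling): a small detector that reads cloud audit events and raises an alert when MFA is weakened on an account. The JSON field names and activity names are an assumption modelled loosely on identity-provider audit logs, and the sample events are constructed.

```python
import json
from datetime import datetime

# Constructed sample audit events (field names and activity labels are an
# assumption modelled loosely on identity-provider audit logs, not a vendor schema).
SAMPLE_AUDIT_LOG = """
{"time":"2024-05-01T08:02:11Z","activity":"Disable Strong Authentication","actor":"itadmin@example-firm.test","target":"partner1@example-firm.test","result":"success"}
{"time":"2024-05-01T08:05:40Z","activity":"User registered security info","actor":"assoc2@example-firm.test","target":"assoc2@example-firm.test","result":"success"}
{"time":"2024-05-01T22:47:03Z","activity":"User deleted security info","actor":"assoc3@example-firm.test","target":"assoc3@example-firm.test","result":"success"}
{"time":"2024-05-02T09:14:27Z","activity":"Disable Strong Authentication","actor":"itadmin@example-firm.test","target":"temp7@example-firm.test","result":"failure"}
"""

# Activities that weaken MFA on an account, with a baseline severity.
MFA_WEAKENING_ACTIVITIES = {
    "Disable Strong Authentication": "high",
    "Admin deleted security info": "medium",
    "User deleted security info": "medium",
}


def parse_events(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def mfa_alerts(events, office_hours=(8, 18)):
    """Return one alert per successful MFA-weakening event.

    Self-service removals outside office hours are escalated to high, because
    an attacker holding a stolen session is the likely actor at that time.
    """
    alerts = []
    for ev in events:
        severity = MFA_WEAKENING_ACTIVITIES.get(ev.get("activity"))
        if severity is None or ev.get("result") != "success":
            continue  # failed attempts are logged but MFA stayed in place
        ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        outside_hours = not (office_hours[0] <= ts.hour < office_hours[1])
        if outside_hours and severity == "medium":
            severity = "high"
        alerts.append({
            "severity": severity,
            "target": ev["target"],
            "actor": ev["actor"],
            "activity": ev["activity"],
            "time": ev["time"],
            "out_of_hours": outside_hours,
        })
    return alerts


if __name__ == "__main__":
    for alert in mfa_alerts(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"[{alert['severity'].upper()}] MFA weakened on {alert['target']} "
              f"by {alert['actor']} ({alert['activity']}) at {alert['time']}")
```

In practice the alerts would be routed to whoever owns security under the Govern function, and the registration event shows that routine MFA enrolment is deliberately not flagged.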
Detect: Know when something is wrong
CE requires antivirus, but antivirus only catches known malware. If a threat doesn't match a known signature, antivirus won't flag it.
Cyber 365 Detect addresses this gap directly:
- EDR monitoring (behaviour-based, catches what antivirus misses)
- Vulnerability scanning on a regular cycle
- NCSC Early Warning Service integration
For law firms, detection is where the practical gap is largest. A breach detected in hours can be contained before client data leaves the network. A breach detected in weeks means client communications may have been accessed, copied, and potentially handed to someone you really don't want reading them.
Respond: Incident response with regulatory templates
CE doesn't test whether you can respond to an incident. For a law firm, the response requirements are specific and they're not optional.
Cyber 365 Respond covers the full response lifecycle:
- Incident response plan tailored to law firm operations (client notification, privilege considerations, matter triage)
- Pre-populated regulatory reporting templates: ICO 72-hour notification and SRA incident report
- Annual tabletop exercise: a simulated scenario walked through with the firm's decision-makers
- Penetration testing to identify whether an attacker could reach client data
The tabletop exercise is consistently the most valuable element for law firms. It surfaces questions nobody has thought about: who decides whether to notify a client? What happens to active matters if the case management system goes down? Who speaks to the press if journalists start calling? Most firms don't have answers until they're forced to sit in a room and work through it.
Recover: Business continuity for client matters
CE doesn't test recovery capability at all, and for a law firm with active client matters, court deadlines, and filing requirements, recovery speed determines whether an incident is a disruption or a malpractice risk.
Cyber 365 Recover fills that gap with these capabilities:
- Backup verification (confirming backups work and are isolated from the main network)
- Recovery procedure testing (how long does a restore take? What's the order of priority?)
- Business continuity plan review specific to legal operations (which matters are time-critical? Which systems need to come back first?)
The SRA connection
The SRA doesn't prescribe specific security tools or certifications. It expects firms to manage risk to client data proportionately. The 2020 Thematic Review assessed how firms approached cyber security and found that firms treating CE as the whole programme were not meeting the spirit of regulatory expectations.
Cyber 365 gives law firms a structured way to demonstrate compliance across all six NIST functions, not just the one that CE covers.
If you want to understand what CE covers for law firms specifically, read the CE guide for law firms. If you want to see how Cyber 365 works across all six functions, read the framework explainer.
If your starting point is checking where your firm's controls stand, the readiness quiz covers CE's five controls in five minutes with no commitment required.