Cyber Essentials for Law Firms: SRA Obligations and Client Data

Your professional obligations as a solicitor include protecting client data. That obligation is not optional and it's not new. What's changed is how that obligation translates into practical requirements, and how many law firms are failing to meet them.
43% of UK businesses identified cyber breaches or attacks in 2025 (Cyber Security Breaches Survey), and 85% of those involved phishing. Law firms sit in a particularly exposed position because the data you hold (litigation strategy, financial settlements, medical records, personal correspondence) carries legal professional privilege. A breach at a law firm isn't just a data protection issue; it's a professional conduct issue that can end careers.
Cyber Essentials covers the five technical controls that stop the most common attacks. For law firms, those controls map directly onto what your regulator already expects you to be doing.
What does the SRA actually require?
The Solicitors Regulation Authority (SRA) doesn't name Cyber Essentials in its rules. What it does require, under Rule 2.1 of the Code of Conduct for Firms, is that you have "effective governance structures, arrangements, systems and controls." Rule 2.5 requires you to "identify, monitor and manage all material risks to your business." Cybersecurity falls squarely under both.
The SRA published a Cyber Security Thematic Review in 2020. It found 75% of sampled firms had been targeted by cybercriminals over a three-year period, with more than GBP 4 million in client money stolen across reported incidents. The review recommends Cyber Essentials as a useful benchmark, though it doesn't mandate it. The duty of confidentiality under SRA Principles 2 and 7 is absolute. If your systems get breached because you hadn't applied a two-week-old security patch or because you were still using default passwords on your router, that's a failure to protect client data. The SRA doesn't need to mention Cyber Essentials by name for the five controls to be directly relevant to your obligations.
In practice, Cyber Essentials is the most efficient way to prove you've got the basics covered. It's a recognised government-backed certification and it gives you documented evidence that your systems meet a defined standard.
Why are law firms specifically at risk?
Three things put legal practices in a harder position than most businesses.
The data carries privilege. Legal professional privilege means your client communications are protected from disclosure, even to courts and regulators. That protection makes the data valuable to attackers and makes the consequences of a breach more severe than in most sectors. If privileged material gets exposed through a cyber incident, the damage to your client's position (and your firm's reputation) can be permanent.
The working patterns are difficult to secure. Partners reading case files on personal tablets at home. Associates forwarding documents to personal email accounts to review over the weekend. Fee earners using personal phones for client calls and messages. These working patterns are normal in legal practice. They're also exactly the kind of arrangements that create security gaps.
Under the Danzell update to Cyber Essentials (effective 27 April 2026), any device that accesses organisational data is in scope. That personal iPad a partner uses to read emails on the train is now part of your assessment boundary.
Managed IT providers may not be maintaining controls. Many small and mid-sized law firms outsource their IT to a managed service provider (MSP). The firm assumes the MSP is keeping everything patched, configured properly, and up to date. But when assessment time comes, we often find gaps. The MSP hasn't applied patches within 14 days. MFA hasn't been turned on across all cloud accounts. Firewall rules haven't been reviewed.
Many legal firms are moving towards fully managed service arrangements specifically to maintain compliance. But outsourcing IT doesn't outsource your regulatory responsibility. If your MSP hasn't done the work, your firm still fails the assessment.
What do the five controls look like in a law firm?
Each Cyber Essentials control has specific implications for how legal practices operate.
Firewalls. Your router's firewall is the boundary between your internal network and the internet. If you run your own office network, this is usually your internet service provider's router or a dedicated firewall appliance. The default admin password needs changing and the configuration needs documenting. For firms where fee earners work from home, each home broadband router is potentially in scope too.
Secure configuration. Default passwords changed, unnecessary software removed, auto-run disabled, guest accounts turned off. This is where things get messy for law firms because case management software, document management systems, and practice management platforms all have their own user configurations. Each one needs to be locked down properly, not just left on whatever the installer set up.
User access control. Every person gets their own account. No shared logins, even between partners. Admin accounts are only used for administrative tasks, not for day-to-day case work. If a trainee logs in with a partner's credentials because "we only have one licence for that system," that's a fail.
Under Danzell, multi-factor authentication (MFA) is mandatory on all cloud services that support it. That includes your practice management software, your email platform, your document sharing tools and your accounting system. If a cloud service offers MFA and you haven't turned it on, you fail. Passwords without MFA need to be at least 12 characters. With MFA enabled, the minimum is eight.
Malware protection. Active malware protection on every device in scope. Windows devices running Microsoft Defender meet the requirement if it's enabled and up to date. macOS built-in protections count if they're properly configured. But you need to confirm these are actually running on every machine, not just assume they are.
Patch management. Operating system and application updates must be applied within 14 days of release for anything rated high or critical (CVSS 7.0 or above). That's 14 calendar days, not business days. This is the control that catches the most firms, because legal software vendors don't always push updates automatically and IT teams don't always prioritise patching on a two-week cycle.
Where do law firms actually fail?
I've assessed enough legal practices to see the same patterns. The failures tend to cluster in three areas.
MFA not enabled across all cloud services. The firm uses Microsoft 365 with MFA on the main email accounts but hasn't enabled it on SharePoint, Teams, or their cloud-based case management system. Under Danzell, every cloud service that supports MFA must have it turned on. Missing even one is a failure.
BYOD devices not in scope. Partners and senior associates using personal phones and tablets to access work email, review documents, or join calls. These devices need to meet the same standard as firm-owned equipment. That means current operating system, automatic updates enabled, screen lock configured, and MFA on any cloud services accessed from the device.
Patching behind schedule. The 14-day patching requirement is strict. We regularly see law firms where the IT provider hasn't applied patches for weeks or months. Sometimes it's because the provider is cautious about breaking a bespoke case management integration. Sometimes it's because nobody's actually checking. Either way, it fails the assessment.
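To make the five controls and the three failure patterns above concrete, here is an added example (not code from the article, the assessor or the Cyber Essentials scheme) that checks a constructed firm inventory against the rules the article states: MFA on wherever a cloud service supports it, 12-character passwords without MFA or 8 with it, malware protection active on every in-scope device including BYOD, and high/critical patches (CVSS 7.0 or above) applied within 14 calendar days of release. Device names, service names, dates and the CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CVSS_HIGH = 7.0          # high/critical threshold the article cites
PATCH_WINDOW_DAYS = 14   # calendar days, not business days

@dataclass
class Patch:
    cve: str                        # constructed placeholder ids, not real advisories
    cvss: float
    released: date
    applied: Optional[date] = None  # None means still missing on this device

def check_device(name, malware_protection_on, patches, today):
    """One finding per failed control; a partner's own tablet gets the same rules."""
    findings = []
    if not malware_protection_on:
        findings.append(f"{name}: malware protection not active")
    for p in patches:
        if p.cvss < CVSS_HIGH:
            continue                # the 14-day rule applies at CVSS 7.0 and above
        late = ((p.applied or today) - p.released).days - PATCH_WINDOW_DAYS
        if late > 0:
            state = "applied" if p.applied else "still missing"
            findings.append(f"{name}: {p.cve} {state}, {late} day(s) over the window")
    return findings

def check_cloud_service(name, supports_mfa, mfa_enabled, min_password_len):
    findings = []
    if supports_mfa and not mfa_enabled:
        findings.append(f"{name}: MFA supported but not enabled")
    needed = 8 if mfa_enabled else 12   # CE minimum password length with / without MFA
    if min_password_len < needed:
        findings.append(f"{name}: password minimum {min_password_len} < {needed}")
    return findings

def assess_sample_firm(today=date(2026, 5, 15)):
    """Constructed inventory for a small firm (not real data); returns every finding."""
    findings = []
    findings += check_device("partner-ipad (BYOD)", True,
        [Patch("CVE-PLACEHOLDER-1", 8.1, date(2026, 4, 20))], today)          # 25 days old, unpatched
    findings += check_device("reception-pc", False,
        [Patch("CVE-PLACEHOLDER-2", 5.3, date(2026, 4, 1))], today)           # medium: 14-day rule n/a
    findings += check_cloud_service("Microsoft 365 mail", True, True, 8)       # compliant
    findings += check_cloud_service("cloud case management", True, False, 12)  # MFA switched off
    return findings
```

Calling `assess_sample_firm()` on this constructed inventory returns three findings: the unpatched high-severity vulnerability on the partner's BYOD tablet, the reception PC with no active malware protection, and the cloud case management system with MFA switched off.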
Independent vulnerability scanning removes the "take your IT provider's word for it" problem. The scan results show what's actually patched and what isn't, regardless of what the provider claims. If the provider says patches are applied within 14 days and the scan data says otherwise, the firm finds out from a dashboard rather than from a failed assessment. See the full guide on why auto-updates and basic monitoring leave gaps.
Conveyancing and the Friday afternoon problem
If your firm does any residential conveyancing, the email interception risk is specific and severe. Criminals specifically target the completion day itself. They compromise either the firm's email account or the buyer's email account, then send a last-minute message changing the bank details for the completion funds. The buyer, under time pressure and expecting to exchange, wires tens of thousands of pounds to the wrong account.
This attack works because it targets a moment when speed matters more than caution. Completion day is stressful because everyone is rushing. A phone call to verify the bank details would prevent it, but the process often does not require one.
Cyber Essentials does not directly address this attack. MFA on email accounts helps, because it makes it harder for an attacker to compromise the email in the first place. Strong passwords and patch management reduce the likelihood of the initial compromise. But the real mitigation is procedural: always verify bank details by phone using a known number, never using the number provided in the email. That procedural control sits outside CE, but CE reduces the technical conditions that make the attack possible.
I have assessed conveyancing practices where the partners understood this risk viscerally because they had seen it happen to another firm in their network. Those assessments go smoothly because the motivation to comply is personal, not abstract.
The cyber insurance benefit
Eligible organisations that achieve Cyber Essentials certification receive up to GBP 25,000 in free cyber liability insurance. For a small law firm, that is a meaningful amount of cover at no additional cost beyond the certification fee.
The insurance covers the costs of a cyber incident: forensic investigation, data recovery, legal costs, and business interruption. It is not a substitute for a thorough cyber insurance policy if your firm handles high-value transactions or sensitive data, but it provides a baseline level of cover that many small firms do not otherwise have.
Some law firms already carry professional indemnity insurance that includes cyber cover. Check whether your existing PI policy covers cyber incidents and to what extent before deciding whether additional cover is needed. The free insurance from CE certification may fill a gap in your existing cover or it may duplicate something you already have.
Does Cyber Essentials help with government legal work?
Yes, and it is increasingly a prerequisite. Under Procurement Policy Note 09/14 (PPN 09/14), government contracts that involve handling personal data or providing ICT services require Cyber Essentials certification.
If your firm does any work for central government departments, local authorities, NHS trusts, or other public bodies, the contracting authority may require CE as a condition of the engagement. This applies to legal aid contracts, outsourced legal services, and advisory roles where your firm handles personal information.
Without the certificate, you cannot tender for those contracts. The procurement team will not evaluate your bid.
Beyond government work, corporate clients are increasingly asking about CE as part of their supplier due diligence. A FTSE 250 company appointing external counsel may ask whether your firm holds CE certification as part of their vendor risk assessment. Insurance companies, financial institutions, and technology companies are particularly likely to ask. Having the certificate on file means you can respond to these requests immediately rather than panicking when a client insists on it in the engagement terms.
The trend is moving in one direction. Two years ago, very few corporate clients asked about CE. Now I see it in supplier questionnaires regularly. Firms that get certified ahead of the demand are positioned better than those who wait until a specific client forces the issue.
How do you get started?
The process is more straightforward than most firms expect.
- Work out your scope. List every device that accesses your firm's data or services: desktops, laptops, phones, tablets, servers, routers, firewalls. Include partners' personal devices if they access work email or documents. Include your cloud services: email, case management, document management, accounting, communication tools.
- Check MFA. Go through every cloud service your firm uses and confirm MFA is turned on for all user accounts. If it's available and not enabled, enable it now. This single step fixes the most common failure point.
- Review patching. Ask your IT team or MSP when the last round of patches was applied and what their schedule looks like. If they can't tell you, that's a problem. If the answer is longer than 14 days ago for anything critical, that's a problem too.
- Talk to your MSP. If you use an external IT provider, ask them specifically about Cyber Essentials controls. Can they show you documented evidence of firewall configuration, patching schedules, and MFA deployment? If they can't, you need that conversation before your assessment.
- Get assessed. Cyber Essentials Basic starts from £320 + VAT. It's a self-assessment questionnaire verified by a certification body. Cyber Essentials Plus adds a hands-on technical audit. Both result in a certificate valid for 12 months.
You're already bound by professional obligations to protect client data. Cyber Essentials gives you a structured way to prove you're doing it.
Not sure where your firm stands right now? Take our readiness quiz or get in touch.