Cyber Essentials Plus for UK Law Firms: SRA Obligations, Client Confidentiality, and Panel Requirements
Cyber Essentials Plus for UK Law Firms: SRA Obligations, Client Confidentiality, and Panel Requirements
Three things bring a UK law firm to Cyber Essentials Plus. Usually it is the panel-firm cyber questionnaire from a corporate client that names the certificate by file. Sometimes it is the PI renewal questionnaire arriving with a tighter cyber section than last year. Often, sitting underneath both, it is the SRA's accountability framework, which has been quietly tightening the screws on senior managers for years now.
What follows is what each of those drivers actually wants, what most firms find when they open the bonnet on their own controls, and how a firm running a small in-house IT function or an outsourced MSP closes the gap.
What the SRA actually expects
The SRA Standards and Regulations do not name Cyber Essentials. They name the obligations that Cyber Essentials closes.
Rule 2.5 of the SRA Code of Conduct for Firms requires effective systems and controls for the supervision of the firm's services and the protection of client matters. Rule 6.3 requires firms to keep the affairs of current and former clients confidential, except where disclosure is required or permitted. Both are framed as principles the firm's managers are accountable for. No scheme is prescribed.
That is the bit law-firm IT conversations tend to misread. The regulator's silence on schemes is not permission to choose any approach. It is the firm's managers carrying the outcome. If client information ends up on the wrong side of the firewall because nobody patched the practice-management application for fourteen months, the conversation with the SRA is about the managers, not the MSP.
Cyber Essentials Plus is the cleanest way I have seen a law firm build that evidence. The scheme produces an external, dated, assessor-signed certificate that says the five technical controls were in place on assessment day. That is what the accountability framework expects to be able to point at.
The five controls translate into the practical work of confidentiality without much friction. Firewalls keep traffic that should not reach the firm's network from reaching it. Secure configuration removes default credentials and exposed services from the firm's devices. User access control restricts client-matter folders to the people working on the matter. Malware protection runs on every device that touches client data. The 14-day patching window for high-severity vulnerabilities keeps the operating system and application layer current against known exploits.
A firm holding those controls is meeting the practical work of Rule 2.5 and Rule 6.3. A firm without them is exposed on the day a problem surfaces, and the conversation with the SRA goes a different way.
What panel-firm questionnaires want
Corporate clients now run cyber panel reviews on their external legal advisers. The questionnaire is the deliverable. The questions on it have converged onto a small named set across the legal-sector engagements we have run.
Top of the page is the certificate. The questionnaire wants the certificate number, the issuing certification body, and the expiry date. A current CE Plus answers this in one line.
Then comes multi-factor authentication. Is it on for every account with access to client data, including the partner accounts. Senior accounts are where MFA most often gets rolled back because an integration broke, so most questionnaires want the coverage broken out by user category. CE Plus assessment day samples the identity layer to confirm what is actually enrolled, not what the policy says is enrolled.
Patching cadence comes next. The Cyber Essentials scheme requires patches inside 14 days of vendor release for anything at CVSS 7.0 or higher. The questionnaire wants to know whether the firm holds to that. The CE Plus assessment day samples a set of devices and confirms the cadence held in practice.
The remaining items move from the technical layer to the operational one. The questionnaire asks for a named incident-response contact and a documented process. It asks how the firm assures itself that its own IT vendors and SaaS tools have been assessed. CE Plus does not directly assess incident response, but the operational discipline it requires usually sits next to a documented response process. CE Plus scope does include the firm's third-party tools, which means the supplier question is partially answered by the certificate too.
What the answers look like varies sharply by which certificate the firm holds. With a current CE Plus, the cyber section closes on the certificate alone. With CE Basic, parts of it close. With neither, the firm gets a long-form security audit from the corporate client's cyber team, on a deadline that almost always came from procurement rather than from IT.
The PI insurance angle
PI insurance renewals now include a cyber security section. The questions overlap heavily with the panel-firm questionnaire because the insurer is pricing the same risk: the likelihood of a client-data exposure and the firm's likely response when it happens.
Most PI insurers in the legal sector now ask whether the firm holds a Cyber Essentials or Cyber Essentials Plus certificate. Many give favourable consideration to firms holding Plus. The specific premium adjustment varies by insurer and by firm. The broker is the right person to confirm what a CE Plus certificate would mean for a specific renewal.
The honest framing is that CE Plus produces a documented, externally-verified statement of cyber controls that the insurer can evaluate against a known scheme. Insurers like known schemes because they reduce the underwriting friction. The premium effect, if any, sits downstream of that.
The MSP gap
This is where most law-firm CE Plus engagements get stuck.
Most law firms run on a small in-house IT function, an outsourced MSP, or a combination of the two. The MSP typically covers desktop support, the practice-management software vendor relationship, the case-management database, the document repository, OS patching via remote monitoring and management, and Microsoft 365 administration. The scope is broad on the layers the firm's daily operation depends on.
CE Plus checks layers the MSP scope often does not include by default.
Application-layer patching on every piece of software the fee-earners use, including the practice-management application itself if it has a patch cadence the MSP does not own. Browser plug-ins and extensions, including the ones partners installed individually for travel-expense scanning or email-tracking. Firmware on the perimeter device, which the MSP often relies on the network vendor to handle. Third-party SaaS tools partners adopted without going through central procurement. Identity-layer hygiene, including MFA coverage on senior accounts that may have been excluded because an integration broke.
The first scan in a CE Plus engagement reveals the gap between what the MSP manages and what the assessor will sample.
A pattern that turns up regularly: the practice-management software is one major version behind because the upgrade requires retraining the fee-earners and nobody scheduled the time. The MSP applied OS patches and treated the firm as patched. The application-layer gap sat outside the MSP's scope, invisible to the partners until the assessor's report landed.
The fix is operational, not confrontational. The MSP retains the desktop and Microsoft 365 work. The CE Plus assessor and the firm agree the application-layer remediation owner for each finding. The firm's senior partner makes the operational call on the practice-management upgrade scheduling. The certificate issues once the gap closes.
How CE Plus and Cyber 365 fit together
A CE Plus certificate is valid for 12 months. The accountability framework the SRA expects from the firm's senior managers runs continuously. Those two timeframes do not line up without something running in between.
That something is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next assessment day becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift. (as noted in the July 2023 perimeter review).
For a law firm operating under the SRA's accountability framework, the combination is the closer fit. The certificate proves the controls were in place on assessment day. The continuous discipline proves they have stayed in place since.
The Danzell assessment platform that came in April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform, the strict reading was that scanning at renewal could clear the patch-management control. Under Danzell, the scheme requires continuous discipline. The accountability principle the SRA already expected the firm's managers to operate under has now been written into the scheme rules the firm's certificate sits inside.
Where to start
Book a 30-minute scoping call. We need the device count for the firm, the current patching arrangement, whether multi-factor authentication is enabled across all accounts including partner accounts, and the panel-firm or PI deadline if you have one. We come back with a written quote covering the CE Plus engagement and, if the firm wants the year-round discipline added, the Cyber 365 programme alongside it.
For firms that already hold a current CE Plus certificate, Cyber 365 sits alongside whatever certification arrangement is in place. For firms starting from neither, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with the year-round discipline into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified firm and IASME. NetSec does not bundle, broker, or upsell it.
The SRA's accountability framework places the responsibility on the firm's senior managers for the firm's systems and the protection of client information. Cyber Essentials Plus produces the dated, externally-verified evidence those managers need. Cyber 365 produces the continuous discipline the framework expects between assessment days.
Get cybersecurity insights delivered
Join our newsletter for practical security guidance, Cyber Essentials updates, and threat alerts. No spam, just actionable advice for UK businesses.
Related Guides
Cyber Essentials Plus for NHS Suppliers: DSPT Alignment, Procurement Frameworks, and Patient-Data Confidentiality
NHS suppliers come to Cyber Essentials Plus through three doors: the Data Security and Protection Toolkit, the procurement frameworks NHS England and NHS Trusts run for IT and clinical-systems suppliers, and the patient-data confidentiality obligations under common law and the Caldicott principles. What CE Plus covers, what NHS procurement wants, and how a supplier with a tight contract deadline clears the assessment.
Cyber Essentials Plus for UK Accountancy Firms: ICAEW Standards, HMRC Data, and Client Mandate Cyber Reviews
UK accountancy firms hold HMRC-grade client data on every desktop. ICAEW and ICAS expect effective controls, corporate clients run cyber reviews on their auditors and tax advisers, and PI renewals ask increasingly specific cyber questions. What CE Plus covers, what reviewers want, and how a small partner-led firm with an outsourced MSP clears the assessment.
Cyber Essentials Plus for UK Charities: Trustee Accountability, Funder Requirements, and the Practical Path on a Tight Budget
UK charities face Cyber Essentials Plus from three directions: the Charity Commission's expectation that trustees protect charity assets, funders and grant-makers asking about cyber controls in funding applications, and donor-data confidentiality under UK GDPR. What CE Plus covers, what funders want, and how a charity with a small IT budget actually clears the assessment.
Cyber Essentials Plus for UK Construction: Main-Contractor Flow-Down, BIM Data Protection, and Project-Cyber Requirements
UK construction firms now meet Cyber Essentials Plus through main-contractor supply-chain flow-down, BIM and design data confidentiality on major projects, and the project-by-project cyber requirements that public-sector and large private clients now write into project documentation. What CE Plus covers, what main contractors want, and how a subcontractor or specialist firm clears the assessment.
Cyber Essentials Plus for UK Financial Services: FCA Operational Resilience, Third-Party Risk, and Client Mandate Requirements
FCA-regulated firms now meet Cyber Essentials Plus through three doors at once: operational resilience evidence for the regulator, cyber questionnaires from institutional clients, and increasingly specific PI and crime renewals. What the FCA expects, what the questionnaires want, and how a small in-house IT function clears the assessment.
Cyber Essentials Plus for UK Government Contractors: Central Government Framework, MoD Supply Chain, and OFFICIAL Data Handling
UK suppliers bidding for central government, local government, or MoD contracts now meet Cyber Essentials Plus as a baseline procurement requirement. CCS frameworks, PPN guidance, and Defence Cyber Protection Partnership all name the scheme. What CE Plus covers, what government procurement wants, and how a supplier with a tight bid deadline clears the assessment.
Cyber Essentials Plus for UK Manufacturers: Defence Supply Chain, Tier-1 Customer Audits, and OT/IT Convergence
UK manufacturers come to Cyber Essentials Plus through three doors: defence prime contractors flowing down DEFSTAN and JOSCAR cyber requirements, automotive and aerospace tier-1 customers running supplier cyber audits, and the operational-technology side of the business converging with the IT estate. What CE Plus covers, what tier-1 audits want, and how a manufacturing firm with mixed OT/IT scope clears the assessment.
Cyber Essentials Plus for UK Managed Service Providers: Why MSPs Hold the Certificate Their Customers Are About to Ask For
UK Managed Service Providers sit at the cyber supply-chain boundary for every customer they manage. Customers are now asking the MSP to evidence its own cyber posture before trusting the MSP with theirs. Cyber Essentials Plus is the artefact those customers want. What CE Plus covers for an MSP estate, what customer questionnaires want, and how an MSP whose own house is in disorder gets in shape.
Cyber Essentials Plus for UK Retailers and Hospitality: PCI DSS Adjacency, EPOS Estate, and Brand-Protection Insurance
UK retailers and hospitality operators run a payment-card environment, an EPOS estate across multiple sites, customer-loyalty databases, and supplier-portal integrations. Cyber Essentials Plus closes the cyber-controls section of the PCI DSS conversation, satisfies brand-protection insurance renewals, and answers the procurement questionnaires from B2B clients and suppliers.
Cyber Essentials Plus for UK Schools and MATs: DfE Digital Standards, Safeguarding Data, and the Governor Accountability Layer
UK schools and multi-academy trusts now meet Cyber Essentials Plus through the DfE Digital and Technology Standards, KCSIE safeguarding obligations, and the governor or trustee duty for school resources. What CE Plus covers across MIS, learning platforms, and safeguarding tools, and how a school with a small ICT budget actually clears the assessment.
Ready to get certified?
Book your Cyber Essentials certification or check your readiness with a free quiz.