Cybersecurity for UK Legal Firms: SRA Requirements and Managed Security

UK law firms are prime targets for cybercriminals due to the sensitive financial and personal data they handle. The SRA expects firms to have appropriate cybersecurity controls in place. This guide covers the specific risks facing legal practices, SRA obligations and the managed security approach suited to firms from sole practitioners to multi-partner practices.

Nathan Hill-Haimes

Technical Director

9 min read·Mar 2026

Why Cybercriminals Target Law Firms

Law firms are an attractive target for a specific combination of reasons. They hold client money in client accounts — making them a target for business email compromise (BEC) attacks aimed at diverting funds. They hold highly sensitive and often commercially valuable data — M&A information, intellectual property, litigation strategy. They are trusted intermediaries in transactions, creating opportunities for invoice fraud. And historically, many smaller firms have invested less in cybersecurity than the value of the data they protect would justify.

According to the SRA's cybercrime data, over £4 million was stolen from law firms through cybercrime in a single reporting year, with BEC attacks diverting client funds being the dominant mechanism. The NCSC has published specific guidance for the legal sector acknowledging it as a high-value target.

SRA Cybersecurity Obligations

The Solicitors Regulation Authority does not prescribe specific technical controls, but its Standards and Regulations create clear obligations that have cybersecurity implications:

SRA Code of Conduct for Firms

Paragraph 6.1 requires firms to identify, monitor and manage material risks to the business — including IT and information security risks. Paragraph 4.2 requires firms to maintain effective systems for supervising work, including systems that prevent cybercriminals from exploiting the firm's processes for handling client funds.

Client Protection and Client Money

Firms holding client money have an absolute obligation to protect it. A successful BEC attack resulting in client funds being redirected to a fraudster's account creates potential regulatory action, professional indemnity insurance claims and firm-ending reputational damage. The SRA has intervened in firms where cybersecurity failures contributed to client money losses.

Confidentiality Obligations

Legal professional privilege and the fundamental duty of confidentiality in the SRA Code mean that a data breach exposing client matter files carries potentially more severe professional consequences for a law firm than for a commercial business — including the possibility that affected clients have grounds for professional negligence claims.

The Most Common Attacks Against Law Firms

Business Email Compromise

The most financially damaging attack type. Criminals either compromise a legitimate email account (through phishing or credential theft) or spoof an email address to impersonate a partner, client or counterparty in a transaction. They then intercept or insert themselves into an email chain and change bank account details in an anticipated funds transfer.

Controls: MFA on all email accounts (non-negotiable), DMARC/DKIM/SPF configured to prevent domain spoofing, staff training on verifying changed payment details by telephone to a known number.

Ransomware

Law firm systems — document management systems, case management platforms, email archives — represent data that firms are under extreme pressure to recover quickly. Ransomware groups understand this and price ransoms accordingly. The double extortion model (encrypt and threaten to publish client files) adds a second lever.

Controls: Regular offline backups with tested restoration, EDR on all endpoints, network segmentation between workstations and file servers, patch management for known vulnerabilities.

Supply Chain and Third-Party Risk

Attacks targeting legal software vendors, cloud document management systems and e-signature platforms have become more common. A compromise of a firm's practice management software vendor can affect multiple firms simultaneously without any direct attack on the firm itself.

Controls: Vendor security assessment before onboarding, review of vendor security incident notifications, contractual incident notification obligations in supplier agreements.

Cybersecurity Controls for Law Firms

The following controls address the most material risks for UK legal practices:

  • MFA on all accounts: Microsoft 365, case management systems, document management, banking platforms. BEC attacks rely on account access — MFA is the primary defence.
  • Email authentication (DMARC, DKIM, SPF): Prevents criminals spoofing your firm's domain to impersonate partners or associates in external emails.
  • Staff cybersecurity training: Specific training for legal staff on BEC indicators, payment verification procedures, and recognising social engineering attacks targeting client matter information.
  • Endpoint detection and response (EDR): Enterprise-grade threat detection on all devices used for legal work, including personal devices under a BYOD policy.
  • Secure email and document exchange: Encrypted email and secure file transfer for sensitive client documents — not unencrypted email attachments for privileged communications.
  • Client funds transfer verification procedures: A formal, documented procedure requiring telephone verification to a known number before any change to bank details is acted upon — regardless of how legitimate the email instruction appears.
  • Cyber insurance: Appropriate cyber liability insurance providing coverage for business interruption, forensics, ransom (if applicable) and third-party liability. Review coverage annually against the evolving threat landscape.
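The email authentication control above (and the DMARC/DKIM/SPF point under Business Email Compromise) is easy to state and easy to get subtly wrong: an SPF record ending in `+all`, a DMARC policy of `p=none`, or a missing DKIM selector all leave the firm's domain spoofable while looking "configured". The following is an added example, not AMVIA's code or tooling, that checks TXT records for exactly those weaknesses. It works entirely offline on record strings you paste in (for instance from `dig +short TXT _dmarc.yourfirm.co.uk`); the domain, selector name and record values are constructed for illustration, and the nested-include lookup count is an approximation because the script does not resolve DNS.

```python
"""Assess SPF, DKIM and DMARC records for the settings that let criminals spoof a domain.

Added example (not from the original article). Takes TXT records as strings so it
runs offline; the firm domain, selector and record values below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    check: str     # "spf", "dkim" or "dmarc"
    detail: str


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' style record (DMARC, DKIM) into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(records: list) -> list:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("high", "spf", "no SPF record: any host can send as this domain")]
    if len(spf) > 1:
        return [Finding("high", "spf", "multiple SPF records: receivers treat this as a permerror and ignore SPF")]
    terms = spf[0].split()[1:]  # drop the 'v=spf1' version term
    findings = []
    # The trailing 'all' mechanism decides what happens to senders not listed above it.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append(Finding("medium", "spf", "no 'all' mechanism: unlisted senders get a neutral result"))
    elif all_term.lower() in ("+all", "all"):
        findings.append(Finding("high", "spf", "'+all' authorises every host on the internet to send as this domain"))
    elif all_term == "?all":
        findings.append(Finding("medium", "spf", "'?all' is neutral; use '-all' (or '~all' during rollout)"))
    elif all_term == "~all":
        findings.append(Finding("info", "spf", "'~all' softfail; move to '-all' once every legitimate sender is listed"))
    # RFC 7208 caps DNS-querying mechanisms at 10; nested includes are not resolved here.
    lookups = sum(
        1 for t in terms
        if re.split(r"[:/=]", t.lstrip("+-~?"), 1)[0].lower()
        in ("include", "a", "mx", "ptr", "exists", "redirect")
    )
    if lookups > 10:
        findings.append(Finding("high", "spf", f"{lookups} DNS-querying terms exceed the limit of 10; SPF will permerror"))
    return findings


def assess_dkim(records: list, selector: str) -> list:
    keys = [r for r in records if "p=" in r]
    if not keys:
        return [Finding("high", "dkim", f"no DKIM key at selector '{selector}': outbound mail is unsigned")]
    tags = parse_tags(keys[0])
    if not tags.get("p"):
        return [Finding("high", "dkim", f"selector '{selector}' has an empty p= tag (revoked key)")]
    if "y" in tags.get("t", "").split(":"):
        return [Finding("info", "dkim", f"selector '{selector}' is flagged as testing (t=y)")]
    return []


def assess_dmarc(records: list) -> list:
    dmarc = [r for r in records if r.strip().upper().startswith("V=DMARC1")]
    if not dmarc:
        return [Finding("high", "dmarc", "no DMARC record: receivers will not act on SPF/DKIM failures")]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append(Finding("high", "dmarc", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("medium", "dmarc", "p=quarantine sends spoofs to junk; p=reject blocks them"))
    elif policy != "reject":
        findings.append(Finding("high", "dmarc", f"missing or invalid policy tag 'p={policy}'"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(Finding("medium", "dmarc", f"pct={pct} applies the policy to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("info", "dmarc", "no rua= address: spoofing attempts against the domain go unreported"))
    return findings


def assess_domain(txt: dict, domain: str, dkim_selector: str) -> list:
    """txt maps a DNS name to the list of TXT strings published at that name."""
    return (assess_spf(txt.get(domain, []))
            + assess_dkim(txt.get(f"{dkim_selector}._domainkey.{domain}", []), dkim_selector)
            + assess_dmarc(txt.get(f"_dmarc.{domain}", [])))


# Constructed records for a hypothetical firm: the weak setup beside the corrected one.
WEAK = {
    "example-law.co.uk": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.example-law.co.uk": ["v=DMARC1; p=none"],
}
HARDENED = {
    "example-law.co.uk": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.example-law.co.uk": ["v=DKIM1; k=rsa; p=MIIBIjANBgCONSTRUCTEDKEY"],
    "_dmarc.example-law.co.uk": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-law.co.uk; adkim=s; aspf=s"],
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for f in assess_domain(records, "example-law.co.uk", "selector1") or [Finding("info", "-", "no findings")]:
            print(f"[{f.severity}] {f.check}: {f.detail}")
```

Run it against your own records once a quarter and after any mail platform change; the `include:` for Microsoft 365 is shown because most UK firms use it, but the script does not know which includes are legitimate for your firm, so a clean result still assumes the listed senders are the ones you intend.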

Cyber Essentials for Law Firms

Cyber Essentials certification provides formal evidence that a firm has the foundational technical controls in place. Some law firm clients — particularly in financial services, the public sector and large corporates — now request Cyber Essentials as a condition of instruction. AMVIA provides Cyber Essentials preparation and certification support for legal practices.

Is Your Law Firm Protected Against BEC and Ransomware?

AMVIA provides a legal sector cybersecurity assessment covering BEC controls, email authentication, endpoint protection and Cyber Essentials readiness — tailored to the specific risks facing UK legal practices.

Frequently Asked Questions