The Solicitors Regulation Authority (SRA) has issued updated guidance on cyber risk management that significantly raises expectations for how law firms approach security and resilience. This isn’t just about having policies on paper — firms must now show that their policies are actively tested, up to date, and effective in practice, or risk regulatory action and potential increases in professional indemnity insurance premiums.
In this article, we break down what the new SRA guidance means, how it affects legal practices, and practical steps your firm should take to stay compliant and secure.
The SRA’s updated guidance emphasises that law firms need to go beyond basic documentation of cyber security policies. Firms are now expected to:
This marks a shift from simply having a policy to actively proving you can defend against and respond to threats.
Why this matters: Cybercrime against legal practices continues to rise, and regulators are increasingly viewing cyber security as a core part of professional conduct and client protection rather than an optional IT concern.
Law firms are attractive targets for cyber criminals due to the sensitive and valuable data they hold — including client details, case strategies, financial information, and intellectual property. Attacks such as phishing, ransomware, and business email compromise can have devastating financial and reputational consequences.
Regulatory bodies now see cyber resilience as integral to risk management for legal practices. Firms that cannot demonstrate effective controls — including staff competence and incident readiness — may be viewed as failing to uphold their professional obligations.
The SRA has also made it clear — through thematic reviews and risk research — that cyber risk remains one of the key threats facing UK solicitors and that tailored support and guidance will continue to be developed to help firms manage these risks effectively.
Human error remains one of the most common causes of successful cyber-attacks. Staff need:
This training must be documented and routinely evaluated for effectiveness, not just delivered once and forgotten.
An incident response plan should:
Plans that sit unused won’t meet the SRA’s expectations — firms must prove they work in practice.
Static cyber security policies are no longer enough. The threat environment is constantly changing — from sophisticated phishing campaigns to evolving ransomware tactics — and your policies must be reviewed and updated on a regular cycle to reflect that.
To align with the SRA’s updated guidance and defend your practice against current and emerging threats:
Identify where your firm is most vulnerable — whether technological, people-based, or process-oriented.
Ensure all staff — from partners to support teams — are trained and tested on recognising and responding to threats.
A documented plan should be practised annually if not more frequently, and lessons learned should feed back into policy updates.
Set a formal schedule — e.g., quarterly or bi-annual — to review your cyber security policies in light of new intelligence and threats.
Maintain clear records of training, plan testing, and policy updates. This evidence could be crucial in demonstrating compliance to the SRA or an insurer.
The SRA’s updated cyber risk management guidance represents a clear regulatory expectation: proactive, demonstrable, and evolving cyber risk practices are now a core requirement for law firms.
Staying ahead of these requirements not only helps you avoid regulatory and insurance implications but also enhances your firm’s resilience against increasingly sophisticated cyber threats.