Why law firms have distinct IT requirements
Most businesses need reliable IT. Law firms need reliable IT with a specific set of constraints layered on top: regulatory obligations, professional conduct rules and a confidentiality expectation that's legally enforceable, not merely contractual.
The Solicitors Regulation Authority (SRA) sets the framework within which every solicitors' practice in England and Wales operates. That framework has direct implications for how firms handle data, who can access it and what happens when something goes wrong. The SRA can investigate and sanction a firm where a data security failure amounts to a breach of its Standards and Regulations, so a security lapse is a regulatory matter, not only a commercial one.
Legal professional privilege adds another layer. Client communications and legal advice are protected from disclosure in a way that makes data security a legal, not just a commercial, issue. A breach that exposes privileged communications isn't just a reputational problem; it can compromise ongoing matters and create professional liability.
Compounding all of this is the reality that many firms – particularly smaller and mid-sized practices – carry significant IT complexity without dedicated internal IT resource. A 15-partner firm handling commercial litigation, residential conveyancing and family law may be running several different software platforms, managing a mix of remote and office-based staff and dealing with cyber insurance requirements, all without a single full-time IT person in-house.
SRA obligations and IT security
SRA Principle 7 requires solicitors to act in the best interests of their clients. In practice, that extends to protecting client data from unauthorised access or loss. Firms that experience data breaches caused by inadequate IT security can face SRA investigation on the basis that they failed in their duties to clients.
Subject access requests under the UK GDPR (Article 15) create further IT requirements. Firms need to be able to locate, retrieve and produce an individual's personal data on request, normally within one month, which requires organised, searchable data systems, not files scattered across local drives and shared mailboxes.
Cyber incidents in legal firms are reportable to the SRA in certain circumstances, particularly where client data has been compromised or where the incident affects the firm's ability to serve clients. A personal data breach that is likely to result in a risk to individuals must also be notified to the ICO within 72 hours of the firm becoming aware of it (UK GDPR Article 33), and the individuals affected told without undue delay where that risk is high (Article 34). These deadlines mean that firms need an incident response plan that sets out what to report, to whom and within what timeframe, agreed in advance rather than worked out at the point of an incident.
What the SRA expects firms to have in place includes a written data security policy, clearly defined access controls so that only appropriate staff can access client files and financial data, and a documented incident response plan. These aren't aspirational standards. They're the baseline the SRA will measure against if something goes wrong.
Case management and practice management systems
Most law firms operate a Practice Management System (PMS) or Case Management System (CMS) as the operational hub of the practice. These platforms handle matter management, time recording, billing and often document storage. The main platforms in UK legal include Clio, Leap, Osprey, Proclaim, ALB and SOS Connect – each with different architecture, hosting models and IT requirements.
The cloud vs on-premise question is significant here. Cloud-hosted systems – Clio and Leap being two widely used examples – push the infrastructure burden to the vendor. The firm's IT requirements for the PMS itself are primarily around reliable internet connectivity and a strong security posture at the device and identity layer. A cloud PMS accessed from a compromised device or over an unmanaged network is only as secure as the weakest point in that chain.
On-premise systems require the firm to maintain the underlying server infrastructure – patching, backup, hardware refresh and physical security. Many firms running on-premise systems have allowed that infrastructure to age, creating exposure from unpatched operating systems and unsupported software.
Integration between the PMS, accounts software and document management adds complexity. Data moving between systems needs to do so securely – ideally over encrypted connections with authenticated API access rather than file exports passed between systems via shared folders or email.
Client data: confidentiality and GDPR
Law firms are both data controllers and, in certain circumstances, data processors under the UK GDPR. That dual status creates obligations that go beyond what most businesses face. Firms hold data about clients, about third parties mentioned in matters, about counterparties and about witnesses – often over long retention periods dictated by limitation periods rather than commercial preference.
Article 32 of the UK GDPR requires organisations to implement "appropriate technical and organisational measures" to protect personal data. In a legal context, those measures need to address encryption at rest and in transit, role-based access controls, audit logging (so that it's possible to establish who accessed a file and when) and defined retention policies that don't result in data being held indefinitely.
The practical gap at many firms is email. Unencrypted email is still widely used to send sensitive client documents: contracts, medical records, financial information, immigration documents. SMTP encryption is opportunistic: the sending server offers STARTTLS, and if the receiving server does not advertise it, or an attacker on the path strips the offer, the message falls back to plain text. Email in transit between two servers that haven't negotiated TLS travels in the clear. That's not a theoretical risk; it's the default behaviour of email unless a published policy such as MTA-STS (RFC 8461) or DANE tells the sender to refuse delivery rather than downgrade.
Secure file transfer portals, encrypted email gateways and client-facing portals built into cloud PMS platforms all address this. The question is whether firms have implemented them, or whether "email it over" remains the default because it's easiest.
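What "explicitly mitigated" looks like on the wire is worth seeing. The block below is an added example, not Route B's or the page's code: it parses a constructed MTA-STS (RFC 8461) TXT record and policy body for the hypothetical domain example-firm.co.uk and shows how a policy-aware sending server decides whether to deliver or defer when TLS is missing, the certificate does not match, or the MX has been redirected. No network access is made; the domain, record and policy are assumptions for illustration.

```python
"""
MTA-STS (RFC 8461) policy evaluation for an outbound mail server.

Added example, not the page's code. The domain example-firm.co.uk, the TXT
record and the policy body are constructed; nothing here touches the network.
"""
from dataclasses import dataclass

# Constructed TXT record as it would be published at _mta-sts.example-firm.co.uk
STS_TXT_RECORD = "v=STSv1; id=20260401T090000;"

# Constructed policy body as it would be fetched over HTTPS from
# https://mta-sts.example-firm.co.uk/.well-known/mta-sts.txt
STS_POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.example-firm.co.uk
mx: *.mx.example-firm.co.uk
max_age: 604800
"""


@dataclass
class StsPolicy:
    mode: str            # "enforce", "testing" or "none"
    mx_patterns: list    # permitted MX hostnames, optionally with a leading "*."
    max_age: int         # seconds a sender may cache the policy


def parse_txt_record(txt: str):
    """Return the policy id if the TXT record is a valid STSv1 record, else None.

    The TXT record only signals that a policy exists and when it last changed;
    the policy itself must be fetched over HTTPS from the mta-sts subdomain.
    """
    fields = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text: str) -> StsPolicy:
    """Parse the key: value policy body. A malformed policy raises ValueError;
    a sender treats that as having no policy (and reports it if TLSRPT is set up)."""
    version = mode = max_age = None
    mx_patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx_patterns.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none"):
        raise ValueError("not a valid STSv1 policy")
    if max_age is None or (mode != "none" and not mx_patterns):
        raise ValueError("policy missing max_age or mx entries")
    return StsPolicy(mode, mx_patterns, max_age)


def mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """True if the MX hostname is permitted by the policy. A wildcard matches
    exactly one leftmost label, as with TLS certificate wildcards, so
    *.mx.example-firm.co.uk matches mx1.mx.example-firm.co.uk but neither
    mx.example-firm.co.uk nor a.b.mx.example-firm.co.uk."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx_patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # ".mx.example-firm.co.uk"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy: StsPolicy, mx_host: str,
                      tls_negotiated: bool, cert_valid_for_mx: bool) -> str:
    """Decide what a policy-aware sender does with one SMTP connection.

    'deliver': the connection satisfies the policy, or the policy is not enforcing.
    'defer'  : enforce mode and the connection would downgrade; the sender must
               not send in clear text and retries (or eventually bounces) instead.
    In testing mode the message is still delivered but the failure is reported.
    """
    connection_ok = tls_negotiated and cert_valid_for_mx and mx_matches(policy, mx_host)
    if connection_ok or policy.mode != "enforce":
        return "deliver"
    return "defer"


if __name__ == "__main__":
    policy = parse_policy(STS_POLICY_TEXT)
    print("policy id:", parse_txt_record(STS_TXT_RECORD), "mode:", policy.mode)
    # Legitimate MX, TLS negotiated with a certificate valid for it
    print(delivery_decision(policy, "mail.example-firm.co.uk", True, True))
    # Same MX, but STARTTLS was stripped on the path: no clear-text fallback
    print(delivery_decision(policy, "mail.example-firm.co.uk", False, False))
    # MX redirected to a host the policy does not list, even with valid TLS
    print(delivery_decision(policy, "mail.interceptor.example", True, True))
```

The point of the example is the last two calls: with a policy in enforce mode the sending server defers rather than downgrading to plain text, and a TLS-capable but unlisted MX is still refused. Publishing the policy is the receiving firm's job; whether a given counterparty's server honours it depends on that server supporting MTA-STS, which is why the portals and gateways above remain the reliable route for the most sensitive material.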
Remote and hybrid working for solicitors
Remote working is now standard across most law firms. Fee earners work from home, from client sites and from courts. The security implications of this depend almost entirely on how it's been set up.
A solicitor working from a firm-managed laptop – enrolled in device management, with full disk encryption, a managed endpoint protection suite and access to firm systems only through an authenticated, encrypted connection – creates a manageable security posture. The same solicitor working from a personal laptop with a browser tab open to a web-based PMS, no device management and no firm visibility into the device, creates a very different one.
BYOD (Bring Your Own Device) is common in legal because it's frictionless to set up. The risk is that client files may be downloaded, cached or saved to a personal device that the firm has no control over and no ability to wipe if the device is lost or compromised. In a sector where client confidentiality is a professional obligation, that's a meaningful exposure.
The SRA has been clear that firms' data security obligations don't stop at the office door. Remote working arrangements need to meet the same standard as office-based ones. Practical controls include device enrolment through a Mobile Device Management (MDM) platform, Conditional Access policies that block access from non-compliant devices, and encrypted communication tools for anything involving client matter content.
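A Conditional Access policy that "requires a compliant device" is only as good as its scope and its grant operator, and the gaps are easy to miss in the portal. The block below is an added example, not Route B's or the page's code: it audits a constructed set of policies in the shape the Microsoft Graph endpoint /identity/conditionalAccess/policies returns and flags the common ways such a policy fails to block unmanaged devices (report-only state, an OR operator that lets MFA alone satisfy the policy, excluded groups, partial app or user scope). The policy names and group identifier are hypothetical and nothing here connects to a tenant.

```python
"""
Audit Microsoft Entra Conditional Access policies for an effective
"block access from non-compliant devices" requirement.

Added example, not the page's code. The policies below are constructed in the
shape the Microsoft Graph endpoint /identity/conditionalAccess/policies returns;
nothing here talks to a tenant. Policy names and the group id are hypothetical.
"""
import json

SAMPLE_POLICIES_JSON = """
[
  {"displayName": "CA01 - Require compliant device for all apps",
   "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                  "applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}},
  {"displayName": "CA02 - MFA or compliant device",
   "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                  "applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
  {"displayName": "CA03 - Compliant device (report only)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                  "applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}},
  {"displayName": "CA04 - Compliant device, partners excluded",
   "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                            "excludeGroups": ["00000000-0000-0000-0000-000000000abc"]},
                  "applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}}
]
"""

# Grant controls that tie access to a managed device: Intune-reported compliance,
# or an Entra hybrid-joined device.
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def policy_findings(policy: dict) -> list:
    """Return short finding codes explaining why this policy alone does not
    guarantee that every user on an unmanaged device is blocked. An empty list
    means the policy is a clean, enforced, tenant-wide device requirement."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("NOT_ENFORCED")          # disabled or report-only
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if not controls & DEVICE_CONTROLS:
        findings.append("NO_DEVICE_CONTROL")
    elif grant.get("operator") == "OR" and controls - DEVICE_CONTROLS:
        # "Require one of the selected controls": MFA alone satisfies the policy,
        # so a personal laptop with an authenticator app still gets in.
        findings.append("OR_OPERATOR_BYPASS")
    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        findings.append("NOT_ALL_USERS")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        findings.append("HAS_EXCLUSIONS")        # break-glass accounts are legitimate; check the rest
    apps = conditions.get("applications") or {}
    if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
        findings.append("NOT_ALL_APPS")
    return findings


def audit_policies(policies_json: str) -> dict:
    """Map each policy displayName to its list of finding codes."""
    return {p["displayName"]: policy_findings(p) for p in json.loads(policies_json)}


def tenant_blocks_unmanaged_devices(policies_json: str) -> bool:
    """True if at least one policy is a clean tenant-wide device requirement."""
    return any(not findings for findings in audit_policies(policies_json).values())


if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_POLICIES_JSON).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
    print("tenant blocks unmanaged devices:", tenant_blocks_unmanaged_devices(SAMPLE_POLICIES_JSON))
```

CA02 is the one that catches people out: it reads as a device policy, but with the operator set to OR a fee earner on a personal laptop passes with MFA alone, which is exactly the BYOD exposure described above. Exclusions (CA04) deserve a named owner and a review date; a break-glass account is reasonable, a partners' group is not.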
Cyber Essentials and cyber insurance for legal
Cyber Essentials is increasingly expected of law firms – not just as a best practice, but as a commercial requirement. Cyber insurers use Cyber Essentials certification (or the controls it represents) as an underwriting signal. Larger commercial clients, particularly those in regulated industries, increasingly include it in procurement requirements. And the SRA's own guidance points to recognised security frameworks as evidence of appropriate controls.
The April 2026 Danzell update to the Cyber Essentials scheme emphasises two requirements that are directly relevant to most legal firms: multi-factor authentication (MFA) on every user account with internet-facing access, and cloud services within the assessment scope. Neither is entirely new, since cloud services were brought into scope in 2022 and MFA has been required on them where available since then, but both reflect where legal IT has moved. Firms running Clio, Leap or Microsoft 365 – which is most firms – have cloud services squarely within their Cyber Essentials scope.
Cyber insurance underwriting in the legal sector is more granular than in many industries. Insurers ask specifically about whether MFA is enforced on email and the PMS, whether backups are tested and stored offline, and whether staff receive phishing awareness training. The nature of the data held – privileged communications, financial records, personal data – shapes the risk profile and the premium. Firms that have implemented the controls insurers look for are in a better position both on premium and on claim validity if an incident occurs.
Route B provides IT support for law firms and professional services businesses – covering compliance, security and the systems your team depends on.