Sector Guide · 5 min read

Cyber Security for UK Solicitors and Law Firms

Specific risks and requirements for legal practices — SRA obligations, client data protection, and what insurers are asking.

Why solicitors are high-value targets

Law firms handle some of the most sensitive and valuable information that exists — client confidences, financial transactions, business deals, property transfers, personal injury cases. They also frequently hold client money.

This makes them disproportionately attractive to attackers. The SRA has repeatedly warned that law firms are actively targeted by cybercriminals, and the consequences of a breach — regulatory action, professional indemnity claims, reputational damage — are severe.

SRA obligations

The SRA Code of Conduct requires solicitors to keep client money and assets safe and to maintain the confidentiality of client information. The SRA's cybersecurity guidance makes clear that firms must:

  • Have appropriate security measures to protect client data and money
  • Train staff to recognise cyber threats — particularly phishing and business email compromise
  • Have a cyber incident response plan
  • Report significant cyber incidents to the SRA (and, where a notifiable personal data breach is involved, to the ICO within 72 hours under UK GDPR)
  • Consider cyber insurance

The conveyancing fraud risk

Conveyancing fraud is one of the most significant risks for law firms and their clients. Attackers gain visibility of the email traffic between solicitor and client, typically by compromising one of the mailboxes, and wait for the critical moment, usually just before completion. They then send the client a message that appears to come from the firm giving "updated" bank details, so that the purchase funds are paid into an account the attacker controls.

Prevention requires:

  • Verifying every bank account change by phone, calling a number already held on your records (never one supplied in the email requesting the change) and never relying on email alone
  • Telling clients clearly, at the outset of the matter and in writing, that you will never change your bank details by email, so that any such request is treated as suspicious
  • Protecting email accounts with MFA, which makes mailbox takeover far harder (though it does not remove the need for the verification step above)
  • Using secure client portals rather than email for sensitive documents and payment instructions where possible

What cyber insurers are asking law firms

Professional indemnity insurers and cyber insurers are asking increasingly detailed security questions of law firms. Common questions include:

  • Is MFA enabled on email and practice management systems?
  • Do you have a procedure for verifying bank account changes?
  • Have staff received phishing awareness training in the last 12 months?
  • Are client files encrypted at rest and in transit?
  • Do you have a documented cyber incident response plan?

Priority actions for law firms

Enable MFA on all systems

Email, practice management software, and any cloud services. This is the single most important control.

Implement a bank details verification procedure

A written procedure requiring phone verification of any bank account change, for clients, suppliers, and staff payroll alike. The call must go to a number already on file, not one taken from the change request itself, and the verification should be recorded on the matter or supplier record.

Run phishing awareness training

Regular briefings on what phishing and business email compromise look like, with particular attention to finance and conveyancing staff, who are the most frequently targeted.

Review access controls

Ensure staff only have access to the client matters they actually work on, and remove access promptly when people leave or change role. Review who has access to the client account and payment systems in particular.

Document your security position

A structured assessment against Cyber Essentials demonstrates to regulators and insurers that you've taken a systematic approach.

Our 10-minute security assessment covers all five Cyber Essentials areas and produces a professional report suitable for SRA compliance documentation and insurer applications.

Find out where your business stands

Complete our 10-minute plain-English assessment and get a professional security report aligned to Cyber Essentials.


£49 for the full report · No account required
