SRA, GDPR and the Cyber Security Obligations Every Law Firm Must Meet

Law firms operate under a layered set of cyber security obligations that interact in ways that are not always straightforward. The SRA's professional conduct framework, the ICO's data protection requirements, the professional indemnity insurance terms that underpin the firm's ability to practise, and the duty of confidentiality owed to clients all converge on a single practical question: what security measures does a law firm need to have in place, and how does it demonstrate that they are working?

The SRA Framework

The SRA Standards and Regulations establish a principles-based framework within which all authorised firms must operate. Several principles and rules have direct cyber security implications.

Principle 2 requires firms to act in a way that upholds public trust and confidence in the solicitors' profession. A firm that loses client money to business email compromise, or that allows privileged communications to be accessed by a third party due to inadequate security, damages public trust in the profession as well as its own reputation. The SRA treats significant security failures as potential Principle 2 breaches.

Rule 4.2 of the SRA Code of Conduct for Solicitors requires that solicitors do not abuse their position by taking unfair advantage of clients or others. Failing to maintain the security of client information — particularly in circumstances where the firm was aware of the risk — can be characterised as a failure of this duty.

Rule 6.3 requires firms to keep client money and assets safe. The SRA has made explicit, through enforcement decisions and guidance, that cyber security measures are a component of this obligation. A firm that holds client money without adequate controls to prevent its fraudulent misdirection has not complied with Rule 6.3 regardless of its intentions.

The SRA's Cyber Security Guidance, published and updated periodically, provides specific recommendations. The current guidance covers: protecting email accounts with MFA, securing client portals, staff training, supplier due diligence, and incident response planning. Firms that have not implemented these measures cannot credibly claim to have taken reasonable steps if they are subject to enforcement action following an incident.

UK GDPR and the ICO

Law firms are data controllers for a significant volume of personal data: client personal details, opponent personal details, witness information, employee records, and — in many practice areas — sensitive categories of data including health information, financial data, and information about criminal proceedings. The Article 32 requirement for appropriate technical and organisational measures applies to all of this data.

The ICO's accountability principle — the requirement to demonstrate compliance, not merely achieve it — has particular force in the legal sector. Firms that hold significant volumes of sensitive personal data and cannot produce evidence of their security measures are in a difficult position when things go wrong. The ICO has issued enforcement notices and fines to law firms for inadequate security, and the pattern of enforcement demonstrates that small firms are not exempt.

The 72-hour breach notification obligation runs from the moment the firm becomes aware of the breach — not from when the investigation is complete. A firm that discovers a ransomware incident on a Thursday afternoon and spends the rest of the week deciding whether to notify has already breached the timeline. Having a documented incident response procedure, a pre-identified ICO contact, and legal advice on notification obligations ready before an incident occurs is not excessive preparation — it is the minimum standard for a firm that takes its data protection obligations seriously.

Professional Indemnity Insurance

The SRA Minimum Terms and Conditions for professional indemnity insurance require all authorised firms to hold qualifying insurance. Cyber security has become a significant factor in PI insurance underwriting and claims.

Insurers are increasingly including cyber security warranty clauses in PI policies, requiring firms to maintain specific controls — MFA on email, current patching, staff training — as a condition of cover. Firms that make warranty statements they cannot support, or that allow controls to lapse after inception, face the risk that a claim arising from a security failure is disputed on the basis that the warranted controls were not in place.

Claims involving fraudulent payment redirection — conveyancing fraud, invoice fraud, and business email compromise — are among the most frequent cyber-related PI claims in the legal sector. Insurers are scrutinising the security measures firms had in place at the time of the claim. Firms that can produce a monthly security report from a named analyst, a current Cyber Essentials certificate, and evidence of MFA on all email accounts are in a materially better position when a claim is disputed than those that cannot.

Lexcel and Other Quality Marks

Lexcel — the Law Society's legal practice quality mark — includes information security requirements within its accreditation standard. Lexcel-accredited firms must demonstrate that they have information security policies in place, that staff have received relevant training, and that data protection obligations are met. The assessor will review these arrangements as part of the accreditation process.

Firms seeking or maintaining Lexcel accreditation should treat the security requirements as a floor, not a ceiling. The Lexcel standard reflects a minimum acceptable level of practice management quality. Firms in sectors with heightened data sensitivity — conveyancing, family law involving children, criminal defence, employment — operate in environments where the Lexcel minimum is insufficient.

What Demonstrable Compliance Looks Like

Across all of the frameworks above, the evidence that matters to regulators, insurers, and professional bodies shares common characteristics:

Compliance Evidence, Produced Monthly. Automatically.

SOC in a Box provides the monthly Confidence Score reports, Cyber Essentials certification, and continuous monitoring that constitute demonstrable compliance for SRA, ICO, and PI insurance purposes. Your named analyst understands the legal sector's specific risk profile. The monthly report is the evidence your regulators and insurers both need.
