SRA Cybersecurity Requirements: What UK Law Firms Must Have in Place

The Solicitors Regulation Authority does not publish a checklist of required security controls — but that ambiguity is not your friend. Through its Thematic Reviews, enforcement actions, and the 2023 warning notice on cyber risks, the SRA has made clear that firms without documented, tested security programmes are in breach of their regulatory obligations. The question is not whether the SRA cares about cybersecurity. It is whether your firm can demonstrate it does too.

The SRA issued a formal warning notice on cyber risks in 2023 — the first of its kind for the profession.

What the SRA Standards and Regulations Actually Say

The SRA does not prescribe specific technical standards, but its Standards and Regulations create clear obligations that cybersecurity controls must satisfy:

  • Principle 2: Act in a way that upholds public trust in the solicitors' profession — a breach that harms clients damages that trust
  • Principle 7: Act in the best interests of each client — which includes protecting their confidential information
  • Code of Conduct 6.3: Firms must have systems and controls to ensure compliance with all regulatory obligations
  • Code of Conduct 6.4: Firms must monitor the compliance of all managers and employees
  • IB 7.3: Firms must have effective systems and controls in place to prevent inadvertent or reckless breaches of client confidentiality
  • Rule 4.1 (Accounts Rules): Client money must be protected — including from cybercrime

What the SRA's 2023 Warning Notice Means for Your Firm

In April 2023, the SRA issued a warning notice reminding firms of their obligations when handling cyber attacks. The notice made clear: firms are expected to have documented cyber incident response plans, to report cyber incidents that may affect client confidentiality or client money to the SRA, and to co-operate fully with the SRA's investigation. Critically, the notice confirmed that failure to have adequate controls in place — not just the attack itself — can constitute a regulatory breach.

The Controls the SRA Expects to See

Based on the SRA's Thematic Reviews and enforcement decisions, regulators expect firms to have documented evidence of:

  • A written information security policy, reviewed annually, approved by the firm's senior management
  • Staff security awareness training — conducted at induction and at least annually thereafter
  • A documented cyber incident response plan, tested in the last 12 months
  • Multi-factor authentication (MFA) on all email accounts, client portals, and remote access systems
  • Regular backups tested for restoration — not just taken
  • Vendor/supplier due diligence for any third party handling client data
  • A record of any cyber incidents reported to the SRA and the ICO

How Kyanite Blue Helps Firms Meet SRA Expectations

Our stack was selected for professional services firms where documentation and accountability matter as much as technical controls. Coro provides the endpoint protection and email security that defends your fee earners. Hadrian identifies exposed client portals and case management systems before attackers do. Panorays automates your third-party risk assessments. And Collective IP provides the managed security oversight that small and mid-size firms need without an in-house security team. Everything produces the audit trail the SRA expects to see.

Frequently Asked Questions

Does the SRA require firms to have Cyber Essentials certification?

The SRA does not mandate Cyber Essentials specifically, but many cyber insurers and larger clients now do. Cyber Essentials demonstrates the baseline controls the SRA expects — MFA, patching, firewall configuration, access controls — and is strongly recommended as a minimum for any SRA-regulated firm.

Must we report a cyber attack to the SRA?

You must report to the SRA any incident that has resulted in, or risks resulting in, a breach of client confidentiality, loss of client money, or significant operational disruption. You should also consider whether the ICO must be notified within 72 hours under GDPR. When in doubt, report.

What happens if the SRA investigates our firm after a cyber attack?

The SRA will examine whether you had adequate controls in place before the attack, whether you responded appropriately, and whether you reported the incident correctly. Firms that had documented controls and responded properly typically receive no sanction. Firms that had no controls and failed to report face formal regulatory action — including fines, conditions on practice, and in serious cases, intervention.
