
SRA Cybersecurity Requirements FAQ: What UK Law Firms Are Actually Required to Do

The SRA does not publish a checklist of required cybersecurity controls. This ambiguity creates uncertainty — and uncertainty leads to inaction. These are the questions UK law firms most frequently ask about their SRA obligations, answered plainly based on the SRA's published guidance, enforcement decisions, and Thematic Review findings.

The SRA issued its first-ever warning notice on cyber risks in April 2023 — signalling that cybersecurity is now a core regulatory expectation, not an optional extra.

The Regulatory Framework

SRA cybersecurity obligations derive from several overlapping sources rather than a single rule:

  • SRA Standards and Regulations: Principles 2 and 7, together with paragraphs 6.3 and 6.4 of the Codes of Conduct, create the obligation to have adequate systems and controls
  • Accounts Rules 4.1: obligation to protect client money — including from cybercrime
  • The 2023 Warning Notice: the SRA explicitly set out its expectations for cyber incident response, reporting, and prevention
  • GDPR and UK DPA 2018: data protection obligations that sit alongside SRA requirements
  • NCSC Cyber Essentials: not mandatory, but strongly indicated as a baseline expectation by SRA guidance and thematic reviews

What the SRA Actually Expects

Based on thematic review findings and enforcement decisions, the SRA expects regulated firms to have:

  • A written information security policy, reviewed annually, approved by senior management
  • A documented cyber incident response plan, reviewed and tested within the last 12 months
  • MFA on email and all remote access — described as a baseline expectation in the 2023 warning notice
  • Staff security awareness training — conducted at induction and at least annually thereafter
  • Vendor/supplier due diligence for any third party with access to client data
  • A process for reporting cyber incidents to the SRA and ICO
  • Regular, tested backups of client data

Frequently Asked Questions

Does the SRA require Cyber Essentials certification?

The SRA does not mandate Cyber Essentials specifically. However, Cyber Essentials maps almost exactly to the technical controls the SRA expects to see (MFA, patching, firewall configuration, access controls, malware protection), and many firms find certification provides the documented evidence base the SRA looks for. Many cyber insurers and larger clients now require it.

What triggers an SRA cybersecurity investigation?

The most common triggers are: self-reporting of an incident by the firm; a client complaint following a breach; a report from the ICO following notification of a personal data breach; or inclusion in an SRA thematic review of cybersecurity practices. Proactive thematic reviews typically target higher-risk practice areas (conveyancing, criminal, immigration) and smaller firms with fewer resources.

Can a firm face SRA action for a breach even if it reported it correctly?

Yes — and the Tuckers case confirmed it. The SRA's focus is on whether the firm had adequate controls in place before the incident. A firm that reports an incident correctly but had no MFA, no incident response plan, and no tested backups faces regulatory scrutiny for those failures, not just for the incident itself. Reporting correctly is necessary but not sufficient.

Is a COLP personally liable for the firm's cybersecurity failures?

The COLP is personally responsible for the firm's compliance systems. Where the SRA finds systemic failure in security arrangements — particularly if those failures were known and not addressed — the COLP can face personal regulatory action. This makes it important that COLPs are genuinely engaged with cybersecurity oversight, not just nominally responsible.

What documents should we have ready in case the SRA asks?

Keep the following readily available: your information security policy (dated, approved); records of staff security training (dates, attendees, content); your incident response plan; a record of any cyber incidents in the past two years; evidence of MFA deployment; your data breach reporting procedure; and records of third-party supplier due diligence. Having these ready substantially reduces the stress of an SRA inquiry.

Get ahead of SRA scrutiny — speak to our legal sector team

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
