Cyber Incident Response for Law Firms: What to Do in the First 72 Hours

A ransomware attack lands at 7am on a Monday morning. By 9am, fee earners cannot access case management. By 10am, a completion is due to proceed. By 11am, the ICO's 72-hour notification clock is running. By noon, the SRA's reporting obligation may have been triggered. The decisions made in the first 72 hours determine whether this firm recovers in days or months, faces regulatory sanction or is treated with understanding, and maintains client trust or faces a professional indemnity disaster. This is your decision timeline.

Firms with a tested incident response plan recover from cyber incidents three times faster than those without, according to IBM Security data.

Hour 0–4: Containment and Assessment

The first priority is stopping the spread, not investigating the cause:

  • Isolate affected systems immediately: disconnect from the network any device showing signs of compromise or encryption — physically unplug network cables if necessary
  • Do NOT turn off affected machines: powering off can destroy volatile forensic evidence (memory, running processes) and, with some ransomware strains, can trigger encryption of files that were queued but not yet encrypted
  • Activate your incident response team: internal IT, your managed security provider, your external IR firm if you have a retainer
  • Brief the managing partner and COLP/COFA immediately — they need to be part of all decisions from this point
  • Contact your cyber insurer: your policy requires prompt notification, and your insurer's incident response panel should be activated immediately
  • Preserve evidence: screenshot ransom notes, do not delete suspicious emails, preserve system logs — your forensic investigation depends on this

Hour 4–24: Notification Obligations

While containment continues, the notification clock demands attention:

  • ICO assessment: is this likely to result in risk to individuals' rights and freedoms? If yes — and for most law firm incidents it is — you must notify the ICO within 72 hours of becoming aware. Report at ico.org.uk. You can report without completing your investigation.
  • SRA assessment: has the incident affected client confidentiality, client money, or your ability to practise? If yes, notify the SRA. Do not wait until you have full information.
  • Professional indemnity insurer notification: check your policy — most require immediate notification of circumstances that might give rise to a claim.
  • Affected client identification: begin identifying which client matters may be affected by compromised or encrypted systems.
  • Client notification: consider which clients need to be warned urgently — particularly those with time-sensitive matters like completions.

Hour 24–72: Recovery and Communication

With containment in place and notifications made, focus shifts to recovery and communication:

  • Forensic investigation: understand the scope of the breach — what was accessed, what was exfiltrated, which systems are affected
  • System restoration: from clean backups where available — do not restore from backups made after the compromise date
  • Staff communication: internal briefing explaining the situation, what not to say publicly, and how to direct client enquiries
  • Client communication: proactive communication to affected clients, drafted with legal advice
  • External communication: consider whether a press statement is needed if the incident is likely to become public
  • Post-incident review: begin a review to establish the root cause and the controls needed to prevent recurrence

Frequently Asked Questions

Should we pay a ransomware demand?

This is a decision that must involve your insurer, legal advisers, and incident response team — not IT alone. The NCSC and NCA recommend against payment. Consider: do you have backups that allow restoration without payment? Is the attacker a sanctioned entity (paying could breach sanctions regulations)? Will payment actually result in decryption? In most cases, payment is avoidable with adequate backups and does not prevent data from being published.

What does "72 hours" mean in practice for ICO reporting?

The 72-hour clock starts when any person in your organisation becomes aware that a personal data breach has occurred — not when the investigation is complete. You do not need to have full information to report. If you discover an incident on Monday morning, you should be reporting to the ICO by Thursday morning at the latest. You can report a preliminary notification and provide further information as your investigation progresses.

Do we need a specialist cybersecurity solicitor after a breach?

Yes, for significant incidents. Cyber incident response involves privileged legal advice on notification obligations, regulatory exposure, client communications, and potential claims. Retaining specialist advice under legal professional privilege also protects investigation documents from ICO and SRA disclosure. Many cyber insurers include access to specialist legal counsel as part of their response service.

Prepare your firm's incident response plan now — before you need it

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
