SRA Cybersecurity Audit Preparation: What Inspectors Look For and How to Be Ready

When the SRA investigates a firm's cybersecurity following an incident — or during a proactive thematic review — it asks for specific documents and examines specific controls. Firms that have these in place fare significantly better than firms that are scrambling to create them retrospectively. This guide tells you exactly what inspectors look for, based on SRA enforcement decisions and published Thematic Review findings.

SRA Thematic Reviews consistently find that firms lack documented incident response plans and staff training records.

Documents the SRA Will Ask to See

An SRA investigation or thematic review of cybersecurity will typically request:

  • Your firm's information security policy — dated, approved by senior management, reviewed within the last 12 months
  • Records of staff security awareness training — including dates, who attended, and the content covered
  • Your cyber incident response plan — and evidence that it has been tested or reviewed
  • Records of any cyber incidents in the past two years — whether or not they were reportable
  • Evidence of multi-factor authentication deployment — which accounts and systems are protected
  • Your third-party due diligence process — how you assess the security of suppliers with access to client data
  • Your data breach reporting process — who is responsible, what the notification triggers are
  • Your backup and recovery arrangements — and evidence of testing

Technical Controls the SRA Expects

Beyond documentation, the SRA expects firms to have implemented proportionate technical controls. Based on thematic review findings, firms should be able to demonstrate:

  • MFA on email and all remote access systems — this is now treated as a baseline expectation
  • Anti-malware protection on all devices accessing client data
  • Regular software patching — particularly for internet-facing and business-critical systems
  • Encryption of portable devices and removable media
  • Access controls based on least privilege — staff can only access what they need
  • Regular access reviews when staff change roles or leave

How to Prepare: A Pre-Audit Checklist

A pragmatic preparation process for firms expecting SRA scrutiny:

  • Conduct a gap assessment against the NCSC's Cyber Essentials requirements — this maps directly to SRA expectations
  • Create or update your information security policy — keep it brief, practical, and reviewed annually
  • Run (and record) a firm-wide security awareness training session — note attendance
  • Document your incident response plan — even a one-page flowchart is better than nothing
  • Check and document MFA status across all email accounts and remote access systems
  • Review who has access to client matter management systems and remove any access that is no longer needed
  • Test your backup restoration — not just that backups are running, but that they restore successfully
  • Brief your managing partner and designated COLP/COFA on what to say if the SRA calls

Frequently Asked Questions

What triggers an SRA cybersecurity investigation?

The most common trigger is a reported incident — either self-reported by the firm or reported by a client or third party. The SRA may also conduct proactive thematic reviews of cybersecurity practices across a group of firms. Firms in sectors with high cyber incident rates — conveyancing, criminal defence, immigration — face higher scrutiny.

What are the consequences of failing an SRA cybersecurity review?

If the SRA finds inadequate security arrangements, outcomes range from a regulatory letter requiring remediation, through formal investigation and potential fine or conditions on practice, to referral to the Solicitors Disciplinary Tribunal in serious cases. For firm-level failures, the SRA can impose conditions on the firm's authorisation. For individual managers, outcomes can include personal regulatory action.

Should our COLP or COFA be involved in cybersecurity oversight?

Yes. The COLP (Compliance Officer for Legal Practice) and COFA (Compliance Officer for Finance and Administration) are personally responsible for the firm's systems and controls. Both should understand the firm's cybersecurity arrangements and be named in incident response plans. The SRA will expect them to be able to answer questions about the firm's security posture.

Prepare your firm for SRA scrutiny — speak to us

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.

