SRA Cyber Security in 2026: The IT Checklist Every London Law Firm Needs

⚖️ Legal Sector  ·  8 min read  ·  June 2026

In 2025, the SRA received over 2,300 reports of data breaches and cyber security incidents affecting solicitor practices across England and Wales. The regulator intervened in 47 practices that year, citing IT security failures as a primary factor. If your firm still relies on an IT provider who does not know what a COLP (Compliance Officer for Legal Practice) is or does, you are already behind.

The Solicitors Regulation Authority has made one thing unmistakably clear in recent years: "we don't have the budget" is no longer an acceptable answer to questions about cyber security. The SRA's Standards and Regulations place enforceable obligations on every firm regarding how client data is protected, how systems are monitored, and how incidents are handled. Fail to meet them, and you face regulatory action — not just a polite letter.

This guide sets out exactly what the SRA expects from your IT infrastructure in 2026, gives you a working checklist you can use today, and explains what a specialist legal IT provider should be doing that a generalist simply won't.

  • 2,300+ cyber incidents reported to the SRA in 2025
  • 47 practices intervened in for IT security failures in 2025
  • 67% of attacks targeted firms with fewer than 20 employees

What the SRA Actually Requires From Your IT Systems

The SRA does not publish a single, prescriptive IT standard. Instead, its obligations are spread across several documents — and most law firms are only aware of some of them.

SRA Code of Conduct — Paragraph 6.3

Solicitors must keep the affairs of current and former clients confidential. In practice, this means every system that holds client data — your case management software, your email, your file storage — must have encrypted storage, secure communications, and properly configured access controls. This is not a suggestion. It is a conduct obligation.

SRA Accounts Rules 2019

Firms must maintain accurate, secure records of all client money transactions. Your IT systems must support compliant legal accounting software, with robust backup, audit trails, and access logs. If a client account is compromised because your software wasn't patched, that is an Accounts Rules failure as well as a security failure.

SRA Code of Conduct for Firms — Paragraph 2.5

Firms must identify, monitor, and manage all material risks to the business. Cyber risk is not named in the paragraph itself, but the SRA has repeatedly identified it as a material risk in its Risk Outlook and its cyber security thematic review, so in practice this means documented risk assessments of your technology systems, with periodic penetration testing and vulnerability scanning as part of an ongoing programme. Not once at setup, but regularly, with the results recorded and actioned.

Important: The SRA's recent enforcement actions following client-money loss events make one thing clear — the regulator now expects firms to show active, documented cyber programmes. Policies that exist only as a Word document in a folder nobody reads will not satisfy an investigation.

The 2026 SRA IT Compliance Checklist

Use this as a starting point for your own review. If you cannot answer "yes, and it is documented" to each item, it represents a compliance gap.

  • Multi-Factor Authentication (MFA) on every account — email, case management, cloud apps, remote access. No exceptions for senior partners. The SRA has specifically noted that MFA absence is a recurring factor in successful attacks on law firms.
  • Email authentication configured — SPF, DKIM, and DMARC, with the DMARC policy at enforcement (p=reject, or p=quarantine as an interim step). Most UK law firms run p=none, which is monitoring only and provides almost no practical protection against the spoofing of your own domain used in conveyancing fraud. Before moving to p=reject, review the DMARC aggregate (rua) reports for a few weeks so that legitimate third-party senders such as your practice management or e-billing platform are included in SPF or signed with DKIM; otherwise their mail will be rejected along with the spoofs.
  • Encrypted storage for all client data — both at rest (on servers and devices) and in transit (when sending or sharing). Unencrypted client files on an unmanaged laptop are a conduct breach waiting to happen.
  • Role-based access controls — staff can only access client files relevant to their matters. Paralegals should not have access to all client accounts. Leavers should be deprovisioned the same day.
  • Documented and tested backup procedure — including off-site or immutable cloud backups. Backups that have never been tested are not backups. The SRA expects business continuity plans to be realistic and current.
  • Patch management programme — all operating systems and software updated within 14 days of a critical or high severity patch being released, which is the Cyber Essentials threshold. Unpatched, internet-facing systems are the most common entry point for ransomware in the legal sector.
  • Documented incident response plan — who does what in the first 24 hours of a breach. Includes notification to the COLP, the SRA, the ICO (within 72 hours of becoming aware, where personal data is involved and the breach is likely to result in a risk to individuals), your PI insurer, and affected clients where required.
  • Annual cyber security risk assessment — documented, reviewed by the COLP, and actioned. Not a generic template — a real assessment of your specific systems, suppliers, and staff practices.
  • Staff cyber awareness training — at minimum annual, ideally with quarterly phishing simulations. The SRA considers staff training a baseline expectation, not an optional extra.
  • Secure remote working controls — VPN or zero-trust access for all remote working. No client files accessible via personal devices without MDM enrolment and device encryption.
  • Supplier security checks — your IT provider, cloud software vendors, and any third party with access to client data should be able to demonstrate their own security posture (ISO 27001 or Cyber Essentials as a minimum).
  • Cyber Essentials or Cyber Essentials Plus certification — not currently mandatory but referenced within Lexcel, increasingly required by PI insurers, and the SRA views it as the practical baseline standard for demonstrating good cyber hygiene.

The Threats Specifically Targeting Law Firms in 2026

General cyber security guidance talks about phishing and ransomware. Legal sector threats are more targeted and more sophisticated than that.

Conveyancing fraud

Criminals monitor conveyancing transactions and send spoofed emails — appearing to come from your firm — redirecting client completion funds to fraudulent accounts. These attacks increasingly use AI-generated emails and even deepfaked video calls to impersonate partners. DMARC enforcement stops mail sent as your exact domain; it does nothing against a lookalike domain registered by the criminal, so staff training and a verified call-back on any change of bank details remain essential alongside it.
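The email authentication item in the checklist and the conveyancing fraud section above both turn on the same question: is your domain's DMARC policy actually at enforcement? The following is an added example, not Foxcomm's tooling, that parses SPF and DMARC TXT records and lists the weaknesses a reviewer would flag (p=none, a partial pct, a missing rua address, a permissive SPF "all" term). The sample records and domain names are constructed for illustration and are not real firms; to check a live domain, paste in the output of `dig +short TXT _dmarc.yourfirm.co.uk` and `dig +short TXT yourfirm.co.uk`.

```python
"""SPF / DMARC record assessment for a law firm's sending domain.

Added example (not the page's or Foxcomm's own code). Runs offline on the
constructed records below; substitute real TXT record strings to check a live domain.
"""
import re

# Constructed sample records for hypothetical domains (not real firms).
SAMPLE_RECORDS = {
    "weak-firm.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-firm.example",
    },
    "strong-firm.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@strong-firm.example"),
    },
    "partial-firm.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dmarc": "v=DMARC1; p=quarantine; pct=10",
    },
    "no-dmarc.example": {"spf": "v=spf1 a mx ?all", "dmarc": None},
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_mechanism(record):
    """Return the qualifier of the terminal 'all' term ('-', '~', '?' or '+'),
    or None if the record has no 'all' term at all."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return None
    return match.group(1) or "+"  # an unqualified 'all' means '+all'


def assess_domain(spf, dmarc):
    """Return a list of findings; an empty list means the domain is enforced."""
    findings = []

    # SPF: only the 'all' qualifier is checked here. '~all' (softfail) is fine
    # under DMARC, which treats anything other than 'pass' as a failure.
    if spf is None or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no valid v=spf1 record")
    else:
        qualifier = spf_all_mechanism(spf)
        if qualifier in (None, "+"):
            findings.append("SPF: '+all' or missing 'all' authorises any sender")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral and gives receivers no signal")

    # DMARC: policy, coverage percentage, subdomain policy and reporting.
    if dmarc is None:
        findings.append("DMARC: no record at _dmarc.<domain>; spoofed mail is delivered")
        return findings
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record does not begin with v=DMARC1")
        return findings
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofs to junk rather than rejecting them")
    elif policy != "reject":
        findings.append(f"DMARC: invalid or missing policy tag p={policy!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves every subdomain unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody sees who is sending as you")
    return findings


def check_all(records=SAMPLE_RECORDS):
    """Assess every domain in the mapping; returns domain -> list of findings."""
    return {domain: assess_domain(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in check_all().items():
        status = "ENFORCED" if not findings else f"{len(findings)} finding(s)"
        print(f"{domain}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

A clean result only means that mail forging your exact domain will be rejected by receivers that honour DMARC. It says nothing about a lookalike domain the attacker registers, and it does not cover DKIM signing on your sending platform, which is why the checker is one line in the review rather than the whole of it.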

Business Email Compromise (BEC)

Attackers compromise a partner or fee earner's email account — typically with a password reused from another breached service, or with credentials and a session token captured by a phishing page — and monitor correspondence for weeks before acting. They then use the legitimate account to redirect payments or extract sensitive case information. MFA and conditional access policies stop the vast majority of these attacks, but note that adversary-in-the-middle phishing kits can relay one-time codes and push approvals, so phishing-resistant MFA (FIDO2 security keys or passkeys) is the stronger choice for partners and finance staff.

Ransomware targeting matter files

Ransomware groups specifically research law firms before attacking — they know that live litigation, court deadlines, and client pressure make payment far more likely. Immutable off-site backups and tested recovery procedures are the only genuine defence against paying a ransom to get data back. They do not, however, undo exfiltration: most groups now copy matter files before encrypting and threaten to publish them, so the controls above must be paired with access restrictions and monitoring that limit how much a single compromised account can read.

Insider threats — departing staff

Most UK firms now monitor for unusual document downloads in the 60 days before a known departure. Role-based access, audit logging, and immediate deprovisioning on the day of departure are essential controls the SRA expects to see in place.

Cyber Essentials and PI insurance: Many professional indemnity insurers are now tightening requirements and either mandating Cyber Essentials certification or excluding cyber-related claims for firms without it. Review your policy conditions carefully — your IT security posture now directly affects your coverage.

What a Legal IT Specialist Does That a Generalist Won't

The difference between a generalist IT provider and a legal sector specialist is not technical — it is contextual. A generalist can install MFA. A specialist knows why DMARC enforcement matters specifically for conveyancing firms, integrates with your practice management software without breaking compliance workflows, and produces documentation in the format your COLP needs for an SRA review.

Specifically, a legal IT specialist will:

  • Configure your Microsoft 365 tenant with information barriers between departments to prevent conflict-of-interest data leakage
  • Set up Microsoft Purview compliance centre for legal hold and eDiscovery capabilities
  • Integrate securely with Clio, LEAP, Actionstep, SOS, or Proclaim without creating shadow IT
  • Produce SRA-aligned documentation for your annual compliance review
  • Provide Data Processing Agreement and audit access rights documentation for your COLP
  • Support Cyber Essentials Plus preparation and assessor coordination

How Much Should a London Law Firm Spend on IT Security?

For a 5-partner firm with 15–25 staff, a realistic 2026 budget for a fully compliant IT security posture — covering Microsoft 365 Business Premium, managed detection and response, Cyber Essentials Plus, and annual awareness training — runs to approximately £20,000–£28,000 per year. That figure sounds significant until you compare it to the average cost of a ransomware recovery (typically £100,000–£500,000 for a mid-sized firm once downtime, recovery, and regulatory costs are included) or the reputational and regulatory consequences of a client data breach.

The more useful question is not what IT security costs — it is what the absence of it costs.

Next Steps for Your Firm

If you have read this checklist and identified gaps, the practical next step is a structured IT security review. Not a sales call — a genuine audit of your current infrastructure against SRA expectations, which produces a written report you can act on and present to your COLP.

Foxcomm has been providing specialist IT support to London law firms for over 16 years. Our legal sector team understands the SRA standards, integrates with the practice management software your firm already uses, and produces compliance documentation in the format your COLP needs.

Book a Free Legal IT Security Audit

A senior Foxcomm engineer will review your current IT infrastructure, map gaps against SRA requirements, and produce a written risk report — at no cost and no obligation. Typical audit takes 45 minutes.

Or call us directly: 020 3475 5466  ·  info@foxcomm.co.uk

Foxcomm IT — Devon Kayser

Foxcomm has provided specialist managed IT support to London law firms since 2009. ISO 27001 certified · Microsoft Solutions Partner · Cyber Essentials Plus accredited.