Cyber Security for UK Law Firms: Protecting Client Data

7 June 2026, 23 min read, by Softomate Solutions

UK law firms are among the most targeted businesses in the country: successful attacks rose 77% in a single year (954 versus 538), and the Law Society reports 65% of firms have been hit by a cyber incident. The minimum credible defence is Cyber Essentials, which the NCSC says blocks roughly 98% of common attacks, layered with multi-factor authentication, tested offline backups, endpoint protection, and staff training. Solicitors carry binding duties: the SRA Principles, UK GDPR, and a 72-hour ICO breach notification window. In 2025 the ICO fined DPP Law £60,000 after 32GB of client data was exfiltrated to the dark web. The honest position is that compliance and security are not the same thing, but for a regulated practice holding privileged data and client money, you need both. This guide maps each obligation to a concrete control and gives realistic 2026 UK costs.

Last updated: June 2026

Why Are UK Law Firms Such High-Value Cyber Targets?

Law firms are attacked because they sit on a unique combination of money and secrets. A typical practice holds large sums in its client account, processes high-value property transactions, and stores some of the most sensitive personal data in existence: divorce records, criminal defence files, commercial deal terms, immigration papers, and privileged correspondence. For an attacker, that is a target-rich environment where a single successful intrusion can yield both an immediate cash theft and a long tail of extortion leverage.

The NCSC has reported that around 75% of the UK's top 100 firms have experienced a cyber incident. That figure is not a reflection of negligence; it reflects how relentlessly the sector is probed. Conveyancing in particular is a magnet, because every transaction culminates in a large payment that moves between solicitor, buyer, seller and lender on a known timetable. Criminals understand that timetable better than some junior fee earners do.

There is also a trust dimension. When a client instructs a solicitor, they hand over information they would not give their own family. A breach is therefore not just an IT failure; it is a breach of the fiduciary and professional trust at the heart of the relationship. That is precisely why the SRA treats information security as a regulatory matter rather than a technical footnote.

Our view, having worked with regulated UK practices, is blunt: most firms underestimate how attractive they are. A 12-partner high street firm assumes it is too small to be noticed. In reality, smaller firms are often the easier target, because they have the same client funds and privileged data as a large practice but a fraction of the security budget and no in-house IT team. Attackers do not skip you because you are small. They choose you because you are.

The data the sector holds also has unusual longevity. A stolen credit card is cancelled within days; a stolen will, medical report, or set of completion statements stays sensitive for years. This persistence is what makes legal data so valuable on the dark web and so damaging when it leaks.

  • Client account funds, often six or seven figures, moving on predictable timelines.
  • Privileged and special-category personal data with long-term sensitivity.
  • High-value conveyancing transactions ripe for payment redirection.
  • Trusted email domains that lend credibility to onward phishing.
  • Strict deadlines that pressure staff into acting fast and skipping checks.

What Does the Threat Landscape Look Like for Legal Practices in 2026?

The threat is rising sharply, not plateauing. Successful attacks on UK firms climbed 77% in a single year, from 538 to 954, and the legal sector recorded 2,284 data breach incidents in the period to September 2024, a 39% year-on-year increase. Those breaches affected the data of roughly 7.9 million people, and one analysis counted 226 individual firms breached within a single year. These are not abstract national figures; they describe practices the size of yours.

What makes 2026 different from five years ago is the professionalisation of the attacker. Ransomware is now sold as a service, phishing kits are bought off the shelf, and generative AI has made fraudulent emails grammatically flawless and contextually convincing. The old advice to "look for spelling mistakes" is effectively dead. A modern business email compromise message will reference a real matter, a real fee earner, and a plausible completion date, because the attacker has been reading the mailbox for weeks before striking.

The Law Society's own findings should concentrate minds. Around 65% of firms have suffered a cyber incident, yet 72% have not bought cyber insurance and 35% have no mitigation plan at all. That is a sector that knows it is under attack and has, in large part, chosen not to prepare. The gap between awareness and action is the single biggest risk we see.

Indicator | Figure | What it means for you
--- | --- | ---
Rise in successful attacks year on year | 77% (538 to 954) | The base rate of getting hit is climbing fast
Firms hit by a cyber incident (Law Society) | 65% | Being targeted is the norm, not the exception
Top 100 firms with an incident (NCSC) | ~75% | Even well-resourced firms are not immune
Legal sector breach incidents to Sept 2024 | 2,284 (+39% YoY) | Volume and growth rate are both accelerating
Individuals affected by sector breaches | ~7.9 million | The downstream harm to clients is enormous
Firms with no mitigation plan | 35% | One in three is improvising under fire

The honest stance here is that the sector's complacency is now its biggest vulnerability. Firewalls and antivirus have improved; what has not improved fast enough is governance, training, and the willingness of partners to treat security as a board-level risk rather than an IT line item. The firms that get breached badly in 2026 will mostly be the ones that decided this was someone else's problem.

Which Cyber Attacks Hit Law Firms Most Often?

The SRA flags phishing, conveyancing fraud, and ransomware as the top three risks to the profession, and that ordering matches what we see in practice. Each exploits a different weakness: phishing targets people, conveyancing fraud targets process and timing, and ransomware targets the fragility of unprotected systems. Understanding the mechanics of each is the first step to defending against them, because the controls that stop one do not necessarily stop another.

Business email compromise (BEC) deserves special attention because it is the attack most likely to cost a firm money directly. There is no malware to detect and no obvious technical footprint. An attacker gains access to a mailbox, watches a live conveyancing matter, and then, at the moment funds are due, sends an email from a lookalike domain instructing the client to pay completion monies to a new account. The money is gone within minutes and rarely recovered.

Attack type | How it works | Primary defence
--- | --- | ---
Phishing | Fraudulent email or message tricks staff into revealing credentials or clicking malware | MFA, email filtering, staff training, DMARC
Business email compromise | Attacker accesses or spoofs a mailbox and redirects a payment | MFA, payment-verification call-backs, banking checks
Ransomware | Files encrypted and held to ransom, often with data theft first | Tested offline backups, patching, endpoint protection
Conveyancing (Friday afternoon) fraud | Payment redirected during a property completion | Verbal account verification, client warnings, dual authorisation
Credential stuffing | Reused passwords tried across services | Unique passwords, password manager, MFA

Consider a worked conveyancing scenario. A firm is acting on a £420,000 purchase completing on a Friday. Two weeks earlier, a fee earner clicked a convincing link and entered their Microsoft 365 password on a fake login page; there was no MFA. The attacker quietly set up a mailbox rule to hide their activity and read the matter file for days. On completion morning, the client received an email from what looked like the firm's address, citing the correct property, the correct solicitor, and a "last-minute change of bank details". The client paid. By the time anyone noticed, the money had been layered through three mule accounts. That single missing control, MFA, was the difference between an inconvenience and a £420,000 loss plus a regulatory investigation.
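The hidden mailbox rule in the scenario above leaves an audit trail, and that trail is where a defender catches the compromise before completion day. The following is an added example, not Softomate's code or the article's own: it scores constructed, simplified stand-ins for Exchange Online New-InboxRule audit records (the field layout and the domain examplefirm.test are assumptions) and flags the rules that delete, divert or forward payment-related mail.

```python
"""Triage inbox-rule creation events for the hiding behaviour used in BEC.

Added example for this article, not Softomate's code. The events below are
constructed, simplified stand-ins for Exchange Online 'New-InboxRule' audit
records; the field layout is an assumption for illustration only.
"""
from dataclasses import dataclass, field

FINANCE_WORDS = {"invoice", "completion", "bank", "payment", "account", "funds"}
# Folders attackers commonly file diverted mail into because users rarely open them.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


@dataclass
class Finding:
    user: str
    rule_name: str
    score: int
    reasons: list = field(default_factory=list)


def _params(event):
    """Flatten the record's Parameters list into {name: value} with string values."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def score_rule_event(event, firm_domain, threshold=2):
    """Score one New-InboxRule event; return a Finding if it meets the threshold."""
    if event.get("Operation") != "New-InboxRule":
        return None
    p = _params(event)
    score, reasons = 0, []
    if p.get("DeleteMessage", "").lower() == "true":
        score += 2
        reasons.append("auto-deletes matching mail")
    for key in FORWARD_PARAMS:
        addr = p.get(key, "").lower()
        if addr and not addr.endswith("@" + firm_domain.lower()):
            score += 2
            reasons.append(f"{key} sends mail outside the firm to {addr}")
    if p.get("MoveToFolder", "").lower() in HIDDEN_FOLDERS:
        score += 1
        reasons.append(f"files mail into rarely-viewed folder '{p['MoveToFolder']}'")
    text = (p.get("SubjectContainsWords", "") + " " + p.get("BodyContainsWords", "")).lower()
    hits = sorted(w for w in FINANCE_WORDS if w in text)
    if hits:
        score += 1
        reasons.append("targets payment traffic: " + ", ".join(hits))
    if len(p.get("Name", "").strip(". ")) == 0:
        score += 1
        reasons.append("rule name is blank or just punctuation")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("marks mail as read so it never shows as unread")
    if score < threshold:
        return None
    return Finding(event.get("UserId", "?"), p.get("Name", ""), score, reasons)


def triage(events, firm_domain):
    """Return findings for every event that crosses the threshold."""
    return [f for f in (score_rule_event(e, firm_domain) for e in events) if f]


# Constructed sample events (not real log data); addresses are placeholders.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "fee.earner@examplefirm.test",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "completion;bank details"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "paralegal@examplefirm.test",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "New-InboxRule", "UserId": "partner@examplefirm.test",
     "Parameters": [{"Name": "Name", "Value": "Backup"},
                    {"Name": "ForwardTo", "Value": "attacker-placeholder@example.net"}]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, "examplefirm.test"):
        print(f"{f.user}: rule '{f.rule_name}' score {f.score} -> {'; '.join(f.reasons)}")
```

The ordinary "file newsletters" rule scores zero and is ignored, while the dot-named rule that deletes completion mail and the external forward are both surfaced for review.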

The lesson is that the most expensive attacks are rarely the most technically sophisticated. They are the ones that exploit a human under deadline pressure who has no second checkpoint. Process controls, particularly verbal verification of any change to bank details, stop more conveyancing fraud than any piece of software. A robust intake and payment workflow, often delivered through business process automation, can hard-code those verification steps so they cannot be skipped under pressure.

What Are a Law Firm's SRA, ICO and GDPR Obligations?

A UK law firm has three overlapping sets of duties: regulatory (SRA Standards and Regulations, and Lexcel for accredited firms), data protection (UK GDPR and the Data Protection Act 2018, enforced by the ICO), and contractual or professional duties of confidentiality. These are not optional and they are not satisfied by simply having antivirus installed. The regulator expects you to identify the risks, put proportionate controls in place, and be able to demonstrate that you did.

Under the SRA, Principle 2 requires you to act in a way that upholds public trust and confidence in the profession, and the client-money rules in the SRA Accounts Rules place strict obligations on safeguarding funds. A cyber incident that exposes client data or loses client money can breach multiple Principles at once. The SRA expects firms to have appropriate systems and controls, and it can investigate and discipline where those are found wanting.

The ICO dimension is where many firms get caught out. A personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of becoming aware of it. If the risk is high, the affected individuals must also be told without undue delay. Failure to report, or reporting late without justification, is itself an infringement. The penalties are real: in 2025 the ICO fined DPP Law £60,000 after attackers exfiltrated 32GB of client data, which then appeared on the dark web.

Obligation | Source | Mapped control
--- | --- | ---
Uphold public trust; protect client interests | SRA Principles (esp. Principle 2) | Documented security policy, risk assessment, training
Safeguard client money | SRA Accounts Rules | Payment verification, dual authorisation, BEC controls
Keep personal data secure | UK GDPR Art. 5(1)(f) and Art. 32 | Encryption, access control, MFA, backups
Report qualifying breaches in 72 hours | UK GDPR Art. 33 / DPA 2018 | Incident response plan, breach log, named DPO contact
Notify affected individuals (high risk) | UK GDPR Art. 34 | Communication templates, client contact records
Maintain practice management standards | Lexcel (if accredited) | Information management plan, supplier due diligence

Our honest opinion is that firms should stop treating SRA and ICO compliance as separate workstreams. They overlap almost completely at the control level. A single set of well-chosen technical and process controls, properly documented, satisfies the SRA's expectation of "appropriate systems", the UK GDPR's "appropriate technical and organisational measures", and Lexcel's information management requirements. Build the controls once, document them properly, and you have evidence for all three regulators. The mistake is buying technology without writing anything down, because the regulator's first question after an incident is always: show me your policy, your risk assessment, and your training records.

You should also be clear about who reports to whom. The firm reports a qualifying personal data breach to the ICO; the COLP considers whether the SRA must be notified of a serious breach of the rules; and the firm's banking partners and insurers have their own notification clauses. Knowing these reporting lines in advance, and who triggers each, removes hours of panic on the day it matters.

Which Technical Controls Must a UK Law Firm Have in Place?

The non-negotiable technical baseline for a UK law firm is multi-factor authentication everywhere, prompt patching, business-grade endpoint protection, encryption of devices and data at rest, tested and offline backups, strict access controls, and correctly configured email and firewall security. These are the controls that map directly to UK GDPR Article 32 and that Cyber Essentials assesses. If any one is missing, you have a gap a regulator and an attacker can both exploit.

Multi-factor authentication is the single highest-value control. The Microsoft and NCSC consensus is that MFA blocks the overwhelming majority of account-takeover attacks, and almost every business email compromise case we have reviewed began with a password-only login. If you do nothing else this quarter, switch on MFA across email, remote access, and your practice management and case management systems. It is usually free and it closes the door that most attackers walk through.

Backups are the control most often misunderstood. A backup that is permanently connected to your network is not a backup against ransomware; it is just another thing the attacker encrypts. The honest rule is the 3-2-1 standard: three copies of your data, on two different media, with one copy offline or immutable and off-site. And an untested backup is a hope, not a control. You must restore from it periodically to prove it works, because the worst time to discover your backup is corrupt is the morning after a ransomware attack.

  1. Multi-factor authentication on email, VPN, and all case and practice management systems.
  2. Patch management with operating systems and applications updated within days, not months.
  3. Endpoint detection and response on every device, not just consumer antivirus.
  4. Full-disk encryption on laptops, mobiles, and any portable media.
  5. Tested offline or immutable backups following the 3-2-1 rule, restored regularly.
  6. Least-privilege access control so staff can only reach the data their role requires.
  7. Email authentication via SPF, DKIM and DMARC to stop domain spoofing.
  8. Firewall and secure configuration with default credentials removed and unused services closed.

Control | Stops which attack | Typical effort to deploy
--- | --- | ---
Multi-factor authentication | BEC, phishing, credential stuffing | Low (days)
Tested offline backups | Ransomware data loss | Medium (weeks)
Endpoint detection and response | Ransomware, malware | Medium (weeks)
DMARC enforcement | Domain spoofing, BEC | Medium (weeks)
Least-privilege access | Insider risk, lateral movement | Medium (ongoing)
Full-disk encryption | Lost or stolen device data exposure | Low (days)
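"DMARC enforcement" in the table above means more than publishing a record: a policy of p=none, a partial pct, or an SPF record ending in ~all still lets spoofed mail through. The following is an added example, not Softomate's or the article's own code: it assesses SPF and DMARC record strings as you would retrieve them from DNS TXT lookups (no network access is made) and reports the weak settings beside their enforced forms. The sample records are constructed for the placeholder domain examplefirm.test and assume a Microsoft 365 tenant.

```python
"""Assess published SPF and DMARC records for genuine enforcement.

Added example for this article, not Softomate's code. Record strings are
parsed offline; the samples below are constructed for a placeholder domain.
"""


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; pct=50' into {'v': 'DMARC1', 'p': 'none', 'pct': '50'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means the record is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p", "").lower()
    enforcing = policy in ("quarantine", "reject")
    if not enforcing:
        issues.append(f"p={policy or 'missing'}: spoofed mail is still delivered (monitor-only)")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if enforcing and pct < 100:
        issues.append(f"pct={tags['pct']}: policy applies to only {pct}% of failing mail")
    # Subdomain policy defaults to p; an explicit weaker sp reopens the door.
    sub = tags.get("sp", policy).lower()
    if enforcing and sub not in ("quarantine", "reject"):
        issues.append(f"sp={sub}: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports of spoofing attempts")
    return issues


def assess_spf(record):
    """Flag SPF records that do not hard-fail unauthorised senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not a valid SPF record (missing v=spf1)"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return ["'+all' authorises every sender on the internet"]
    if last == "?all":
        return ["'?all' is neutral: unknown senders are neither passed nor failed"]
    if last == "~all":
        return ["'~all' soft-fails: spoofed mail is usually still delivered"]
    if last != "-all":
        return ["no terminal 'all' mechanism: unauthorised senders are not rejected"]
    return []


# Constructed sample records for a placeholder Microsoft 365 tenant.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@examplefirm.test"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    for label, rec, check in (("weak DMARC", WEAK_DMARC, assess_dmarc),
                              ("strong DMARC", STRONG_DMARC, assess_dmarc),
                              ("weak SPF", WEAK_SPF, assess_spf),
                              ("strong SPF", STRONG_SPF, assess_spf)):
        print(f"{label}: {check(rec) or ['enforcing']}")
```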

Technology alone, however, will not save you, because the human factor remains the most exploited weakness. Regular, specific staff training, ideally with simulated phishing tests, turns your fee earners from the weakest link into a human firewall. Train people to verify any change of bank details by telephone using a number they already hold, to be sceptical of urgency, and to report suspicious emails without fear of blame. A culture where reporting a mistake is rewarded rather than punished catches attacks that no software will. Where workflows are complex, embedding verification logic into your custom CRM and case management systems ensures the safe path is also the easy path.

Is Cyber Essentials Worth It and What Does It Cost?

Yes, Cyber Essentials is worth it for almost every UK law firm, and the self-assessed certification is straightforward and low-effort to obtain. The NCSC states that the five Cyber Essentials controls defend against roughly 98% of the most common internet-based attacks, which makes it one of the highest-return security investments a practice can make. It is also increasingly expected by insurers, public-sector clients, and corporate clients running supplier due diligence.

There are two tiers. Standard Cyber Essentials is a self-assessment questionnaire verified by a certification body, suitable for smaller firms establishing a baseline. Cyber Essentials Plus adds a hands-on technical audit by an assessor who actively tests your systems, which is more rigorous and is often required by larger clients or for higher-risk work. For most firms we advise starting with standard certification, fixing the inevitable gaps it surfaces, and progressing to Plus when a client contract or risk appetite demands it.

Option | Indicative 2026 cost | What you get
--- | --- | ---
Cyber Essentials (self-assessment) | Self-assessed tier | Verified questionnaire across five core controls
Cyber Essentials Plus | From ~£1,500 + VAT | Hands-on technical audit and vulnerability testing
Managed security package | From ~£5,500 / year | Ongoing monitoring, patching, backups and support
Cyber insurance premium | Varies; often £1,000-£5,000+ / year | Financial cover and incident-response support
Cost of a serious breach | £60,000 fine (DPP Law) plus losses | Fines, client loss, reputational damage, recovery

The cost-versus-benefit calculation is not close. The DPP Law case alone produced a £60,000 ICO fine, before counting the cost of lost clients, professional indemnity implications, remediation, and the reputational damage of having client data published on the dark web. Set that against a few hundred pounds for certification and a few thousand for a managed package, and the economics are obvious. Credibly defending against 98% of common attacks this way is one of the few genuine bargains in business.

Our stance on cyber insurance is that it is necessary but not a substitute for controls. With 72% of firms uninsured, the sector is dangerously exposed to the direct financial impact of an incident. But insurers increasingly require evidence of MFA, backups and Cyber Essentials before they will pay out, and some will void cover if you misrepresented your controls. Insurance is the financial backstop; the controls are what stop the claim arising in the first place. Buy both, and be honest on the application form.

What Should a Law Firm Do in the First 72 Hours of a Breach?

In the first 72 hours of a suspected breach, your priorities are to contain the incident, assess what personal data is affected, and report to the ICO within the 72-hour window if the breach is likely to risk individuals' rights. The clock starts when you become aware of the breach, not when you finish investigating it, so the worst response is to spend three days quietly investigating and then realise you are already late. Speed and documentation are everything.

Containment comes first. Isolate affected systems, force password resets, revoke compromised sessions, and preserve evidence rather than wiping machines, because your forensic investigators and your insurer will need that data. Then convene your incident response team: the COLP, the DPO or data protection lead, IT or your managed provider, and a senior partner with authority to make decisions and authorise spend. Having these roles named in advance, before the day, saves the hours you cannot afford to lose.

Timeframe | Action | Owner
--- | --- | ---
0-1 hours | Contain: isolate systems, reset passwords, preserve evidence | IT / managed provider
1-4 hours | Convene incident team; begin breach log | COLP / DPO
4-24 hours | Assess scope: what data, whose, what risk level | DPO / IT
Within 72 hours | Report to ICO if risk to individuals is likely | DPO
Without undue delay | Notify affected individuals if risk is high | DPO / partners
Parallel | Notify insurer, bank, and consider SRA notification | COLP / partner
Post-incident | Root-cause review; remediate; update controls | Whole team

Documentation is not bureaucracy; it is your defence. Keep a contemporaneous breach log recording when you became aware, what you knew at each point, what decisions you took and why, and when you reported. If you decide a breach does not meet the threshold for ICO reporting, write down that reasoning too, because the UK GDPR requires you to document all breaches whether or not you report them. When the ICO reviews a case, a firm that contained quickly, reasoned carefully, and recorded everything is treated very differently from one that panicked and lost the timeline.

Business continuity sits alongside breach reporting. While you contain and report, the firm still has hearings, completions and deadlines. A tested business continuity plan, including how you operate if your main systems are down and where you communicate with clients, is what keeps a security incident from becoming a practice-ending event. The firms that recover well are the ones that rehearsed the bad day before it arrived.

What Does the Softomate Implementation Process Look Like?

Softomate helps UK law firms move from an unknown, unmanaged risk position to a documented, regulator-aligned security posture through a fixed-quote, five-stage process. We are a London-based software and automation agency in Stanmore (HA7), and our role is to translate the SRA, ICO and Cyber Essentials requirements into concrete systems your team actually uses. We do not sell fear; we build the controls, automate the safe workflows, and give you the evidence pack that satisfies your regulators.

Our approach combines security controls with the workflow automation that makes them stick. There is little point hardening your email if your conveyancing payment process still relies on a fee earner remembering to phone the client. We embed verification and authorisation steps into your case management and intake systems, often using GoHighLevel automation or a bespoke build, so the secure path is the default path. Where appropriate we also deploy an AI chatbot or assistant that handles client intake safely without exposing your mailbox to avoidable risk.

  1. Discovery and risk assessment. We audit your current controls against SRA expectations, UK GDPR Article 32, and the Cyber Essentials baseline, then produce a prioritised gap report.
  2. Design and fixed quote. We design the control set and automated workflows, and give you a single fixed-quote proposal with no open-ended hourly billing.
  3. Implementation. We deploy MFA, backups, endpoint protection, email authentication, and access controls, and automate your high-risk payment and intake workflows.
  4. Documentation and certification support. We produce your security policy, risk assessment and breach response plan, and support your Cyber Essentials application.
  5. Ongoing monitoring and review. We provide managed monitoring, patching, backup testing, and a scheduled review so your posture stays current as threats evolve.

Stage | Typical timeline | Key deliverable
--- | --- | ---
Discovery and risk assessment | Week 1-2 | Prioritised gap report
Design and fixed quote | Week 2-3 | Control design plus fixed-price proposal
Implementation | Week 3-6 | Deployed controls and automated workflows
Documentation and certification | Week 6-8 | Policy pack and Cyber Essentials submission
Ongoing monitoring | Continuous | Monthly review and managed support

Our pricing is transparent. A foundational security and Cyber Essentials readiness project for a small to mid-sized firm typically starts from around £4,500 plus VAT for the implementation phase, with ongoing managed security packages from approximately £5,500 per year depending on headcount and systems. We quote fixed prices after the discovery stage so you know the full cost before committing, and we will tell you honestly if a simpler in-house fix is all you need. To discuss your firm's position, you can read more about our wider automation and security services or contact the team directly.

Frequently Asked Questions

Is Cyber Essentials mandatory for law firms?

No, Cyber Essentials is not legally mandatory for most law firms, but it is strongly expected. Many insurers, public-sector clients and corporate clients now require it, and it demonstrates the "appropriate technical measures" that the SRA and UK GDPR expect. It is the most cost-effective way to evidence a credible baseline.

What must we report to the SRA after a cyber attack?

You should notify the SRA of any serious breach of the Standards and Regulations, which a significant cyber incident affecting client money or confidentiality may amount to. The COLP decides whether the threshold is met. This is separate from your ICO obligation to report a qualifying personal data breach within 72 hours, and both may apply at once.

How quickly must a law firm report a data breach to the ICO?

Within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. The deadline runs from awareness, not from completing your investigation. If the risk to individuals is high, you must also tell the affected people without undue delay under Article 34 of the UK GDPR.

What is Friday afternoon fraud in conveyancing?

It is a form of business email compromise where criminals redirect property completion funds, typically late in the week when transactions complete and staff are rushed. The attacker sends fake bank-detail changes from a compromised or spoofed address. The defence is verbal verification of any account change using a number you already hold, plus dual authorisation of payments.

How much does a cyber breach cost a UK law firm?

Costs vary widely, but the direct figures are sobering. In 2025 the ICO fined DPP Law £60,000 after 32GB of client data reached the dark web. On top of fines come lost clients, professional indemnity consequences, forensic and recovery costs, and reputational damage. A serious conveyancing fraud can also mean a six-figure loss of client money.

Does multi-factor authentication really stop most attacks?

It stops the large majority of account-takeover attacks, which are the starting point for most business email compromise and phishing-led intrusions. The NCSC and Microsoft both rate MFA as one of the single most effective controls available. It is usually free to enable on email and case management systems, and it should be your first action if you have not already deployed it.

Do small law firms really get targeted?

Yes, and often more readily than large ones. Smaller practices hold the same client funds and privileged data but typically have weaker controls, no in-house IT, and less security training. Attackers choose smaller firms precisely because they are easier to compromise while still offering valuable conveyancing payments and sensitive personal data to exploit or extort.

How often should backups be tested?

At minimum quarterly, and ideally monthly for critical systems. An untested backup is a hope, not a control, and ransomware victims frequently discover their backups were incomplete or also encrypted. Follow the 3-2-1 rule with at least one offline or immutable copy, and perform a full restore test so you know recovery actually works before you need it.

Is cyber insurance worth it if we have good controls?

Yes. Controls reduce the chance of an incident, but no defence is perfect, and insurance covers the financial impact and provides incident-response support when something does get through. With 72% of firms uninsured, the sector is dangerously exposed. Note that insurers increasingly require MFA, backups and Cyber Essentials, so good controls also lower your premium.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a verified self-assessment across five core controls, suitable for establishing a baseline. Cyber Essentials Plus adds a hands-on technical audit where an assessor actively tests your systems, costing more but giving stronger assurance. Larger clients and higher-risk work often require the Plus level as part of supplier due diligence.

The numbers settle the argument. Successful attacks on UK firms rose 77% in a year, 65% of firms have already been hit, and one in three has no mitigation plan. Against that, Cyber Essentials defends against roughly 98% of common attacks, and multi-factor authentication alone closes the door most intruders use. Your obligations are clear: SRA Principles, UK GDPR Article 32, and the 72-hour ICO reporting window, with a £60,000 fine in 2025 showing the regulator will act. The practical path is to deploy MFA, tested offline backups, endpoint protection and email authentication, document your controls once to satisfy all three regulators, train your people, and rehearse your incident response. Do this and you move from being an easy target to a hard one. The firms that act now will be the ones still trusted with client data, and client money, when the next wave of attacks arrives.

If your firm needs help mapping these obligations to concrete, automated controls, our team can audit your current position and deliver a fixed-quote plan. Explore our business process automation and security services or get in touch with Softomate to start a no-obligation conversation.

Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based software development and AI automation agency in Stanmore (HA7). With over 12 years building software, CRM and automation systems for UK businesses, including regulated professional-services firms, Deen specialises in turning compliance requirements into practical, automated systems that staff actually use. Softomate Solutions is registered at Companies House. Learn more about our team and approach.
