Cyber Essentials for Solicitors and Law Firms: What the SRA Expects in 2026
The legal sector handles some of the most sensitive data in the UK economy. Client funds, privileged communications, personal injury records, property transactions, criminal case files - all of it sitting in law firm systems that are increasingly targeted by threat actors.
The regulatory landscape has shifted. From October 2025, the Legal Aid Agency requires Cyber Essentials certification for all firms holding criminal legal aid contracts. The Solicitors Regulation Authority does not yet mandate a specific certification, but its position on cyber security has hardened considerably.
This article sets out what law firms need to know, what the regulators expect, and how to get certified.
The Legal Aid Agency Mandate
From 1 October 2025, any practice holding a Criminal Legal Aid contract must hold a valid Cyber Essentials certificate. This is not guidance - it is a contractual requirement. Without certification, firms risk being unable to renew or continue their legal aid contracts.
The requirement applies to standard Cyber Essentials (not Plus), though firms handling particularly sensitive case data should consider whether Plus provides additional assurance.
This mandate affects an estimated 1,200 legal aid firms across England and Wales. If your firm holds a criminal legal aid contract and does not yet have Cyber Essentials, you are already overdue.
The SRA Position: "Appropriate Systems and Controls"
The Solicitors Regulation Authority takes a principles-based approach. It does not mandate a specific certification, but its expectations are clear.
Under SRA Principle 2 and the Code of Conduct for Firms, solicitors must act in a way that upholds public trust and confidence. The SRA interprets this to include maintaining appropriate systems and controls to protect client data and client money.
In practical terms, the SRA considers the following to represent a failure to take "reasonable steps":
- Not enforcing multi-factor authentication on email systems (particularly where client money is handled)
- Failing to maintain up-to-date software and security patches
- Not having documented procedures for handling cyber incidents
- Inadequate access controls around client files and accounts
The SRA has increasingly used its supervisory powers to investigate firms following data breaches. Firms that cannot demonstrate foundational technical controls face regulatory action, including conditions on their practising certificates, fines, and in serious cases, intervention.
Cyber Essentials certification does not guarantee SRA compliance, but it demonstrates that the five foundational technical controls are in place. In the event of a breach, holding current certification provides documented evidence that reasonable steps were taken.
Why Law Firms Are Targeted
Law firms are attractive targets for three reasons:
Client funds. Conveyancing firms routinely handle six- and seven-figure sums. Business email compromise attacks targeting property transactions remain one of the most common fraud vectors in the UK. The SRA reported that firms lost over £3.4 million to cyber crime in the 12 months to November 2023, with conveyancing fraud accounting for the largest share.
Privileged information. Legal professional privilege makes law firm data uniquely valuable for corporate espionage, insider trading, and blackmail. Mergers and acquisitions files, litigation strategies, and regulatory submissions all carry significant value to the right buyer.
Perceived weakness. Many law firms, particularly smaller high street practices, operate with limited IT budgets and rely on consumer-grade security tools. Threat actors know this. The National Cyber Security Centre has published specific guidance for the legal sector precisely because the threat level is elevated.
What Cyber Essentials Requires
The five controls map directly to the risks law firms face:
Firewalls - your network boundary must be protected. This includes the router provided by your ISP (which must have its default password changed) and any software firewalls on individual devices. For firms using cloud-based practice management systems, this extends to the configuration of those cloud services.
Secure configuration - default passwords must be changed, unnecessary software removed, and auto-run disabled. For law firms, this means locking down your case management system, document management platform, and email environment.
Access control - each user must have their own account with appropriate privileges. Shared logins (common in smaller firms) must be eliminated. Admin accounts must only be used for administrative tasks. From v3.3, multi-factor authentication is mandatory for all cloud services and administrator accounts.
Malware protection - anti-malware software must be active and up to date on all devices. For firms allowing BYOD or remote working, this applies to every device that accesses firm systems.
Patch management - critical and high-severity patches must be applied within 14 days of release. This includes your operating system, browsers, email clients, and practice management software.
The MFA Question
From 28 April 2026, Cyber Essentials v3.3 makes multi-factor authentication mandatory for all cloud services and all administrator accounts. This aligns directly with the SRA's position that a lack of MFA on email constitutes a failure to take reasonable steps to protect client money.
For law firms, this means MFA on:
- Microsoft 365 or Google Workspace (email and documents)
- Your practice management system (if cloud-hosted)
- Your accounts and client money system
- Any remote access tools (VPN, remote desktop)
- Any file sharing or collaboration platforms
If your firm has not yet rolled out MFA across all these services, address it before your Cyber Essentials assessment. It is both a certification requirement and an SRA expectation.
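As an added illustration (not code from the original article or from Fig), the Python check below applies the access-control, MFA and 14-day patching rules described above to a constructed account and patch inventory; the inventory fields, logins and host names are assumptions, not real firm data.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # Cyber Essentials deadline for critical/high patches
TODAY = date(2026, 3, 20)           # assumed assessment date for the sample run

# Constructed sample inventory for a hypothetical small firm (not real data).
ACCOUNTS = [
    {"login": "j.smith", "people": ["J Smith"], "admin": False,
     "cloud": True, "mfa": True, "tasks": {"email"}},
    {"login": "reception", "people": ["A Jones", "B Patel"], "admin": False,
     "cloud": True, "mfa": False, "tasks": {"email"}},          # shared login, no MFA
    {"login": "itadmin", "people": ["C Lee"], "admin": True,
     "cloud": True, "mfa": True, "tasks": {"admin", "email"}},  # admin account used for email
]
PATCHES = [
    {"host": "ws-01", "severity": "critical", "released": date(2026, 3, 1), "installed": date(2026, 3, 10)},
    {"host": "ws-02", "severity": "high", "released": date(2026, 3, 1), "installed": None},
    {"host": "ws-02", "severity": "low", "released": date(2026, 1, 1), "installed": None},
]

def check_accounts(accounts):
    """Access-control gaps: shared logins, admin accounts doing daily work, cloud/admin accounts without MFA."""
    findings = []
    for a in accounts:
        if len(a["people"]) > 1:
            findings.append(("access-control", a["login"], "shared login"))
        if a["admin"] and a["tasks"] - {"admin"}:
            findings.append(("access-control", a["login"], "admin account used for non-admin tasks"))
        if (a["cloud"] or a["admin"]) and not a["mfa"]:
            findings.append(("access-control", a["login"], "MFA not enforced"))
    return findings

def check_patches(patches, today):
    """Patch-management gaps: critical/high patches not applied within 14 days of release."""
    findings = []
    for p in patches:
        if p["severity"] not in ("critical", "high"):
            continue                      # lower severities are outside the 14-day rule
        applied = p["installed"] or today  # still missing: measure against today
        if applied - p["released"] > PATCH_WINDOW:
            findings.append(("patch-management", p["host"], f"{p['severity']} patch outside 14-day window"))
    return findings

def gap_report(accounts, patches, today):
    """Combined list of (control, subject, issue) tuples to fix before the assessment."""
    return check_accounts(accounts) + check_patches(patches, today)

if __name__ == "__main__":
    for control, subject, issue in gap_report(ACCOUNTS, PATCHES, TODAY):
        print(f"[{control}] {subject}: {issue}")
```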
Professional Indemnity Insurance
Cyber Essentials certification is increasingly relevant to professional indemnity insurance. Several PI insurers now ask whether firms hold Cyber Essentials as part of the renewal process. While it is not universally required, firms with certification may benefit from more favourable terms.
Separately, standalone cyber insurance policies almost universally ask about MFA, patching, and access controls - exactly the areas Cyber Essentials covers. Holding certification simplifies the application process and provides documented evidence of your security posture.
Getting Certified
For solicitors and law firms, the certification process is straightforward:
1. Assess your position - Use Fig's free readiness tool to check your current compliance against the five controls
2. Address gaps - The most common gaps for law firms are MFA not being enforced on all cloud services, shared user accounts, and overdue software updates
3. Complete the assessment - The Cyber Essentials questionnaire asks about your technical controls across the five themes. Answer based on your actual configuration, not your intended configuration
4. Same-day certification - Purchase through Fig before 12:00 midday and receive your Cyber Essentials certificate the same working day
For firms that need Plus certification (required by some larger clients and panel memberships), allow 1-3 working days for the technical audit.
Maintaining Certification
Cyber Essentials certificates are valid for 12 months. Set a calendar reminder to renew 4-6 weeks before expiry. Letting certification lapse creates a gap that could affect your legal aid contract, client relationships, or insurance coverage.
If your firm's IT environment changes significantly during the year (new practice management system, office move, shift to cloud services), review your controls against the Cyber Essentials requirements to ensure you remain compliant.