
Cyber Security for Solicitors UK 2026: SRA, Lexcel & Conveyancing Fraud Guide

Quick Answer: UK law firms face SRA Standards and Regulations 2019 obligations for confidentiality (Principle 6), client money safety, and the SRA’s 2024 sectoral cyber-risk warnings. The Solicitors Regulation Authority has published increasingly stern guidance after a series of conveyancing-fraud incidents. A typical 5-partner UK practice should budget £8,000–£20,000/year on cyber, including Cyber Essentials Plus, encrypted client portal, MDR with conveyancing-fraud detection rules, and an SRA-aligned incident response plan.

Solicitor firms are second only to accountants in UK B2B cyber attack frequency, and arguably more exposed because of the size of individual transactions they handle. A single conveyancing completion sees six-figure deposits move between solicitor client accounts and buyer/seller accounts — and this is exactly where attackers concentrate. The SRA’s recent enforcement action against firms following client-money loss events makes one thing clear: the regulator now expects practices to demonstrate active, documented cyber programmes, not just “we use a password.”

This guide explains the cyber controls UK law firms need in 2026 to satisfy the SRA, the Solicitors Indemnity Fund expectations, the requirements of the Lexcel and CQS quality marks, and — most importantly — to actually defend against the conveyancing fraud, BEC and ransomware attacks specifically targeting the sector.

What the SRA expects from UK law firms in 2026

SRA Standards and Regulations 2019

The principles and rules most often cited in cyber-related SRA enforcement:

  • Principle 6: Act in a way that encourages equality, diversity and inclusion. Often combined with Principle 5 (act with integrity) when client losses occur.
  • Principle 7: Act in the best interests of each client. Failure to safeguard client data is read as a breach of this principle.
  • Code of Conduct for Solicitors 6.3 / Code of Conduct for Firms 8.6: Confidentiality of client information.
  • SRA Accounts Rules: Client money must be safeguarded. Conveyancing-fraud losses fall directly under these rules — firms have been required to make good losses from their own funds where controls were inadequate.

SRA Risk Outlook

The SRA’s annual Risk Outlook has flagged cyber as a priority risk every year since 2020. The 2024 update specifically identified phishing, conveyancing fraud and ransomware as the three highest-impact risks to UK firms.

Lexcel and CQS

The Law Society’s Lexcel quality standard requires documented information-security policies, including risk assessment, training, business continuity and incident response. The Conveyancing Quality Scheme (CQS) goes further with conveyancing-specific requirements around identity verification, client account security and bank-account-change verification protocols.

Solicitors Indemnity Fund & PII

Solicitor PII policies have all introduced cyber sub-limits and exclusions over the last three years. Several insurers now require Cyber Essentials as a precondition for renewal at a competitive premium. See our separate guide to cyber insurance for UK law firms.

The threats UK law firms actually face

1. Conveyancing fraud (Friday afternoon fraud)

The dominant cyber-financial loss for UK law firms. Pattern:

  1. Attacker compromises a partner’s or conveyancer’s email mailbox via phishing or credential stuffing.
  2. Attacker monitors active conveyancing matters for a fortnight.
  3. On completion day — typically Friday afternoon — attacker emails the buyer (impersonating the firm) with “updated” bank details for the deposit.
  4. Buyer transfers six-figure sum to attacker’s account.
  5. Funds are laundered through mule accounts within hours; bank recovery rarely succeeds.

UK conveyancing-fraud losses run into tens of millions annually. The defence is layered: enforce MFA on every solicitor mailbox; configure email anti-impersonation rules; provide buyers with bank details up-front in the engagement letter and tell them in writing that bank details will never change by email; verify any change verbally on a known phone number.

2. CEO / managing partner BEC

Same pattern as conveyancing fraud but targeting internal transfers, fee invoicing and supplier payments. See our detailed BEC guide.

3. Ransomware on case management systems

Practice management systems (LEAP, Clio, Tikit, Visualfiles, Proclaim, Eclipse) hold years of case files. Ransomware encrypting these systems can stop a firm operating for days. Several mid-sized UK firms have been forced to inform clients of completion delays following ransomware events — a regulatory and reputational catastrophe.

4. Client identity-verification fraud

Attackers impersonate clients for property purchases, lasting power of attorney executions or grant of probate. AI-generated documents and deepfaked video calls have made this dramatically easier in 2024–2025. More on AI-driven impersonation.

5. Insider data theft on partner moves

Partners moving firms occasionally take client lists, contact data and matter histories. Most UK firms now monitor for unusual document downloads in the 60 days before a known leaver date.
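The leaver-window monitoring described above, as an added example that is not the page's or any vendor's code: it reads a constructed leaver register and a constructed file-access audit log (field shapes are assumptions, not a real export format), compares each leaver's downloads in the last 14 days against their own earlier baseline, and raises an alert only when the leaver date is within 60 days.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed leaver register: user -> known last day (assumption, not a real export).
LEAVER_DATES = {"a.partner@examplefirm.co.uk": date(2026, 3, 31)}

BASE_START = date(2026, 1, 5)  # a Monday


def _weekday_dates(start, days):
    return [start + timedelta(days=d) for d in range(days)
            if (start + timedelta(days=d)).weekday() < 5]


# Constructed audit log: (user, day, action). The partner downloads one file per
# working day for eight weeks, then 180 files in a single day four weeks before leaving.
# The associate downloads 180 files too, but has no leaver date, so is not in scope.
AUDIT_LOG = (
    [("a.partner@examplefirm.co.uk", d, "FileDownloaded") for d in _weekday_dates(BASE_START, 56)]
    + [("a.partner@examplefirm.co.uk", date(2026, 3, 2), "FileDownloaded")] * 180
    + [("b.assoc@examplefirm.co.uk", date(2026, 3, 2), "FileDownloaded")] * 180
)

AS_OF = date(2026, 3, 3)  # the day the monthly/weekly report is run


def downloads_by_day(log, user):
    return Counter(d for u, d, a in log if u == user and a == "FileDownloaded")


def flag_leaver_downloads(log, leavers, today, window_days=60, lookback=14,
                          baseline_days=56, ratio=3.0):
    """Alert when a known leaver's recent downloads exceed ratio x their own baseline."""
    alerts = []
    for user, leave_on in leavers.items():
        if not 0 <= (leave_on - today).days <= window_days:
            continue  # not within the pre-departure window the page describes
        per_day = downloads_by_day(log, user)
        recent_from = today - timedelta(days=lookback)
        recent = sum(n for d, n in per_day.items() if recent_from < d <= today)
        base_from = recent_from - timedelta(days=baseline_days)
        base = sum(n for d, n in per_day.items() if base_from < d <= recent_from)
        expected = base * lookback / baseline_days  # baseline scaled to the lookback length
        if recent > ratio * max(expected, 1):
            alerts.append({"user": user, "recent": recent,
                           "expected": round(expected, 1), "leaves": leave_on})
    return alerts


def run_report():
    return flag_leaver_downloads(AUDIT_LOG, LEAVER_DATES, AS_OF)
```

The baseline is per user rather than firm-wide, so a conveyancer who always downloads heavily does not trip the rule while a partner who suddenly does will.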


The cyber controls every UK law firm should have in 2026

Identity & access

  • MFA on every email account, every cloud app, every remote-access route. No exceptions for senior partners.
  • Conditional access blocking sign-in from outside the UK by default.
  • Privileged Access Management separating admin accounts from daily-driver accounts.
  • Quarterly access reviews tracking joiners, leavers and movers.

Email security — the most-leveraged control for law firms

  • SPF, DKIM, DMARC at p=reject (most law firms run p=none, which only generates reports and does not stop spoofed mail being delivered).
  • Microsoft Defender for Office 365 P1 or equivalent third-party tier.
  • External-sender warnings tagged on all inbound mail.
  • Anti-impersonation rules detecting display-name spoofing of partners.
  • “Look-alike domain” monitoring against the firm’s primary domain (e.g. attackers register firmname.co.uk vs your firmname.com).
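An added example (not the page's or any vendor's code) of checking where a firm's domain sits on the SPF/DMARC items above: it parses the DNS TXT records a firm would publish and reports the weak settings the list warns about, in particular p=none. The lookup table stands in for real DNS queries and the domain and records in it are constructed.

```python
# Constructed DNS answers standing in for a real resolver; names and values are assumptions.
DNS_TXT = {
    "examplefirm.co.uk": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.examplefirm.co.uk": ["v=DMARC1; p=none; rua=mailto:dmarc@examplefirm.co.uk"],
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, txt: dict) -> list:
    """Return a list of findings; an empty list means SPF and DMARC are in the enforced state."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("No SPF record published")
    else:
        tail = spf[0].rstrip()
        if tail.endswith("+all") or tail.endswith("?all"):
            findings.append("SPF ends in +all/?all: any server may send as the firm")
        elif tail.endswith("~all"):
            findings.append("SPF softfail (~all): move to -all once DMARC is enforced")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("No DMARC record published")
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: reports only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to junk, move to p=reject")
    pct = tags.get("pct", "100")
    if policy != "none" and pct != "100":
        findings.append("DMARC pct=" + pct + ": policy applied to only part of mail flow")
    if "rua" not in tags:
        findings.append("No rua= reporting address: the firm cannot see spoofing attempts")
    return findings
```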

Endpoint & mobile

  • EDR on every device. Microsoft Defender for Business is sufficient for most firms; SentinelOne / CrowdStrike for larger practices. See our EDR comparison.
  • BitLocker / FileVault encryption on every device.
  • MDM (Intune or equivalent) on partner phones holding client data, with remote-wipe capability.

Conveyancing-specific controls

  • Bank-details verification protocol: bank details provided only in the engagement letter; written warning that details will never change by email; verbal verification of any apparent change on a phone number from the firm’s website.
  • Client portal with two-factor secure-document exchange (rather than email attachments).
  • Out-of-office and forwarding rules monitored monthly for unauthorised forwarding addresses.
  • Friday-afternoon completion stop-checks: any bank-details change request received after Wednesday 17:00 must be verbally re-verified by a partner.
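The monthly forwarding-rule review above is the control most directly aimed at the mailbox-compromise stage of the fraud pattern. As an added example (not the page's or any product's code), this audits a constructed inbox-rule export, whose field names are assumptions loosely modelled on an Exchange Online rule listing, and flags rules that forward outside the firm, delete transaction-related mail, or carry a near-empty name.

```python
FIRM_DOMAIN = "examplefirm.co.uk"  # constructed firm domain

# Constructed rule export; the keys are assumptions, not a real product schema.
INBOX_RULES = [
    {"mailbox": "partner@examplefirm.co.uk", "name": "Archive newsletters",
     "forward_to": [], "redirect_to": [], "delete": False, "subject_contains": ["newsletter"]},
    {"mailbox": "conveyancer@examplefirm.co.uk", "name": ".",
     "forward_to": ["backup.mail@webmail-example.com"], "redirect_to": [], "delete": True,
     "subject_contains": ["completion", "bank", "deposit"]},
    {"mailbox": "conveyancer@examplefirm.co.uk", "name": "Cc secretary",
     "forward_to": ["secretary@examplefirm.co.uk"], "redirect_to": [], "delete": False,
     "subject_contains": []},
]

# Words that appear in completion and payment traffic a fraudster would want to intercept.
MONEY_WORDS = {"bank", "deposit", "completion", "invoice", "payment", "account"}


def is_external(addr: str) -> bool:
    return addr.lower().rsplit("@", 1)[-1] != FIRM_DOMAIN


def audit_rule(rule: dict) -> list:
    """Return the reasons a rule needs human review; empty list means nothing suspicious."""
    reasons = []
    external = [a for a in rule["forward_to"] + rule["redirect_to"] if is_external(a)]
    if external:
        reasons.append("forwards or redirects to external address(es): " + ", ".join(external))
    matched = MONEY_WORDS & {w.lower() for w in rule["subject_contains"]}
    if matched and rule["delete"]:
        reasons.append("deletes mail mentioning " + ", ".join(sorted(matched))
                       + ": hides transaction traffic from the mailbox owner")
    if len(rule["name"].strip()) <= 1:
        reasons.append("blank or single-character rule name, a common sign of a rule meant to go unnoticed")
    return reasons


def audit_all(rules: list) -> list:
    """(mailbox, rule name, reasons) for every rule with at least one finding."""
    return [(r["mailbox"], r["name"], audit_rule(r)) for r in rules if audit_rule(r)]
```

Internal forwarding (the secretary rule) is deliberately not flagged; the reviewer's time goes to the external and deleting rules.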

Backup & recovery

  • 3-2-1-1 backup including the practice management system and document management system.
  • Restores tested monthly; full RTO documented for client communication during a recovery.
  • Immutable backup storage to defeat ransomware encryption of backups.

Detection & response

  • 24/7 MDR or SOC alerting (conveyancing fraud often happens out of hours).
  • Documented incident response plan with named decision-makers (managing partner, COLP, IT lead).
  • Pre-arranged DFIR firm via incident-response retainer or insurer panel.
  • Pre-agreed client communication templates for breach notification — SRA expects these to be available before an incident, not drafted during one.

Compliance & governance

  • Cyber Essentials annually as a baseline; Cyber Essentials Plus for firms with public-sector or enterprise client work.
  • Lexcel re-accreditation processes mapped to documented information-security policies.
  • Annual cyber awareness training tracked per-individual, with role-specific modules for conveyancers, partners and admin staff.
  • COLP / COFA familiar with the cyber programme, not just the IT lead.

Realistic cyber security budget for a UK law firm

2-partner high-street practice (4–6 staff)

  • M365 Business Premium: £1,300/year
  • Cyber Essentials managed: £750/year
  • Awareness training + conveyancing-specific module: £200/year
  • Backup beyond M365 retention: £250/year
  • External pen test (every 2 years amortised): £1,750/year
  • Total: ~£4,250/year

5-partner regional firm (15–25 staff)

  • M365 Business Premium: £5,400/year
  • Standard tier MDR (24/7 during conveyancing weeks): £5,500/year
  • Cyber Essentials Plus: £3,500/year
  • Awareness training: £750/year
  • Practice-management system backup add-on: £1,500/year
  • Annual external pen test: £5,000/year
  • Cyber insurance: £3,500/year
  • Total: ~£25,000/year

20+ partner mid-market firm (60–120 staff)

  • Premium tier managed cyber including SIEM & threat hunting: £36,000/year
  • M365 mix (Business Premium + E3 + E5): £38,000/year
  • Cyber Essentials Plus + ISO 27001 surveillance: £9,000/year
  • Awareness training + role-specific modules: £3,500/year
  • Pen testing programme (web app + external + internal annual): £15,000/year
  • Cyber insurance (£5m cover): £9,500/year
  • IR retainer with UK CREST firm: £6,000/year
  • Total: ~£117,000/year

Frequently Asked Questions

Does the SRA require Cyber Essentials?

The SRA does not directly mandate Cyber Essentials. However, the SRA’s Standards and Regulations require firms to take proportionate steps to safeguard client confidentiality and client money, and the SRA’s annual Risk Outlook explicitly identifies cyber as a priority risk. In SRA enforcement actions following cyber incidents, the regulator examines the controls in place and benchmarks them against the industry baseline — which now means Cyber Essentials at minimum. Firms that hold CE Plus when an incident occurs face significantly less regulatory exposure than firms with no certification.

What is the biggest cyber threat to UK law firms?

Conveyancing fraud (also called “Friday afternoon fraud”) remains the highest-impact risk. Attackers compromise a conveyancer’s mailbox, monitor active matters, then send fraudulent “updated bank details” emails to buyers shortly before completion. UK conveyancing-fraud losses run into tens of millions per year. Defences: MFA on every mailbox, anti-impersonation email rules, written client warnings that bank details will not change by email, verbal verification of any apparent change on a phone number from the firm’s website (not from the suspicious email).

How does Lexcel relate to cyber security?

Lexcel is the Law Society’s practice-management quality standard. Section 6 (Risk management) and Section 7 (Client care) include explicit information-security requirements: risk assessment, documented policies, training, business continuity and incident response. Modern Lexcel re-accreditation increasingly probes how firms handle client data, what backup arrangements exist, and how staff are trained on phishing. Aligning with Lexcel and Cyber Essentials Plus together gives a defensible baseline for both the SRA and PII insurers.

When must a law firm report a cyber incident to the SRA?

The SRA expects firms to report “serious” incidents under the Standards and Regulations — in practice, any incident with material loss of client money, significant breach of client confidentiality, or potential reputational damage. The bar is below ICO breach-notification thresholds in some cases. Firms also have UK GDPR obligations to notify the ICO within 72 hours where a personal-data breach reaches the risk threshold. Best practice: build a single incident-response runbook that covers SRA, ICO, PII insurer and client notifications, which reduces decision-making during the chaos of a real incident.

Should a law firm pay a ransomware demand?

NCSC and ICO guidance is to avoid paying ransoms. UK sanctions law also prohibits payment to threat actors on the consolidated sanctions list, with potential criminal exposure for directors. Several UK law firms have publicly refused to pay following ransomware incidents, recovering from immutable backups instead. Build the cyber programme so that paying is never the only route to recovery: immutable backups, tested restores, IR retainer, cyber insurance with a credible DFIR panel. If your only path is to pay, the wider cyber programme has already failed.

How much should a UK law firm budget for cyber security?

Realistic 2026 budget: ~£20,000–£28,000/year for a 5-partner firm with 15–25 staff, covering Microsoft 365 Business Premium, Standard-tier managed MDR, Cyber Essentials Plus, awareness training, practice-management system backup, an annual external pen test, and a £2m cyber insurance policy. As a benchmark, 5–7% of total IT spend going to dedicated cyber line items is sensible for a UK law firm — slightly above the all-sectors average because of the data sensitivity and the conveyancing fraud risk.

Need an SRA-aware cyber security review of your firm? Request a free cyber gap analysis — we’ll cover the controls the SRA, Lexcel, CQS and your PII insurer actually expect, with conveyancing-specific recommendations to reduce Friday-afternoon-fraud exposure. See also our best UK cyber security companies guide.
