
SRA cybersecurity expectations in plain English

The SRA doesn't specify a tech stack. It specifies outcomes. Here's what those outcomes demand from your IT environment in practice.

Techsperience 3 February 2026 8 min read

The SRA’s approach to cybersecurity is unusual in regulated industries. Where the FCA prescribes, the ICO codifies, and the NCSC publishes detailed control catalogues, the SRA mostly stays out of technical specifics. It tells you what outcomes to achieve and leaves the how to your judgement.

That sounds permissive. In practice, it makes the SRA’s expectations harder to satisfy, not easier — because outcome-based regulation gives you no checklist to hide behind. You’re judged on whether your controls were proportionate to the risk, and that judgement happens after something has gone wrong.

This article is a plain-English translation of what the SRA actually expects from a law firm’s IT environment, and what those outcomes demand technically.

The four outcomes

The SRA’s expectations boil down to four outcomes:

  1. Confidentiality of client information. Only the right people can see client data.
  2. Integrity of client information. Client data isn’t tampered with — and you can prove it wasn’t.
  3. Availability of client information. When a fee-earner needs a file, they can get it.
  4. Demonstrability. You can show the SRA, an auditor, or a client what you did and why.

Most cyber-incident findings against firms come back to a failure on one of those four. Usually more than one.

What confidentiality requires technically

In practice, confidentiality requires:

  • Multi-factor authentication on every account, every device, every entry point. No exceptions for partners. No exceptions for “the laptop only goes out once a month.”
  • Access controls scoped to need-to-know. A fee-earner working on Smith v Jones doesn’t need access to Brown v Williams unless there’s a reason. A receptionist doesn’t need access to the matter files at all.
  • Encrypted devices. Every laptop, tablet, and phone storing client data — even temporarily — must be encrypted at rest. BitLocker on Windows, FileVault on Mac, MDM-enforced on mobiles.
  • Secure email. End-to-end encryption isn’t required, but transport encryption (TLS) is now table-stakes, and large or sensitive transfers should use a secure portal rather than attachment-by-email.
  • Confidentiality clauses in IT supplier contracts. Your managed-IT firm should be bound by the same confidentiality expectations as the rest of your supply chain. Most aren’t, by default.

What integrity requires technically

  • Audit logs. Who accessed what, when, from where. Microsoft 365 generates these automatically; most firms don’t review them.
  • Version history. Document management and matter management systems must keep version history that can’t be silently overwritten.
  • Append-only audit trails for key events — particularly client-money transactions, file changes by external counsel, and access events on confidential matters.
  • Backups that can’t be deleted. Ransomware attackers explicitly target backup systems. Immutable backups (cloud-stored, time-locked) are now standard practice.
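Two of the bullets above (the need-to-know access controls under confidentiality, and the audit logs that "most firms don't review" under integrity) come together in one unglamorous control: actually reading the access log against the matter access list. The script below is an added example, not code from the article or from Techsperience. It assumes a record shape loosely modelled on the field names Microsoft 365 unified audit log records carry (CreationTime, UserId, Operation, ClientIP, ObjectId); the events, the firm domain, the matter codes and the access list are all constructed for the example, and the "/matters/<CODE>/" path convention is a hypothetical document-store layout.

```python
"""Review constructed audit events against a hypothetical need-to-know matter list.

Added example, not the article's or the firm's own code. Field names follow the
general shape of Microsoft 365 unified audit log AuditData records; every value
below is constructed, and the /matters/<CODE>/ path layout is an assumption.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: six audit events in JSON Lines form (not real log data).
SAMPLE_EVENTS = """
{"CreationTime": "2026-02-03T09:12:41", "UserId": "a.smith@example-firm.test", "Operation": "FileAccessed", "ClientIP": "203.0.113.10", "ObjectId": "https://example-firm.test/matters/SMITH-V-JONES/witness-statement.docx"}
{"CreationTime": "2026-02-03T10:05:03", "UserId": "a.smith@example-firm.test", "Operation": "FileAccessed", "ClientIP": "203.0.113.10", "ObjectId": "https://example-firm.test/matters/BROWN-V-WILLIAMS/contract.docx"}
{"CreationTime": "2026-02-03T11:00:27", "UserId": "reception@example-firm.test", "Operation": "FileDownloaded", "ClientIP": "203.0.113.12", "ObjectId": "https://example-firm.test/matters/SMITH-V-JONES/bundle.pdf"}
{"CreationTime": "2026-02-03T23:40:12", "UserId": "b.jones@example-firm.test", "Operation": "FileAccessed", "ClientIP": "198.51.100.7", "ObjectId": "https://example-firm.test/matters/BROWN-V-WILLIAMS/advice-note.docx"}
{"CreationTime": "2026-02-03T14:02:00", "UserId": "c.lee@example-firm.test", "Operation": "FileDeleted", "ClientIP": "203.0.113.11", "ObjectId": "https://example-firm.test/matters/SMITH-V-JONES/old-draft.docx"}
{"CreationTime": "2026-02-03T15:30:44", "UserId": "a.smith@example-firm.test", "Operation": "FileAccessed", "ClientIP": "203.0.113.10", "ObjectId": "https://example-firm.test/shared/templates/letterhead.docx"}
"""

# Hypothetical need-to-know list: which accounts may open each matter's files.
# In a real firm this would come from the matter-management system, not a literal.
MATTER_ACCESS = {
    "SMITH-V-JONES": {"a.smith@example-firm.test", "c.lee@example-firm.test"},
    "BROWN-V-WILLIAMS": {"b.jones@example-firm.test"},
}

BUSINESS_HOURS = (7, 20)  # start hour inclusive, end hour exclusive (assumed)
MATTER_RE = re.compile(r"/matters/([A-Z0-9-]+)/")  # assumed path convention


@dataclass(frozen=True)
class Finding:
    user: str
    matter: str
    reason: str   # need_to_know | out_of_hours | deletion
    when: str


def parse_events(text):
    """Parse JSON Lines audit export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def matter_of(object_id):
    """Return the matter code embedded in a document path, or None if not a matter file."""
    m = MATTER_RE.search(object_id or "")
    return m.group(1) if m else None


def review(events, access=MATTER_ACCESS, hours=BUSINESS_HOURS):
    """Flag accesses outside need-to-know, outside business hours, and deletions."""
    findings = []
    for ev in events:
        matter = matter_of(ev.get("ObjectId", ""))
        if matter is None or matter not in access:
            continue  # shared templates etc.: not a matter file we track here
        user = ev["UserId"].lower()
        when = ev["CreationTime"]
        if user not in access[matter]:
            findings.append(Finding(user, matter, "need_to_know", when))
        hour = datetime.fromisoformat(when).hour
        if not (hours[0] <= hour < hours[1]):
            findings.append(Finding(user, matter, "out_of_hours", when))
        if ev["Operation"] == "FileDeleted":
            # Deletions are integrity events: version history should let you recover.
            findings.append(Finding(user, matter, "deletion", when))
    return findings


def summarise(findings):
    """Count findings by reason, for the monthly review record."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = review(parse_events(SAMPLE_EVENTS))
    for f in results:
        print(f"{f.when}  {f.reason:<13} {f.user:<30} {f.matter}")
    print(summarise(results))
```

The point of the exercise is the review record, not the script: a dated output like this, filed monthly with a note of what was followed up, is exactly the kind of artefact the demonstrability outcome asks for. Each check is deliberately independent, so a deletion by someone not on the matter produces both a need-to-know finding and a deletion finding rather than hiding one behind the other.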

What availability requires technically

  • Tested backups. Backups that have never been restored aren’t backups; they’re hopes. Restore drills, ideally quarterly, are how you find out.
  • Documented recovery time objectives. How long can your firm function without email? Without the case management system? Without the document store? You should know, and you should have tested it.
  • Redundancy proportionate to risk. A 25-person firm doesn’t need geo-redundant infrastructure. It does need a clear answer to “what happens if the office floods.”
  • Patched systems. Most outages aren’t dramatic; they’re a six-month-old vulnerability in a system that wasn’t updated. Continuous patching matters more than dramatic disaster-recovery investments.

What demonstrability requires

This is the one most firms fail on. Even firms that have decent controls often can’t show they have them. The minimum:

  • A written information-security policy. Read by every staff member at induction and every year thereafter.
  • A documented incident response plan. Specific to your firm, with named owners, current contact details, and a tested escalation path.
  • A risk register. Identifying the cyber risks specific to your firm, the controls in place, and the residual risk.
  • Evidence of training. Phishing-awareness training records for every staff member, refreshed annually at minimum.
  • An IT supplier register. Naming every external party with access to your environment, the data they touch, and the contractual basis for their access.

If you can’t produce any of those documents in 24 hours, you’re below the SRA’s expectations for demonstrability — regardless of how good your underlying controls are.

What “proportionate” actually means

The SRA’s proportionality principle is sometimes read as “we’re a small firm, so the rules are looser.” That’s not what it means.

Proportionality is about how you achieve the outcomes, not whether you achieve them. A 20-person firm doesn’t need a 24-hour Security Operations Centre staffed by analysts in shifts. It does need MFA, encrypted devices, secure backups, a phishing-aware staff, and a written response plan. The controls are smaller; the outcomes are the same.

Where Cyber Essentials fits in

Cyber Essentials is a UK government scheme covering five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It is not specifically required by the SRA, but it covers most of the technical baseline the SRA expects.

For most small law firms, achieving Cyber Essentials annually is the cleanest single way to satisfy the technical-control expectations. It does not, by itself, satisfy the demonstrability outcome — that requires policy, training, and incident-response work on top.

What to do if you’re worried

The honest test: pick a fee-earner at random. Ask them to walk you through what they’d do if their laptop were stolen on the train tonight. If the answer involves uncertainty about whose number to call, what data is on the device, or whether the firm even knows it’s missing, you have an SRA exposure.

Fixing it doesn’t require a six-figure programme. It requires a small number of unglamorous controls done consistently. That’s the work most managed-IT firms quietly skip — and the work the SRA actually cares about.

Frequently asked

Common questions on this topic.

Does the SRA require Cyber Essentials?

No, the SRA does not formally require Cyber Essentials certification. However, Cyber Essentials covers most of the technical controls the SRA expects firms to have in place, so achieving certification is a useful way to demonstrate alignment.

What does the SRA expect from a law firm's IT?

The SRA expects firms to protect the confidentiality, integrity, and availability of client information. In practice, this means access controls, MFA on all accounts, encrypted devices, secure email, audit trails, retention policies, and a tested incident response plan.

What happens if a law firm has a cyber breach?

A material breach must be reported to the SRA, the ICO (under UK GDPR), and any affected clients. The SRA will assess whether the firm's controls were proportionate and whether the breach response was adequate. Fines, conditions, and adverse findings are all on the table.

Do small law firms have the same cybersecurity obligations as large ones?

The obligations are the same — but the SRA expects controls to be proportionate to the firm's size and risk profile. A 20-person firm doesn't need a 24-hour SOC team; it does need MFA, encrypted laptops, secure backups, and a written response plan.
