SRA Cyber Security Requirements for Law Firms and Solicitors

Harry Fallows

Legal IT Expert

Although cyber security is not mentioned by name, the SRA Codes of Conduct for Firms and for Solicitors, RELs and RFLs set out a number of rules that bear directly on it.

Complete a risk assessment

Section 2.5 of the Code of Conduct for Firms states ‘You identify, monitor and manage all material risks to your business, including those which may arise from your connected practices.’

One significant risk to consider is undoubtedly cybercrime and data security. Falling victim to a cyber attack can have a devastating impact on your business, so a full risk assessment should be conducted to discover where in your business the biggest risks lie.

When completing your risk assessment, there are four main areas you will need to assess, with risks recorded in your risk register:

  1. Your physical environment
  2. Your technology
  3. Your people
  4. Your suppliers

Assessing your physical environment

When assessing your physical environment in terms of data security, the main risks to look out for are:

  1. Is there any possibility of sensitive information being visible to people outside your premises? For example, can computer screens or papers be seen through exterior windows?
  2. Can any unknown third parties access the premises?

Assessing your technology

Here you will need to look at your entire tech stack: what security measures each system has in place, and the risk each poses to your business should it suffer a data breach.

For example, your legal case management or accounting systems contain a wealth of sensitive information. A data breach in these systems could have a significant impact on your firm. Therefore, it is crucial to implement robust security measures to safeguard your valuable data.

Assessing your people

When assessing your people, you will need to look at what access they have to data and where that access should be limited. You should also look at their cyber security knowledge, their understanding of cyber threats and their familiarity with your policies.

Your people are critical to combating cybercrime, so you must ensure that any risks identified here are mitigated.

Assessing your suppliers

Here, you should look at who supplies your technology. Do they have any cyber security or data protection accreditations such as ISO27001 or Cyber Essentials? What risks might they pose to your business?

You should also look at other businesses you work with, such as cleaners and maintenance contractors. What vetting procedures do these businesses conduct? Do they have any relevant accreditations? You might also look at when they have access to the premises. For example, you may restrict access to out-of-hours only, when computers will be turned off and any sensitive information is stored securely.

Have effective governance structures, arrangements, systems and controls in place

Section 2.1 of the Code of Conduct for Firms states that you need to ‘have effective governance structures, arrangements, systems and controls in place that ensure you comply with all the SRA's regulatory arrangements, as well as with other regulatory and legislative requirements, which apply to you.’

The first thing to consider here is who will be in charge of your cyber security measures. Your COLP will ultimately be responsible for your firm’s compliance with the codes of conduct, but they may delegate cyber security management to someone else.

This person should hold a senior position so that they are able to command a budget for any resources required to mitigate cyber risks, but they should also have the requisite knowledge of cybercrime. An IT Partner or Director, or a Data Protection Officer, might be suitable.

This person may need to complete the risk assessment with the COLP as discussed previously.

Having identified those risks, they will then need to implement a set of policies, controls and procedures to mitigate them.

Maintaining Competence

Section 4.3 of the Code of Conduct for Firms states ‘You ensure that your managers and employees are competent to carry out their role, and keep their professional knowledge and skills, as well as understanding of their legal, ethical and regulatory obligations, up to date.’

Similarly, section 3.3 of the Code for Solicitors states ‘You maintain your competence to carry out your role and keep your professional knowledge and skills up to date.’

In a modern practice, knowledge of technology and cyber security measures forms a key part of the roles of solicitors and other employees. As such, including cyber security training in your employee competence and CPD measures is a must.

When things go wrong

If you do fall victim to a cyber attack, the Code of Conduct for Firms sets out a number of actions that you must carry out.

Paragraph 3.5 provides that ‘You are honest and open with clients if things go wrong, and if a client suffers loss or harm as a result you put matters right (if possible) and explain fully and promptly what has happened and the likely impact. If requested to do so by the SRA you investigate whether anyone may have a claim against you, provide the SRA with a report on the outcome of your investigation, and notify relevant persons that they may have such a claim, accordingly.’

Paragraph 3.9 states ‘You report promptly to the SRA, or another approved regulator, as appropriate, any facts or matters that you reasonably believe are capable of amounting to a serious breach of their regulatory arrangements by any person regulated by them (including you) of which you are aware. If requested to do so by the SRA, you investigate whether there have been any serious breaches that should be reported to the SRA.’

This is followed up by paragraph 3.10, which states ‘Notwithstanding paragraph 3.9, you inform the SRA promptly of any facts or matters that you reasonably believe should be brought to its attention in order that it may investigate whether a serious breach of its regulatory arrangements has occurred or otherwise exercise its regulatory powers.’

So, should you suffer a breach, you must:

  • Promptly notify any affected clients, letting them know what happened and what impact it has on them, and compensate them for any damages
  • Notify the SRA of the breach and follow any guidance they provide
  • Notify the ICO of the breach and follow any guidance they provide
  • Notify your Professional Indemnity Insurer of the breach and follow any guidance they provide.