Leigh Payne

How ready are firms in the legal sector to face the growing risk of cyber attacks?

Updated: May 28, 2021

Generally, the legal sector is not known for its early adoption of technology; however, both courts and law firms are coming to rely more and more on technological advances to provide better and more efficient access to justice.

Consequently, law firms are now exposed to the data theft, hacking and cybercrime that accompany the use of technology in the provision of services. Given the nature of solicitors’ work, significant amounts of personal data and financial information are processed at any one time, making firms a prime target for cybercriminals.

The scale of the problem

Between 2016 and 2019, the Solicitors Regulation Authority (SRA) received 458 reports of cybercrime incidents. This figure does not include those attacks which were reported to the Information Commissioner’s Office or law enforcement and so it is likely that the true amount of cybercrime affecting firms was greater than the figure reported to the SRA.

According to the SRA, the amount of money held by firms and stolen by cybercriminals amounted to nearly £2.5m in the first half of 2020. This was more than a threefold increase on the figure for the same period in 2019. The cost was not merely monetary – transactions will have been prevented or delayed and both clients and employees will have suffered significant stress as a result.

The SRA advises that the hidden costs of cyberattacks faced by firms can include:

  • Increased insurance premiums
  • Paying for financial losses
  • Lost time
  • Damaged client relationships
  • Lost jobs
  • Increased stress and pressure on staff

The Code of Conduct obliges those in the profession to ‘safeguard money and assets entrusted to [solicitors] by clients and others’. Therefore, solicitors are required by their regulator to take steps to protect money and assets from cyberattacks. As it happens, the cost of defending against a cyberthreat is lower than the cost of a successful cyberattack; therefore, it also makes sense from a commercial perspective to have appropriate measures in place.

Pandemic problems

Early 2020 also saw an unexpected development – the first lockdown and the immediate rise of remote working. When the first lockdown was announced in March 2020, firms had very little time to mobilise their entire workforce. Those who had little or no experience of remote working were forced to rely on hastily drawn-up solutions, which inevitably led to weaknesses in cybersecurity.

The problems continued as the months of lockdown rolled on; employees working from home were more vulnerable to cyberattacks and breaches of confidentiality because of:

  • the lower levels of security involved with home devices and WiFi
  • the lack of a secure working space where conversations could take place without fear of being overheard
  • work devices being used to access non-work-related internet sites
  • a lack of training on awareness of cyber threats and how to recognise and counter them

The rise of video meetings and applications such as Zoom or Teams also raised the possibility that unauthorised parties could gain access to a meeting and overhear or see confidential information without detection.

What to bear in mind

All firms must be aware of the responsibilities placed on them by the Code of Conduct and Accounts Rules, as well as their statutory and common law data protection duties. In particular, the GDPR Accountability Principle imposes a ‘reverse burden of proof’ on data controllers to demonstrate that they complied with all relevant aspects of data protection law.

Accordingly, both technical and organisational measures must be in place for dealing with cyber and data breach risks, and firms should know in what circumstances they are required to report incidents to the regulators, in this case the SRA, the Information Commissioner’s Office and/or the police.

Firms should also know what is required of them when it comes to contacting and liaising with their insurers. Failure to follow procedures laid down by insurers may result in cover being declined for any losses arising as a result of a cyber incident.

What can be done?

Good cyber security practices work in two ways – the first is that they may deter cybercriminals from attempting to infiltrate systems. The second is that they can significantly reduce losses arising from any successful cyberattack.

Many firms were found to have good cyber security practice – and that is definitely a start. However, firms must bear in mind that cybercrime continually evolves and creates new threats; therefore, regular review and updating of cybersecurity is essential to provide the best protection.

The SRA has now issued guidance which is aimed at helping law firms review and improve their cyber security.

Part of the SRA’s investigation into cybersecurity involved visiting 40 firms that had already been targeted by cyberattacks, to obtain valuable feedback highlighting the danger points, the potential effects of an attack, and what safeguards can be developed and implemented to protect against similar threats. The full findings, together with the SRA’s cyber advice toolkit, are available here:

In light of the risks to law practices, specialist technical/legal advice should be sought on developing a robust cyber-security strategy.