SRA Compliance: The IT Security Checklist Every Law Firm Needs
If the SRA knocked on your door tomorrow and asked to see your IT security controls, could you show them? Not just “we have antivirus” or “our IT person handles that.” Actual documented evidence that client data is protected, that you have tested backups, that your team knows how to spot a phishing email.
Most law firms we speak to cannot. Not because they do not care, but because nobody has mapped what the SRA actually expects against what their IT setup actually delivers.
43% of UK businesses reported a cyber attack in the past year (DSIT 2025). Law firms sit in the crosshairs because they hold two things criminals want: client money and confidential data. Conveyancing fraud alone costs firms millions every year, and the SRA has made clear that IT security failures are a regulatory matter, not just an IT problem.
Not sure where your firm stands? Run a credential exposure check on your domain at no cost. It takes two minutes and shows whether your team’s email passwords are already circulating on criminal marketplaces. Request your credential exposure check or call 0151 452 3060.
What the SRA Actually Expects from Your IT
The SRA does not prescribe specific technology. It does not tell you which firewall to buy or which email provider to use. Instead, it sets outcome-based obligations under the Code of Conduct and the Accounts Rules that have direct IT security implications.
Code of Conduct paragraph 6.3: Client Confidentiality
You must keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents. In practice, this means your IT systems must prevent unauthorised access to client files, emails, and case management data, and must let you show who accessed what and when.
If a staff member’s email account is compromised because they reused a password that was leaked in a data breach, and an attacker reads privileged correspondence, that is a confidentiality failure. The SRA will not accept “we didn’t know the password was compromised” as a defence.
SRA Accounts Rules
Firms holding client money must have controls to prevent misuse. With conveyancing fraud and business email compromise on the rise, the SRA expects firms to demonstrate that payment verification procedures are in place, that email accounts used for financial instructions are properly secured, and that staff are trained to recognise social engineering.
Lexcel and Best Practice
Lexcel is the Law Society's practice management standard, and certification is voluntary. It is still a practical benchmark for what "good" looks like: Lexcel requires documented IT policies, tested business continuity plans, staff training records, and regular risk assessments. Even if you are not pursuing Lexcel, these are the kinds of documented controls a regulator will ask to see.
The 10-Point IT Security Checklist for SRA Compliance
Use this to audit your current position. If you cannot answer “yes” to each point with evidence, you have a gap.
Access Controls
1. Multi-factor authentication on every account
Only 40% of UK businesses use MFA on email (DSIT 2025). For a law firm handling privileged client data, this is non-negotiable. Every user account that touches client information needs MFA enabled, including admin accounts and remote access, with no exceptions. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or SIM-swapped.
2. Individual user accounts with appropriate permissions
Shared logins make it impossible to maintain an audit trail. The SRA expects you to know who accessed what and when. Each staff member needs their own account, with access limited to the systems and data they need for their role.
3. Documented leavers process
When a solicitor or staff member leaves, their access must be revoked immediately. Not next week. Not when IT gets round to it. The same day. This includes email, case management systems, remote access, shared mailboxes, and any cloud services. Disable the account and revoke its active sessions and app tokens as well; changing the password alone leaves existing sessions signed in.
Data Protection
4. Encryption at rest and in transit
Client data on laptops, in email, and in your case management system must be encrypted. If a laptop is stolen from a car or a coffee shop, unencrypted client files become a reportable breach; an encrypted device with the key held elsewhere usually does not. Properly configured Microsoft 365 handles much of this, but "properly configured" is the operative phrase: check that full-disk encryption (for example BitLocker) is actually enforced on every device and that recovery keys are escrowed, not written on a sticky note.
5. Email security and anti-phishing
Phishing was reported by 85% of the UK businesses that identified an attack in the past year (DSIT 2025). Your email system needs advanced threat protection that catches sophisticated attacks, not just basic spam filtering. This is especially critical for conveyancing teams who handle payment instructions by email.
Business Continuity
6. Tested backups with documented recovery times
Having backups is not enough. When did you last test a restore? The SRA expects firms to demonstrate they can recover and continue serving clients if systems go down. "We back up to the cloud" is not a business continuity plan. A documented, tested recovery process is: restore the case management database and a mailbox from backup, record how long it took and how much recent work was lost, and keep that record as evidence.
7. Incident response plan
What happens when something goes wrong? Who calls who? When do you notify clients? When do you report to the SRA and the ICO? Under UK GDPR a notifiable personal data breach must be reported to the ICO within 72 hours of becoming aware of it, so "we would figure it out at the time" is not an option. The SRA expects a documented, rehearsed incident response plan.
How Does Your Firm Measure Up?
If you ticked off gaps on this checklist, you are not alone. Most law firms have two or three areas that need attention.
Our H-Protect Standard package (from £55/user/month) maps directly to these SRA requirements: multi-factor authentication enforcement, advanced email security, 24/7 credential monitoring, encrypted backup with quarterly restore drills, and a documented incident response framework. It works alongside your existing IT; you do not need to change providers.
Book a 15-minute call to walk through your gaps: Schedule a call | 0151 452 3060
Monitoring and Detection
8. 24/7 monitoring for credential exposure and threats
The average breach takes 241 days to identify and contain (IBM 2025). Nearly 8 months of someone sitting in your systems, reading client emails, watching conveyancing transactions. Credential monitoring alerts you within hours if a staff member's password appears in a breach, not months later when the damage is done.
9. Regular vulnerability assessments
When did someone last check your external-facing systems for weaknesses? Not your internal IT person glancing at the firewall logs. A proper, structured assessment. The SRA increasingly expects firms to demonstrate proactive security testing, not reactive incident response.
Staff and Governance
10. Security awareness training with evidence
Only 19% of UK businesses provide cyber security training to staff (DSIT 2025). For a law firm where every staff member handles confidential client data, untrained staff are your biggest vulnerability. The SRA expects training to be regular, documented, and tested, not a one-off induction slide.
Conveyancing Fraud: The SRA’s Biggest Concern
The SRA has issued repeated warnings about “Friday afternoon fraud,” and for good reason. The attack pattern is well established:
- An attacker compromises a solicitor’s email account, usually through a phished or reused password
- They monitor conveyancing transactions silently, sometimes for weeks
- At the point of completion, they send the buyer “updated bank details” from the solicitor’s genuine email address
- The buyer transfers completion funds to the criminal’s account
- The money is moved and laundered within hours
This is not theoretical. It happens to law firms across the country every week. The SRA holds the firm responsible for having controls in place to prevent it, including email authentication (SPF, DKIM and DMARC), verbal verification of any change to payment details using a number you already hold, and staff training on business email compromise. Be clear about what each control does: SPF, DKIM and DMARC stop criminals spoofing your domain from elsewhere, but they do nothing against mail sent from a genuinely compromised mailbox, which is the scenario above. MFA on the mailbox and verbal verification are the controls that actually break that attack.
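The email authentication check above is something you can verify yourself. The script below is an added example, not code from the original article or from HiltDigital, and it grades the SPF and DMARC records of two hypothetical domains (example-law.invalid and hardened.invalid) using constructed TXT record text embedded in the script. On a real domain you would fetch the same text with `dig TXT yourfirm.co.uk` and `dig TXT _dmarc.yourfirm.co.uk` and pass it to assess(). DKIM is not graded here because its records live under a selector name that a plain DNS query does not reveal.

```python
"""Grade a domain's SPF and DMARC records.

Added example. The records below are constructed for two hypothetical
domains; they are not real DNS data and the domains do not exist.
"""

# Constructed TXT records (assumption: not real DNS data).
EXAMPLE_RECORDS = {
    "example-law.invalid": {
        # Typical "we set it up once" state: softfail SPF, monitor-only DMARC.
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-law.invalid",
    },
    "hardened.invalid": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": ("v=DMARC1; p=reject; pct=100; "
                  "rua=mailto:dmarc@hardened.invalid; "
                  "ruf=mailto:dmarc@hardened.invalid; adkim=s; aspf=s"),
    },
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_mechanism(txt):
    """Return the qualifier of the SPF 'all' term: '-' fail, '~' softfail,
    '?' neutral, '+' pass. None means no 'all' term (implicitly neutral)
    or not an SPF record at all."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t in ("all", "+all"):
            return "+"
        if t in ("-all", "~all", "?all"):
            return t[0]
    return None


def assess(spf_txt, dmarc_txt):
    """Return a list of (severity, finding) tuples; an empty list is a pass."""
    findings = []

    if not spf_txt:
        findings.append(("HIGH", "no SPF record: receivers cannot tell your mail servers from spoofers"))
    else:
        qualifier = spf_all_mechanism(spf_txt)
        if qualifier == "~":
            findings.append(("MEDIUM", "SPF ends in ~all (softfail): spoofed mail is marked, not rejected"))
        elif qualifier != "-":
            findings.append(("HIGH", "SPF has no -all: unmatched senders are treated as neutral or pass"))

    if not dmarc_txt:
        findings.append(("HIGH", "no DMARC record: SPF and DKIM results are never enforced on the From: domain"))
    else:
        tags = parse_dmarc(dmarc_txt)
        # 'p' is mandatory in a valid record; a missing tag is treated as no enforcement.
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append(("HIGH", "DMARC p=none: spoofed mail is reported but still delivered"))
        elif policy == "quarantine":
            findings.append(("MEDIUM", "DMARC p=quarantine: spoofed mail goes to junk rather than being rejected"))
        elif policy != "reject":
            findings.append(("HIGH", f"DMARC policy {policy!r} is not valid"))
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(("MEDIUM", f"DMARC pct={pct}: policy applied to only {pct}% of failing mail"))
        if "rua" not in tags:
            findings.append(("LOW", "no rua= address: you will not receive reports showing who is spoofing your domain"))

    return findings


if __name__ == "__main__":
    for domain, records in EXAMPLE_RECORDS.items():
        result = assess(records["spf"], records["dmarc"])
        print(f"{domain}: {'PASS' if not result else 'FAIL'}")
        for severity, message in result:
            print(f"  [{severity}] {message}")
```

Moving from p=none to p=reject should be done after a few weeks of reading the aggregate reports the rua= address receives, so that a legitimate third-party sender (a practice management or e-signature platform, for example) is added to SPF before its mail starts being rejected.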
A credential exposure check on your firm’s domain will show whether any of your team’s passwords are already compromised. If they are, and MFA is not enabled, you are one phished email away from this scenario.
What a Proportionate Security Investment Looks Like
The SRA expects “proportionate” controls. For a 10-50 person law firm, proportionate does not mean hiring a full-time security analyst at £45,000 a year. It means having the right managed services in place.
Ongoing protection: H-Protect Standard at £55/user/month covers endpoint protection, email security, credential monitoring, encrypted backup with tested restores, and vulnerability scanning. For a 20-person firm, that is roughly £1,100/month, or about £13,200 a year. Compare that to the average cost of an impactful breach at £8,260 (DSIT 2025), before you factor in SRA regulatory action, client notifications, reputational damage, and potential negligence claims.
Proactive testing: CREST accredited penetration testing from £750 gives you an independent assessment of your external security posture. For firms that need annual compliance evidence, the Assurance package at £1,995/year includes full testing with a remediation retest.
Quick start: A credential exposure check on your domain costs nothing and takes two minutes. It shows whether your firm’s email credentials are already exposed. That alone answers one of the SRA’s first questions: “Do you know if your systems have been compromised?”
Find Out Where Your Firm Stands This Week
The SRA is not going to wait for you to get round to this. Conveyancing fraud, data breaches, and credential theft are accelerating, and regulatory scrutiny is increasing.
Here is how to start:
- Today: Request a credential exposure check on your domain. No cost, no commitment, results in 48 hours. Request your check
- This week: Book a 15-minute call to walk through this checklist against your current setup. We will tell you exactly where the gaps are. Call 0151 452 3060.
- This month: Get a vendor-sponsored vulnerability assessment to test your external defences. We run 20 of these a month for local businesses.
We work with law firms across Liverpool, Wirral, Chester, and the wider North West. We understand SRA requirements, case management systems, and the pressure of completions and court deadlines.
Call 0151 452 3060 or book your assessment online.
HiltDigital provides security-first IT services for law firms across the North West. We work alongside your existing IT as a specialist security layer, covering threat monitoring, compliance support, and infrastructure architecture.