
Cyber Essentials for Solicitors and Law Firms: What the SRA Expects in 2026

The Legal Aid Agency now mandates Cyber Essentials for criminal legal aid contracts. The SRA expects appropriate cyber controls for all firms. Here is what solicitors and law firms need to know.

Author: Jay Hopkins

Edited by Jack Wickham

Section 01


The legal sector handles some of the most sensitive data in the UK economy. Client funds, privileged communications, personal injury records, property transactions, criminal case files - all of it sitting in law firm systems that are increasingly targeted by threat actors.

The regulatory landscape has shifted. From October 2025, the Legal Aid Agency requires Cyber Essentials certification for all firms holding criminal legal aid contracts. The Solicitors Regulation Authority does not yet mandate a specific certification, but its position on cyber security has hardened considerably.

This article sets out what law firms need to know, what the regulators expect, and how to get certified.

Section 02

From 1 October 2025, any practice holding a Criminal Legal Aid contract must hold a valid Cyber Essentials certificate. This is not guidance - it is a contractual requirement. Without certification, firms risk being unable to renew or continue their legal aid contracts.

The requirement applies to standard Cyber Essentials (not Plus), though firms handling particularly sensitive case data should consider whether Plus provides additional assurance.

This mandate affects an estimated 1,200 legal aid firms across England and Wales. If your firm holds a criminal legal aid contract and does not yet have Cyber Essentials, you are already overdue.

Section 03

The SRA Position: "Appropriate Systems and Controls"

The Solicitors Regulation Authority takes a principles-based approach. It does not mandate a specific certification, but its expectations are clear.

Under SRA Principle 2 and the Code of Conduct for Firms, solicitors must act in a way that upholds public trust and confidence. The SRA interprets this to include maintaining appropriate systems and controls to protect client data and client money.

In practical terms, the SRA has treated the following as failures to take "reasonable steps":

  • Not enforcing multi-factor authentication on email systems (particularly where client money is handled)
  • Failing to maintain up-to-date software and security patches
  • Not having documented procedures for handling cyber incidents
  • Inadequate access controls around client files and accounts

The SRA has increasingly used its supervisory powers to investigate firms following data breaches. Firms that cannot demonstrate foundational technical controls face regulatory action, including conditions on their practising certificates, fines, and in serious cases, intervention.

Cyber Essentials certification does not guarantee SRA compliance, but it demonstrates that the five foundational technical controls are in place. In the event of a breach, holding current certification provides documented evidence that reasonable steps were taken.

Section 04

Why Law Firms Are Targeted

Law firms are attractive targets for three reasons:

Client funds

Conveyancing firms routinely handle six and seven-figure sums. Business email compromise attacks targeting property transactions remain one of the most common fraud vectors in the UK. The SRA reported that firms lost over £3.4 million to cyber crime in the 12 months to November 2023, with conveyancing fraud accounting for the largest share.

Privileged information

Legal professional privilege makes law firm data uniquely valuable for corporate espionage, insider trading, and blackmail. M&A files, litigation strategies, and regulatory submissions all carry significant value to the right buyer.

Perceived weakness

Many law firms, particularly smaller high street practices, operate with limited IT budgets and rely on consumer-grade security tools. Threat actors know this. The NCSC has published specific guidance for the legal sector precisely because the threat level is elevated.

Section 05

What Cyber Essentials Requires

The five controls map directly to the risks law firms face:

Firewalls

Your network boundary must be protected. This includes the router provided by your ISP, whose default administrative password must be changed, and the software firewall on every laptop and desktop, which must be switched on. For firms using cloud-based practice management systems, the cloud service itself is in scope, so its security settings need to be configured deliberately rather than left at the defaults.

Secure configuration

Default passwords must be changed, unnecessary software removed, and auto-run disabled. For law firms, this means locking down your case management system, document management platform, and email environment.

Access control

Each user must have their own account with no more privilege than their role needs. Shared logins, common in smaller firms, must be eliminated. Admin accounts must only be used for administrative tasks, never for day-to-day email or browsing. From v3.3, MFA is mandatory for all cloud services and administrator accounts.

Malware protection

Anti-malware software must be active and up to date on all devices. For firms allowing BYOD or remote working, this applies to every device that accesses firm systems.

Patch management

Updates that fix vulnerabilities rated critical or high (or, where the vendor gives no rating, scored 7.0 or above on CVSS v3) must be applied within 14 days of release. Software must also be licensed and supported; anything the vendor no longer patches must be removed. This covers your operating system, browsers, email clients, and practice management software.
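The 14-day clock is easy to state and hard to evidence. The script below is an added example, not Fig's tooling or part of the Cyber Essentials question set: it uses the Windows Update Agent COM API to list updates that are still missing on the machine it runs on and have been available for longer than 14 days. It assumes Windows 10 or 11 with the machine able to reach its configured update source (Microsoft Update or WSUS), and it maps Microsoft's own "Critical" and "Important" ratings onto the scheme's "critical or high"; that mapping is this example's reading, not the scheme's wording.

```powershell
# Added example (not Fig's code). Lists outstanding Windows updates that have
# breached a 14-day window, using the Windows Update Agent COM API.
# Assumptions: Windows 10/11, update source reachable, Microsoft's MsrcSeverity
# 'Critical'/'Important' taken as equivalent to CE's "critical or high".

$WindowDays = 14
$Cutoff     = (Get-Date).AddDays(-$WindowDays)

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
# IsInstalled=0: not yet applied. IsHidden=0: ignore updates an admin has hidden.
$Result   = $Searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$Overdue = foreach ($Update in $Result.Updates) {
    # Non-security updates carry no MsrcSeverity; the 14-day clock does not apply to them.
    if ($Update.MsrcSeverity -notin @('Critical', 'Important')) { continue }
    # LastDeploymentChangeTime is when Microsoft last published or revised the update.
    if ($Update.LastDeploymentChangeTime -ge $Cutoff) { continue }

    [pscustomobject]@{
        KB          = ($Update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
        Severity    = $Update.MsrcSeverity
        Published   = $Update.LastDeploymentChangeTime.ToString('yyyy-MM-dd')
        DaysOverdue = [int]((Get-Date) - $Update.LastDeploymentChangeTime).TotalDays - $WindowDays
        Title       = $Update.Title
    }
}

if (-not $Overdue) {
    "No critical/important updates older than $WindowDays days are outstanding."
} else {
    "$(@($Overdue).Count) update(s) breach the $WindowDays-day window:"
    $Overdue | Sort-Object DaysOverdue -Descending | Format-Table -AutoSize
}
```

Run it on a sample of laptops before the assessment rather than only on the server: the machines that fail are usually the ones that sit shut in a bag for a fortnight. It only covers Windows and Microsoft products; browsers and practice management software updated by other mechanisms need their own check.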

Section 06

The MFA Question

From 28 April 2026, Cyber Essentials v3.3 makes multi-factor authentication mandatory for all cloud services and all administrator accounts. This aligns directly with the SRA's position that a lack of MFA on email constitutes a failure to take reasonable steps to protect client money.

For law firms, this means MFA on:

  • Microsoft 365 or Google Workspace (email and documents)
  • Your practice management system (if cloud-hosted)
  • Your accounts and client money system
  • Any remote access tools (VPN, remote desktop)
  • Any file sharing or collaboration platforms

If your firm has not yet rolled out MFA across all these services, address it before your Cyber Essentials assessment. It is both a certification requirement and an SRA expectation.
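Most firms' email and documents live in Microsoft 365, so that is where an MFA gap usually shows up. The script below is an added example, not Fig's tooling: it uses the Microsoft Graph PowerShell SDK to report which users have not registered any MFA method, flags the administrators among them, and then lists the Conditional Access policies that actually enforce MFA at sign-in. The two checks are separate on purpose: a user having registered an authenticator proves nothing if no policy (or Security Defaults) requires it. It assumes the Microsoft.Graph SDK 2.x is installed and the account running it can consent to the read-only scopes named; the cmdlets and property names are those of the v1.0 Graph SDK.

```powershell
# Added example (not Fig's code). Reports Entra ID users without MFA registered
# and checks whether any enabled Conditional Access policy requires MFA.
# Assumptions: Microsoft.Graph PowerShell SDK 2.x (Install-Module Microsoft.Graph),
# an account that can consent to the read-only scopes below.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Policy.Read.All' -NoWelcome

# 1. Registration: one row per user from reports/authenticationMethods/userRegistrationDetails.
$Details     = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$NoMfa       = @($Details | Where-Object { -not $_.IsMfaRegistered })
$NoMfaAdmins = @($NoMfa | Where-Object { $_.IsAdmin })

"Users: $($Details.Count)  Without MFA registered: $($NoMfa.Count)  Of which admins: $($NoMfaAdmins.Count)"

$NoMfa |
    Sort-Object -Property IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, UserType,
                  @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ', ' } } |
    Format-Table -AutoSize

# 2. Enforcement: enabled Conditional Access policies whose grant control includes MFA.
$MfaPolicies = @(Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' })

if ($MfaPolicies.Count -eq 0) {
    "WARNING: no enabled Conditional Access policy requires MFA. Unless Security Defaults are on, MFA is not enforced."
} else {
    $MfaPolicies |
        Select-Object DisplayName,
            @{ Name = 'Users'; Expression = { $_.Conditions.Users.IncludeUsers -join ', ' } },
            @{ Name = 'Apps';  Expression = { $_.Conditions.Applications.IncludeApplications -join ', ' } } |
        Format-Table -AutoSize
}
```

Any administrator in the first list is the item to fix first, since admin accounts are in scope regardless of which cloud service they administer. The script only sees Entra ID; a cloud-hosted practice management or client account system with its own login needs the same check in its own admin console.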

Section 07

Professional Indemnity Insurance

Cyber Essentials certification is increasingly relevant to professional indemnity insurance. Several PI insurers now ask whether firms hold Cyber Essentials as part of the renewal process. While it is not universally required, firms with certification may benefit from more favourable terms.

Separately, standalone cyber insurance policies almost universally ask about MFA, patching, and access controls - exactly the areas Cyber Essentials covers. Holding certification simplifies the application process and provides documented evidence of your security posture.

Section 08

Getting Certified

For solicitors and law firms, the certification process is straightforward:

1. Assess your position - Use Fig's free readiness tool to check your current compliance against the five controls

2. Address gaps - The most common gaps for law firms are MFA not being enforced on all cloud services, shared user accounts, and overdue software updates

3. Complete the assessment - The Cyber Essentials questionnaire asks about your technical controls across the five themes. Answer based on your actual configuration, not your intended configuration

4. Same-day certification - Purchase through Fig before 12:00 midday and receive your Cyber Essentials certificate the same working day

For firms that need Plus certification (required by some larger clients and panel memberships), allow 1-3 working days for the technical audit.

Section 09

Maintaining Certification

Cyber Essentials certificates are valid for 12 months. Set a calendar reminder to renew 4-6 weeks before expiry. Letting certification lapse creates a gap that could affect your legal aid contract, client relationships, or insurance coverage.

If your firm's IT environment changes significantly during the year (new practice management system, office move, shift to cloud services), review your controls against the Cyber Essentials requirements to ensure you remain compliant.

Get your law firm certified today

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.

Next step

Ready to get certified?

Get Cyber Essentials certified with Fig. Same-day certification available when you purchase before 12:00 midday. IASME-licensed with transparent pricing from £299.99 + VAT.