The SRA does not prescribe a technology stack. It sets out principles around confidentiality, cybersecurity, and business continuity, and leaves it to firms to determine how they meet them.
That gap between regulatory principle and operational reality is where most law firm IT problems start. The controls may be in place. The ability to demonstrate compliance often is not.
The SRA Code of Conduct 2019 requires solicitors to keep client data confidential and to protect it from misuse. The SRA's cybersecurity guidance sets out specific expectations: documented security policies; staff training on cyber risks; appropriate access controls; and tested incident response plans. These are not suggestions – they translate directly into IT requirements.
Confidentiality. Client data must be encrypted at rest and in transit. Access must be role-based and auditable. Systems containing privileged communications need to be treated differently from general business infrastructure.
Cybersecurity baseline. Multi-factor authentication, email security, endpoint protection, and regular patching are expected as standard. The SRA has made clear these are not discretionary.
Business continuity. Firms must be able to recover operations after disruption. The SRA expects this to be documented and tested. Backup alone is not sufficient; recovery needs to be achievable within a timeframe that does not leave clients exposed.
Supplier due diligence. If you outsource IT, the SRA expects you to have satisfied yourself that your provider meets appropriate security standards. Your IT partner needs to provide evidence of their own security posture, not just assurances.
GDPR. The SRA enforces data protection obligations for law firms. Data processing agreements with your IT provider, breach notification procedures, and retention policies all sit at the intersection of data protection law and your managed IT service.
Conveyancing fraud and client account fraud account for a disproportionate share of SRA enforcement actions. The mechanism is typically the same: a criminal intercepts email correspondence between a solicitor and a client, alters bank account details, and diverts funds. Firms have faced both regulatory action and personal financial liability as a result.
The SRA has issued specific guidance on this risk. The technical countermeasures are well-established: DMARC and DKIM records correctly configured on your email domain; encrypted communications for sensitive exchanges; and verification procedures for any change in payment details. They only work, however, if they are correctly implemented and actively maintained. An IT provider that does not include email security as part of its managed service is leaving a compliance gap.
Email security also connects directly to your cybersecurity posture more broadly. A firm that passes a phishing simulation but sends unencrypted client correspondence has an incomplete security picture.
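The "correctly configured" DMARC record referred to above is something that can be checked mechanically rather than taken on trust. The following is an added example, not Highgate's own tooling: it parses the DMARC TXT record a domain publishes at `_dmarc.<domain>` and evaluates it against a minimal baseline (enforcing policy, full coverage, aggregate reporting, no weaker subdomain policy). The record strings are constructed samples for a hypothetical domain, and DNS lookup is left to the caller.

```python
from typing import Dict, List, Tuple

# Constructed sample records for a hypothetical domain; not taken from any real firm.
WEAK_RECORD = "v=DMARC1; p=none; pct=100"
STRONG_RECORD = ("v=DMARC1; p=reject; pct=100; "
                 "rua=mailto:dmarc-reports@example-firm.invalid; adkim=s; aspf=s")

# DMARC policy strength, used to spot a subdomain policy weaker than the main one.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lowercase tag -> value pairs.

    Tags are ';'-separated 'name=value' pairs; surrounding whitespace is
    tolerated as it is in published records. Unknown tags are kept as-is.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> Tuple[bool, List[str]]:
    """Return (meets_baseline, findings) for one DMARC record.

    Baseline: v=DMARC1 first; p is quarantine or reject (so spoofed mail that
    fails SPF/DKIM alignment is actually acted on); pct is 100; rua is set so
    the firm receives aggregate reports; sp, if given, is not weaker than p.
    """
    findings: List[str] = []
    tags = parse_dmarc(record)
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: mail failing DMARC is not acted on")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    sp = tags.get("sp")
    if sp is not None and POLICY_RANK.get(sp, -1) < POLICY_RANK.get(policy, -1):
        findings.append(f"sp={sp}: subdomains are protected less strictly than the main domain")
    return (not findings, findings)
```

A record that only passes `p=none` is monitoring, not protection: it reports spoofing attempts but does nothing to stop a fraudster's email reaching a client.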
24/7 monitoring and incident response. Cyber incidents do not follow office hours. The time between an incident occurring and being contained determines how much client data is exposed and whether the SRA's breach notification threshold is met.
Email security. DMARC and DKIM correctly configured, anti-phishing controls active, and staff phishing simulation as part of ongoing awareness training – not a one-off exercise.
Backup and tested disaster recovery. Backup schedules that align with your data retention policies, documented recovery procedures, and at least annual recovery testing with a written record of the outcome.
Multi-factor authentication. Across your case management system, email, remote access, and any system that touches client data. This is a baseline expectation from the SRA, professional indemnity insurers, and an increasing number of corporate clients.
Documented security posture. When your insurer, a corporate client, or the SRA asks you to evidence your cybersecurity controls, you need to be able to produce documentation without delay. Your IT partner should maintain this as a standard deliverable, not something assembled in response to a request.
This is the core of what Highgate delivers through our managed services for law firms, as part of a broader Improve efficiency programme that covers cloud, infrastructure, and cost alongside the operational layer.
For firms operating across multiple offices, the compliance picture extends to every location. A security control that applies at your main office but not at a regional branch does not satisfy the SRA's expectations.
Kings Chambers, a barristers’ chambers operating across three UK locations, came to Highgate after a previous provider left them with inconsistent infrastructure and reactive support. A full IT review consolidated Microsoft licensing and rationalised backup across all three sites under a single managed service. Lewis Martin, their Compliance Manager, said: “The difference in service with Highgate was clear from day one. They have quickly become a trusted partner and understand our business, support our goals, and ensure our IT is secure, efficient, and future-ready.”
The pattern is common. Firms that grew through merger, or expanded from a single office without revisiting their IT strategy, often carry inconsistent infrastructure across sites. That inconsistency is a compliance risk. A good IT partner identifies it before it becomes an SRA conversation.
Can you demonstrate your own security posture? An IT provider that cannot produce evidence of their own security controls – Cyber Essentials certification at minimum – cannot credibly manage yours.
Do you understand SRA compliance obligations specifically? Not IT compliance in general. The SRA's cybersecurity guidance, the conveyancing fraud risk, the business continuity expectations. A generic answer tells you what you need to know.
Can you provide documentation for our supplier due diligence file? This is a direct SRA requirement for outsourced services. Hesitation here is informative.
What is your incident response process, and who do we contact out of hours? The process matters as much as the technical capability, and law firms need to know the escalation path before an incident occurs.
Are our data and systems hosted in the UK? For most law firms, UK data residency is a contractual and regulatory expectation. Confirm it is explicit, not assumed.
The law firms that handle this well are rarely the ones with the largest IT budgets. They are the ones that appointed an IT partner who understood the regulatory environment from the outset and could demonstrate it – rather than one that treated a law firm like any other professional services business of the same headcount.
A structured IT review for a law firm covers your current security posture against SRA expectations, your backup and recovery capability, your email security configuration, and your supplier due diligence documentation. It gives you a clear picture of where you stand and what to address first.
Find out more about our managed services for law firms, or visit our Improve efficiency hub to see how the wider IT programme fits together. To arrange an initial conversation, call 0300 140 0000.