Cyber risk has become the most immediate and serious threat to the operation of law firms. Yet many practices still treat it as a technical issue rather than a partner-level priority. In 2025, that approach is no longer tenable.
Earlier this month, the Guardian ran the stark headline[1]: “Cyber-attacks rise by 50% in past year, UK security agency says”. The National Cyber Security Centre (NCSC) has reported[2] that the UK is experiencing 4 nationally significant cyber-attacks every week: it handled 429 incidents in the preceding 12 months, of which 204 were classified as “nationally significant”, which equates to an average of roughly one serious incident every other day. Of those 429, 18 were categorised as “highly significant”, meaning that they had the potential to have a serious impact on essential services.
These statistics are not abstract — they reflect a rapidly intensifying risk environment for professional services, and especially for legal practices. Solicitors operate in an environment of heightened expectations: client confidentiality, legal privilege, funds handling, transaction criticality and regulatory oversight. The question no longer is “if” a firm may face a cyber incident, but when, and how well prepared it is to survive and respond.
The growth of nation-state threats (China, Russia, Iran, North Korea), combined with criminal ransomware operators, is flagged as a leading driver. The government has begun to respond. Ministers have written to large companies warning that cyber resilience must be treated as a board-level responsibility, and the proposed Cyber Security and Resilience Bill would enhance mandatory reporting and extend oversight of critical digital infrastructure. Complementing that, the annual Cyber Security Breaches Survey 2025[3] shows that many businesses remain exposed — some lack basic controls, others are reactive rather than proactive.
These attacks are not confined to large corporates or government bodies. Professional services — and particularly law firms — are now at the forefront of this evolving risk landscape.
Why Law Firms Are Under Attack
Solicitors’ firms are high-value targets. They hold sensitive personal data, confidential communications and privileged legal materials, and they manage high-value financial transactions. This unique mix of assets makes them particularly appealing to both cybercriminals and state-backed actors. Attacks are no longer limited to data theft — ransomware, email interception, unauthorised payments, and operational disruption are all on the rise. A widely cited figure from the Law Society Gazette[4] is that the number of successful cyber-attacks on UK law firms jumped by 77% in one year (954 attacks vs 538). A NetDocuments report[5], based on a security study, found that in a comparable period data breaches affecting UK legal firms rose by 39%, affecting the personal data of nearly 7.9 million people.
The scale of the threat is becoming increasingly clear. According to the NCSC, nearly 75% of the UK’s top 100 law firms have already experienced a cyber incident.
The SRA has repeatedly highlighted information security and cybercrime as key compliance risks. Despite this, many firms still underinvest in the tools, processes and training needed to build genuine resilience. Too often, cybersecurity is viewed as the responsibility of the IT department — rather than a fundamental element of risk management and client care.
What Happens When Things Go Wrong
A number of high-profile breaches in recent years have demonstrated the real-world consequences of inadequate cybersecurity.
In 2025, DPP Law Ltd was fined £60,000 by the Information Commissioner’s Office (ICO) after hackers gained access to 32 gigabytes of data, including sensitive legal case files and privileged material, which later appeared on the dark web. The ICO concluded that the firm should have implemented stronger protections in light of the nature of the data it held.
In 2024, Levales LLP — a criminal and military law firm in Hampshire — suffered a breach that exposed the personal and health data of over 8,000 individuals. The ICO found that the firm had failed to enable multi-factor authentication and did not adequately oversee the security practices of its IT provider.
The Tuckers Solicitors case in 2020 saw almost one million files — including court bundles — encrypted in a ransomware attack. Many were subsequently leaked online. The ICO fined the firm £98,000, noting that its failure to implement basic technical measures had left it vulnerable.
And in the public sector, the Legal Aid Agency was hit in 2025 by a significant data breach exposing personal information dating back to 2010. This disrupted service provision and caused wider anxiety across the legal aid system. These cases underscore that no firm — or legal body — is immune.
Regulatory Responsibilities and Expectations
Cyber incidents bring into play two distinct but overlapping areas of regulatory responsibility.
First, solicitors are subject to data protection laws, including the UK GDPR and the Data Protection Act 2018. As data controllers, firms are responsible for ensuring the confidentiality, integrity and availability of the personal data they process. Where a breach risks individuals’ rights or freedoms, the firm must report it to the ICO within 72 hours.
Second, firms must comply with the SRA’s Standards and Regulations. This includes obligations to maintain effective governance, act in clients’ best interests, and safeguard confidential information. The SRA expects firms to take proactive steps to mitigate cyber risks — and to report serious incidents that may impact service delivery or public trust.
Failing to meet these obligations can result in fines, enforcement notices, reputational harm, and even disciplinary action. It can also leave firms exposed to professional negligence claims, breach of contract allegations, and regulatory investigations.
Building Cyber Resilience: The Five-Stage Lifecycle
Cybersecurity should not be approached as a checklist or a one-off project. It must be seen as a lifecycle — one that involves identifying risks, protecting systems, detecting threats, responding to incidents, and recovering quickly.
Identify – Firms should begin with a firm-wide cyber risk assessment. What systems and data are critical? Who can access them? What third-party providers are involved? Where do the main vulnerabilities lie? Understanding the environment in which the firm operates is the first step toward securing it.
Protect – Once risks are understood, firms must implement layered security controls. These include strong identity management, password protection, encryption, up-to-date software, patching protocols, and secure, tested backups. Multi-factor authentication (MFA) is now widely considered essential — not optional.
Detect – Even the best defences can be bypassed. Firms need systems in place to monitor activity, detect anomalies, and raise alerts. Without these, a breach may go unnoticed until significant damage has occurred.
Respond – A written, rehearsed incident response plan is critical. It should clearly outline roles and responsibilities — from IT to legal to client communications — and ensure coordination with external advisors, such as forensic investigators or PR consultants. Mock-breach exercises can help to identify gaps in the firm’s readiness.
Recover – Firms must be able to restore systems and data quickly. This means having offline, secure backups that have been tested in real-world conditions. It also means having business continuity plans to ensure client service can continue during an incident. Post-incident reviews should be conducted to improve future resilience.
Where Many Firms Still Fall Short
Despite growing awareness, many firms continue to fall into the same traps. The absence of MFA is a common and avoidable failing, one which regulators increasingly view as a sign of inadequate governance. Over-reliance on external IT providers is another risk — while technical support can be outsourced, accountability cannot. The SRA has made it clear that firms remain responsible for the security of client data, regardless of who manages their systems.
Failure to apply software updates and patches is another widespread problem. Attackers routinely exploit known vulnerabilities in outdated systems, and many breaches could have been avoided with timely maintenance. Similarly, many firms have inadequate monitoring or no visibility into unauthorised access attempts — meaning breaches are often discovered late, if at all.
Perhaps most concerning, many practices still have no formal, tested plan for responding to an incident. Under pressure, decision-making becomes erratic, clients are left uninformed, and recovery is delayed — all of which further compounds the damage.
Practical Steps That Firms Can Take Now
Fortunately, improving cyber resilience need not be prohibitively expensive. Many of the most effective measures are affordable and achievable for firms of all sizes.
Implementing MFA across all systems is a priority. Access permissions should be reviewed regularly to ensure that only those who need access have it — and that old accounts are removed promptly. Secure, offline backups must be maintained and tested. Staff should be trained in good security habits, including recognising phishing emails and reporting suspicious activity.
Third-party supplier contracts must be reviewed for compliance with recognised security standards (such as ISO 27001), and should include breach notification clauses, data ownership terms, and audit rights. Logging and alerting tools can provide early warnings of compromise, allowing firms to act before serious harm occurs.
Firms should also maintain a concise but detailed incident response plan, reviewed and tested annually. It should cover internal escalation, regulatory reporting, communication strategies, and relationships with external advisors. These measures can materially reduce the impact of a breach — and demonstrate to regulators and clients that the firm is actively managing risk.
Cyber insurance should also be reviewed. Some policies now exclude or limit coverage for cyber incidents, and insurers increasingly expect to see evidence of active risk management before offering full cover.
The Future: More Regulation, More Sophistication
The coming years are likely to bring even greater complexity. The government’s proposed Cyber Security and Resilience Bill will expand reporting obligations and introduce greater oversight of firms involved in critical services — including some legal practices. The Data Use and Access Act 2025 introduces new requirements around data portability, smart data schemes and regulatory access.
At the same time, the threat environment continues to evolve. The NCSC has warned that criminals are increasingly weaponising artificial intelligence — using it to automate phishing attacks, scan for vulnerabilities and launch faster, more targeted campaigns. These developments shrink the window for detection and increase the importance of preparation.
Law firms also face growing risks from their own supply chains. Cloud services, client portals and legal tech platforms may introduce vulnerabilities outside the firm’s direct control. Sophisticated clients now demand warranties, indemnities and audit rights relating to cybersecurity. Firms that cannot demonstrate robust practices may find themselves excluded from key transactions.
And finally, the geopolitical risk must not be ignored. Firms involved in cross-border work, sanctions enforcement or sensitive litigation may attract attention from hostile third parties and even other governments. Cyber risk is no longer just operational — it is strategic.
Conclusion
Cyber risk is now one of the most pressing challenges facing UK solicitors. The legal profession is particularly exposed due to the nature of the work it undertakes, the sensitivity of the data it holds, and the regulatory expectations it must meet.
Cybersecurity can no longer be seen as the domain of the IT team. It is a core professional duty — central to protecting client confidentiality, maintaining trust, and ensuring compliance. The message from regulators, insurers and clients is consistent: solicitors must demonstrate not only an awareness of cyber risk, but a robust and tested response to it.
For many firms, the tools and frameworks already exist. What is needed now is the leadership, commitment and cultural change to put them into action.
Infolegal members can access additional resources, including sample incident response plans, checklists, and training modules via the Infolegal InfoHub. If you would like more information, please contact us on enquiries@infolegal.co.uk.
[1] https://www.theguardian.com/technology/2025/oct/14/cyber-attacks-rise-in-past-year-uk-security-agency-says
[2] https://www.ncsc.gov.uk/news/uk-experiencing-four-nationally-significant-cyber-attacks-weekly
[3] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025
[4] https://www.lawgazette.co.uk/news/cyber-attacks-on-law-firms-jump-by-77/5120668.article
[5] https://www.netdocuments.com/en-gb/company-news/data-breaches-in-uk-legal-sector-increase-by-more-than-a-third-impacting-almost-8-million-people/
