SRA cyber security requirements
October is National Cyber Security Awareness Month, so Harry Fallows, legal IT expert at Access Legal, provides an update on your cybersecurity requirements.
The Solicitors Regulation Authority's Code of Conduct for Firms and Code of Conduct for Solicitors, Registered European Lawyers and Registered Foreign Lawyers provide important guidelines for cybersecurity, even though they don't explicitly mention it. Cybersecurity is a critical aspect of modern legal practice, and firms need to adhere to these codes to protect sensitive data and maintain trust with their clients. Here are some of the key areas you need to look out for:
1. Complete a risk assessment
Section 2.5 of the Code of Conduct for Firms states that firms must identify, monitor and manage all material risks to their business. This includes risks related to cybercrime and data security. To address these risks, firms should conduct a comprehensive risk assessment. The assessment should focus on four key areas:
a. Your physical environment:
- Ensure that sensitive information is not visible from outside your premises.
- Restrict access to unknown third parties.
b. Your technology:
- Evaluate the security measures in place for all technology systems.
- Prioritise stronger security measures for systems holding sensitive information, such as case management and accounting systems.
c. Your people:
- Limit data access based on roles.
- Provide cybersecurity training to employees and ensure they understand cyber threats and company policies.
d. Your suppliers:
- Assess your technology suppliers for cybersecurity and data protection accreditations.
- Review other service providers (e.g., cleaners and maintenance) for relevant vetting procedures and access restrictions.
2. Effective governance structures and controls
Section 2.1 of the Code of Conduct for Firms emphasises the need for effective governance structures, arrangements, systems and controls to ensure compliance with regulatory and legislative requirements. This includes cybersecurity management. Firms should designate a senior individual, potentially the compliance officer for legal practice (COLP), IT partner, director or data protection officer, to oversee cybersecurity.
This designated person should:
- Command a budget for necessary resources.
- Possess knowledge of cybercrime.
- Collaborate with the COLP in completing the risk assessment.
- Develop and implement policies, controls and procedures to mitigate risks.
3. Maintaining competence
Section 4.3 of the Code of Conduct for Firms and Section 3.3 of the Code for Solicitors highlight the importance of maintaining professional knowledge and skills. In the modern legal landscape, technology and cybersecurity knowledge are integral to the roles of solicitors and other employees. As such, firms should incorporate cyber security training into their competence development and continuing professional development (CPD) programs.
4. Handling cybersecurity incidents
In case of a cyberattack, the Code of Conduct for Firms outlines specific actions that firms must take:
- Be honest and open with clients about the breach.
- If clients suffer loss or harm, rectify the situation and explain what happened.
- Investigate potential claims and report outcomes to the SRA (Solicitors Regulation Authority).
- Notify relevant parties of potential claims if requested by the SRA.
Additionally, paragraphs 3.9 and 3.10 state that firms should promptly report facts or matters that might amount to a serious breach of regulatory arrangements. These reports must be made to the SRA or another approved regulator, as appropriate.
In case of a breach, firms should:
- Notify affected customers promptly, explaining the incident and its impact, and compensate for any damages.
- Inform the SRA and follow their guidance.
- Notify the Information Commissioner’s Office (ICO) and follow their guidance.
- Notify their professional indemnity insurer and follow their guidance.
In conclusion, law firms and solicitors need to prioritise cyber security to protect their clients and maintain regulatory compliance. Conducting risk assessments, establishing effective governance structures, providing training and having a clear incident response plan are key elements in meeting the SRA’s cybersecurity requirements. Firms that prioritise these aspects will be better equipped to navigate the digital landscape while safeguarding their clients’ interests. You can download our free Ultimate Guide to Cyber Security to better understand the risks to your firm and how to mitigate them.