The UK Law Society and Cybersecurity Guidance

The UK Law Society and Cybersecurity Guidance

Does the UK Law Society go far enough in its guidance for legal professionals to help them protect against cybersecurity threats?

On 14 May 2024, the UK Law Society released an updated security questionnaire for legal practices to present to barristers’ chambers, so that law firms can understand what security controls are in place to protect their client’s data from cyberattacks, when instructing barristers. This is supplemented with a non-binding affirmation where both the barristers and the solicitors instructing them are “reminded” of the importance of cybersecurity.

Barristers' Chambers Security Questionnaire v2

The questionnaire, heavy with references to vendor specific technologies allows barristers to select “yes”, “no” and “don’t know” to 34 controls and the law society recommend that chambers revisit their responses and make available the results to their instructing solicitors every 6 months. It's not clear whether there is any minimum required standard that should be met or how questionnaires should be evaluated by the law firms.

Lexcel v6.1

Reviewing Lexcel, the Law Society’s quality mark for legal practice client care, compliance and practice management, a standard is defined across a number of core practice areas, including information management and risk management. Requirements around financial management, like requirement 2.2, mandate that documents must be produced to evidence sound financial management procedures such as budgeting, accounting and variance analysis. On the other hand, information management requirements are much more lenient, only requiring documented policies that describe which security controls should be in place. None of these controls are actually evidenced or tested as part of the Lexcel accreditation.

Lexcel’s information management requirement 3.2 recommends, but does not go as far as mandating, a Cyber Essentials accreditation - an accreditation which contains only the most basic of cybersecurity protective controls. Legal firms are prime targets for cyberattacks based on their proximity to high value personal information and client funds. Lexcel (in its current 6.1 version released in 2018) is wholly inadequate as a quality accreditation against which clients can be assured that their data and money are safe.

The next version of Lexcel might consider mandating a Cyber Essentials Plus certification which will ensure that protective security controls evidenced, tested in-place and working as described in the information security policies. At least this would then reach parity with the questionnaire directed at barristers’ chambers where they are evaluated on their security awareness training, resilience, patching and frequency of penetration testing.

Conveyancing Quality Scheme

Unfortunately, the Conveyancing Quality Scheme (CQS) management standards suffer the same issues as Lexcel, prescribing only policies and no real controls for cyber risk management. Make no mistake, a legal firm who has been accredited with Lexcel or CQS and who has even gone beyond the baseline requirements to achieve a Cyber Essentials accreditation, is still a prime target for a cyberattack and has not done enough – the guidance is simply not strong enough and frankly, legal firms are probably better guided by their insurers with whom they have cyber insurance.

Until the quality of the accreditations and guidance improve, legal firms and their managers responsible for IT risk will need to diligently look beyond the minimum requirements. The cybersecurity industry is filled with vendors selling “silver bullets”, making the selection and implementation of the right security controls a daunting task, especially within a tight IT budget. There is no one-size-fits-all approach to cyber risk management, and legal firms need to partner with an experienced and knowledgeable cybersecurity business. This partnership should provide honest risk assessments, optimise security control selection, and ensure that risk mitigations are properly implemented and evidenced.