Cyber Essentials and Cyber Essentials Plus: What Every Law Firm Should Actually Know

  • Darren Wild
  • Mar 28
  • 6 min read

Updated: Apr 11

TLDR


Cyber Essentials is no longer just an IT certification. For law firms, it is increasingly a minimum standard of care.


The SRA expects firms to manage foreseeable cyber risk. Insurers are asking harder questions at renewal. Larger clients and public sector bodies increasingly expect certification as a condition of appointment. Cyber Essentials provides a relatively low-cost way to demonstrate that your firm has basic but essential controls in place. Cyber Essentials Plus goes further by independently testing that those controls actually work.

For most firms, the real issue is not whether Cyber Essentials is technically difficult. It is whether you can justify not having it.


Key Takeaways


  • Cyber Essentials addresses five basic controls that prevent the majority of common cyber attacks.

  • Cyber Essentials is a self-assessment. Cyber Essentials Plus includes independent technical testing.

  • The certification is increasingly relevant to COLPs and managing partners because it evidences reasonable risk management.

  • Firms with turnover under £20 million that certify their whole organisation may receive up to £25,000 of included cyber insurance.

  • Many clients, insurers and public sector tenders increasingly regard Cyber Essentials as a minimum requirement rather than a differentiator.


The Solicitors Regulation Authority has told firms to stop asking themselves if they will be targeted by cyber criminals. The question, in its own words, is when.


And yet, when you speak to partners and COLPs across the sector, a surprising number have either never heard of Cyber Essentials or have filed it away as something for IT to deal with. That is a mistake.


Cyber Essentials is not simply an IT issue. It sits squarely within the responsibilities of anyone accountable for risk, governance, client confidentiality and business continuity.


In most firms, that means the managing partner, the COLP, or both.


What Cyber Essentials Actually Is


Cyber Essentials is a UK government-backed certification scheme overseen by the National Cyber Security Centre and delivered by IASME on behalf of the government.


The scheme requires organisations to demonstrate that five basic technical controls are in place:

  • Firewalls

  • Secure configuration

  • User access control

  • Malware protection

  • Patch management


These are not advanced or expensive controls. They are the cyber equivalent of locking the doors, checking the windows and making sure the alarm works.


Cyber Essentials exists because most successful cyber attacks are not sophisticated. They exploit weak passwords, unsupported software, old user accounts and systems that have not been patched.


There are two levels:

  • Cyber Essentials – a self-assessment verified by an accredited certification body.

  • Cyber Essentials Plus – the same controls, but independently tested by a qualified assessor.


Certification currently starts at around £320 plus VAT for the smallest firms and rises to approximately £600 plus VAT depending on headcount.


Why It Matters More for Law Firms Than Most Sectors


Law firms are attractive targets because they hold exactly the type of information criminals want: confidential negotiations, client money, personal data, litigation strategy and privileged communications.


A firm acting on a property transaction, corporate acquisition or contentious matter may hold information that can be monetised immediately.


UK law firms are now routinely targeted because they combine valuable data with, in many cases, limited internal cyber capability. The sector has experienced a sustained rise in phishing, ransomware and business email compromise attacks in recent years.

For COLPs, the issue is not whether the firm has an IT policy. It is whether the firm can evidence that it has taken reasonable and proportionate steps to protect client confidentiality and manage foreseeable risk.


The Solicitors Regulation Authority Code of Conduct requires firms to identify, monitor and manage material risks. Firms must also safeguard confidential information and properly oversee outsourced providers.


If your firm knows that cyber risk is foreseeable, knows that law firms are heavily targeted, and still cannot demonstrate even a basic level of control, that is an uncomfortable position if an incident occurs.


The Information Commissioner's Office can impose fines of up to £17.5 million or 4% of global annual turnover for serious breaches of data protection law. Beyond that sit the costs of client claims, business interruption, lost trust and regulatory investigation.


What Certification Actually Requires


For most small and mid-sized firms, achieving Cyber Essentials is less about buying new technology and more about proving that existing arrangements are actually working.


The practical questions are straightforward:

  • Are all devices running supported software?

  • Are security updates applied promptly?

  • Is administrative access restricted only to those who genuinely need it?

  • Is multi-factor authentication enabled?

  • Are firewalls and anti-malware protections properly configured?

  • Have former employees had their accounts removed?


This is where many firms discover the gap between assumption and reality.


It is common to find that several devices have not been patched in months, that former employees still have access to systems, or that administrator rights have been granted far more widely than anyone realised.


None of those weaknesses requires a sophisticated attacker to exploit. They simply require an open door.


Cyber Essentials Plus goes further by testing whether those controls genuinely work.


The assessor may:

  • Test external-facing systems for known vulnerabilities

  • Verify that devices block malicious files

  • Check that phishing protections are functioning

  • Confirm that multi-factor authentication is properly enforced


For firms handling particularly sensitive matters, or for those wanting stronger evidence for clients or insurers, Cyber Essentials Plus is often the more persuasive option.


The Insurance and Client Expectation Angle


One of the less well-known aspects of Cyber Essentials is that UK organisations with turnover below £20 million that certify their entire organisation are automatically eligible for cyber liability insurance of up to £25,000, arranged through IASME. This includes access to a 24-hour helpline, incident response and crisis management support.

That will not cover a major incident, but it may fund the crucial first response phase when decisions need to be made quickly.


More importantly, insurers increasingly expect firms to evidence basic cyber controls when renewing professional indemnity or cyber cover. An independent certification is usually more persuasive than a statement that the IT provider believes everything is under control.


The same is increasingly true of clients. Larger businesses, public sector bodies and panel appointments are beginning to treat Cyber Essentials as a baseline requirement rather than a mark of distinction.


If you are bidding for government work involving sensitive or personal data, Cyber Essentials has been mandatory since 2014.


Five Practical Priorities Before You Start


Before engaging a certification body, take the time to understand your current position. The National Cyber Security Centre provides a free Cyber Essentials Readiness Tool which is a useful starting point.


The five areas most likely to need attention are:


  1. User Accounts and Leavers: Review every account that has access to your systems. Remove anyone who no longer needs access. Former employees are a common and avoidable risk.

  2. Software and Patching: Every device in scope must be running supported software. Windows 10 reached end of support in October 2025. Any device still using it will create problems during assessment.

  3. Multi-Factor Authentication: Recent Cyber Essentials requirements strengthened expectations around MFA. It is now expected for administrator accounts and for cloud services accessible over the internet. If you use Microsoft 365 or a cloud-based case management system without MFA, address that first.

  4. Scope: Decide exactly what is covered by the certification. Cloud services, home-working devices and outsourced IT providers often create confusion. Be clear about where your provider's responsibility ends and yours begins.

  5. Board-Level Sign-Off: Cyber Essentials requires a senior person to sign the self-assessment. In a law firm, that is likely to be the managing partner or COLP. The intention is clear: responsibility for cyber risk should sit with the people who govern the firm, not be delegated entirely to IT.
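The practical questions listed earlier and the five priorities above are the same checks a firm would run against its own device and account register before engaging a certification body. The script below is an added illustration of how to turn that checklist into a repeatable readiness audit; it is not part of the original article, the scheme, or any NCSC or IASME tool. The register it reads is constructed sample data, the 14-day patch window is an assumed threshold for "promptly", and the field names (`os_supported_until`, `cloud_access`, `left_on`) are this example's own.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14  # assumed threshold: security updates older than this are "not prompt"


@dataclass
class Device:
    hostname: str
    os_name: str
    os_supported_until: Optional[date]  # None means the vendor still supports this OS
    last_patched: date


@dataclass
class Account:
    username: str
    is_admin: bool = False
    mfa_enabled: bool = False
    cloud_access: bool = False          # can sign in to internet-facing cloud services
    left_on: Optional[date] = None      # set once the person has left the firm
    disabled: bool = False


def readiness_findings(devices, accounts, today):
    """Return (category, subject, detail) tuples, one per gap against the checklist."""
    findings = []
    for d in devices:
        # Priority 2: every in-scope device must run supported software and be patched promptly.
        if d.os_supported_until is not None and d.os_supported_until < today:
            findings.append(("unsupported-software", d.hostname,
                             f"{d.os_name} reached end of support on {d.os_supported_until.isoformat()}"))
        age = (today - d.last_patched).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(("patching", d.hostname, f"last patched {age} days ago"))
    for a in accounts:
        if a.disabled:
            continue  # a disabled account cannot be used to sign in, so it is not a gap
        # Priority 1: leavers must have their access removed.
        if a.left_on is not None:
            findings.append(("leaver", a.username,
                             f"left on {a.left_on.isoformat()} but account is still enabled"))
        # Priority 3: MFA is expected on administrator accounts and cloud-accessible accounts.
        if (a.is_admin or a.cloud_access) and not a.mfa_enabled:
            why = "administrator" if a.is_admin else "cloud-accessible"
            findings.append(("mfa", a.username, f"{why} account without MFA"))
    return findings


def admin_share(accounts):
    """Fraction of enabled accounts holding administrator rights (a quick over-privilege signal)."""
    enabled = [a for a in accounts if not a.disabled]
    if not enabled:
        return 0.0
    return sum(1 for a in enabled if a.is_admin) / len(enabled)


def summarise(findings):
    """Count findings per category so the COLP sees the shape of the problem, not just a list."""
    return dict(Counter(category for category, _, _ in findings))


# Constructed sample register: hostnames, usernames and dates are invented for this example.
TODAY = date(2026, 3, 1)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11", None, date(2026, 2, 25)),
    Device("LAPTOP-07", "Windows 10", date(2025, 10, 14), date(2025, 12, 1)),  # Windows 10 end of support, October 2025
    Device("DESKTOP-03", "Windows 11", None, date(2026, 1, 10)),
]
SAMPLE_ACCOUNTS = [
    Account("jsmith", is_admin=True, mfa_enabled=True, cloud_access=True),
    Account("itadmin", is_admin=True, mfa_enabled=False),
    Account("aformer", mfa_enabled=True, cloud_access=True, left_on=date(2025, 11, 30)),
    Account("bgone", is_admin=True, left_on=date(2025, 9, 1), disabled=True),
    Account("cjones", cloud_access=True, mfa_enabled=False),
]


def run_sample():
    return readiness_findings(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for category, subject, detail in run_sample():
        print(f"[{category}] {subject}: {detail}")
    print("summary:", summarise(run_sample()))
    print(f"admin share of enabled accounts: {admin_share(SAMPLE_ACCOUNTS):.0%}")
```

Run against the constructed register, the audit flags the Windows 10 laptop as unsupported, two devices as outside the patch window, one leaver whose account was never disabled, and two accounts (one administrator, one cloud user) without MFA, while `admin_share` shows half of the enabled accounts hold administrator rights. In practice the register would be exported from the firm's directory and device management tooling rather than typed in; the scoring logic stays the same.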


Cyber Essentials or Cyber Essentials Plus?


The answer depends on your firm's risk profile and what you need to demonstrate.


  • A smaller firm with limited internal systems and no client-driven requirement may find standard Cyber Essentials an appropriate and proportionate starting point.

  • A larger firm, a firm handling particularly sensitive work, or one responding to insurer or client scrutiny should strongly consider Cyber Essentials Plus.


The distinction is simple.


Cyber Essentials says:

We believe these controls are in place.

Cyber Essentials Plus says:

An independent assessor has tested them and confirmed that they work.

For many law firms in 2026, that difference matters.


The Bigger Point


Cyber Essentials will not prevent every attack. It is not designed to.


What it does do is reduce the risk of the most common incidents: opportunistic attacks exploiting weak passwords, old accounts, unsupported software and poor patching.


The National Cyber Security Centre often describes most cyber attacks as the digital equivalent of a burglar trying the front door to see if it is unlocked.


Cyber Essentials makes sure the door is locked.


For a law firm holding privileged information, client money and sensitive personal data, that is no longer an optional extra. It is increasingly the minimum standard your clients, your regulator and your insurer expect.
