Cyber insurance for solicitors — 2026 guide for UK law firms

Reviewed by Matthew Bartlett, Director · Last reviewed 9 July 2026

Solicitors' firms sit in the front rank of cyber targets in the UK. The reasons are structural: firms hold identifiable personal data at scale, take instructions and route funds by email, and operate client accounts subject to strict SRA rules. This entry sets out how cyber cover works for a law firm, how it fits with the SRA Minimum Terms and Conditions professional indemnity wording, and what the regulator expects when a breach happens.

Why solicitors need cyber cover

SRA Principle 6 requires solicitors to act in a way that encourages equality, diversity and inclusion — but it is Principle 7 and the Code of Conduct's confidentiality duty that most obviously bite when client data is lost. Rule 6 of the Codes of Conduct requires firms to keep the affairs of current and former clients confidential unless disclosure is required or permitted by law. The SRA Accounts Rules impose separate duties around client money that make conveyancing wire fraud a compliance event, not just a commercial one.

UK GDPR sits on top. Every firm is a data controller for client personal data. A breach that meets the risk threshold in Article 33 triggers an ICO notification within 72 hours. The National Cyber Security Centre and Action Fraud have documented conveyancing wire-fraud attacks against small firms for a decade; the pattern of compromised email, spoofed completion instructions and diverted client funds is now sufficiently well-known that failing to have controls in place raises its own SRA question.

What a solicitors' cyber policy typically covers

Wordings vary but the categories are consistent. First-party covers usually include breach response (specialist legal, forensic and PR support from the first call), cyber extortion and ransomware where lawful, business interruption for a defined period after a security event, data restoration, and cybercrime cover for social-engineering fraud and diverted funds. The cybercrime section is the one that responds to the classic conveyancing scenario, and it is often sub-limited well below the aggregate — the practical implication is that firms with heavy purchase volumes should treat the sub-limit as a specific negotiation point rather than a footnote.

Third-party covers include privacy and network security liability (defence and damages for client claims), regulatory investigation costs (both ICO and SRA), regulatory fines where insurable at law, and media and content liability. The interaction with the firm's SRA-mandated PI policy matters at least as much as any single clause — a client sued for professional negligence following a data breach will look to PI; the response costs will look to cyber.

What is typically excluded

Expect exclusions for state-sponsored acts (usually via the Lloyd's Market Association war clauses), prior known circumstances, losses arising from unpatched critical vulnerabilities after a defined window, unencrypted portable media, and bodily injury. Some wordings exclude losses arising from failure to follow the firm's own written procedures — a policy that turns the firm's SRA compliance documentation into a condition precedent is a very different product from one that treats it as background context. A specialist broker checks how this is drafted.

The UK GDPR notification clock

Article 33 of the UK GDPR requires notification to the ICO of a personal data breach without undue delay and, where feasible, within 72 hours. Article 34 requires notification to affected data subjects where the breach is likely to result in a high risk to their rights and freedoms. For solicitors, the practical trigger is often a compromised mailbox with client correspondence, which is almost always personal data at some level of sensitivity. The DPA 2018 fills in the regime for special category data. Firms will also owe internal notifications: to the SRA under paragraph 7.7 of the Code where the breach is a serious breach, to the firm's PI insurer (as a circumstance) and to clients affected.

Cyber versus PI — where they overlap and where they do not

The SRA MTC PI wording covers civil liability arising from the practice. A negligent handling of client data is a civil liability event — so a client claim following a breach is a PI claim on the SRA-mandated wording. What the MTC does not fund is the response: the forensic team, the ICO notification, the ransom decision, the client communications, the credit monitoring. Those sit on cyber. A specialist broker aligns wordings so an event that touches both is handled by both insurers without argument over who leads.

Controls that underwriters look for in a solicitors' firm

Cyber underwriters price on evidence of practical safeguards. For a law firm expect to be asked about multi-factor authentication on remote access and email, endpoint detection and response on every machine, offline or immutable backups tested at least annually, a documented patch cadence, staff phishing training with a conveyancing-specific module, dual-verification procedures on any change-of-bank-details instruction, and an incident response plan that names the SRA reporting path and the firm's PI insurer's circumstance notification address. A firm that answers no to any of the ransomware or funds-transfer safeguards will find those sections stripped from the quote or heavily sub-limited.

How Apex handles solicitors' cyber cover

Apex Insurance Brokers Limited places cyber cover for law firms alongside SRA-compliant PI. We work with Lloyd's syndicates and specialist company markets, review the cybercrime sub-limit against the firm's typical conveyancing volume, and check the interaction with the PI wording line by line. Client retention runs at 95%. Commission is disclosed on request under ICOBS 4.4. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, firm reference number 724952.