Solicitors Regulation Authority (SRA) - Reporting an incident

However, they discovered that seven significant incidents were not reported, despite clear and significant breaches. Furthermore, reports were not regularly made when clients were affected but the firm had not been directly involved, for example, where clients were tricked into sending money to a third party. While reporting incidents where only clients are affected is not a regulatory requirement, the SRA encourages reporting, as the information might be useful in helping its wider work to tackle cybercrime and raise awareness of common scams.

Certain cybercrime incidents involving personal data must be reported to the Information Commissioner's Office (ICO) within 72 hours. During the SRA's visits, they spoke with firms about their ICO responsibilities and found that nine firms had made a referral to the ICO following a cyberattack. However, the SRA also discovered that nine firms encountered an incident where it appeared personal data had been accessed, but no report had been made.

Finally, the SRA found that 23 firms had informed law enforcement following their last cybercrime incident. These included incidents where clients transferred significant amounts of money to fraudsters, highlighting the severity of cybercrime incidents.

In conclusion, it is crucial for firms and individuals to report cybersecurity incidents promptly and comply with regulatory and legal reporting requirements. This includes reporting to the SRA and the ICO where necessary.

Thank you for reading, and I hope you found this edition informative.


Don't wait for a cyber incident to strike. Take action today to safeguard your digital life. Stay one step ahead of the threats and enjoy peace of mind knowing that you're protected.