If you’re a solicitor or legal practice accredited under the Lexcel scheme, you’ve likely noticed a shift. The Law Society’s Lexcel v6.1 standard has introduced expanded requirements around information security — bringing cybersecurity firmly onto the agenda for UK law firms of all sizes.

And for good reason.

Legal practices are increasingly targeted by cybercriminals seeking sensitive client data, financial details, or access to wider corporate networks. The Lexcel standard now recognises that strong cybersecurity is not a bonus — it’s a baseline for professional conduct.

What Has Changed in Lexcel?

Lexcel v6.1 includes several important updates, particularly under:

🔐 Standard 5.7 – Information Management and Security
📄 Standard 6.3 – File Management and Data Handling
📥 Standard 7.5 – Risk Management, including cyber risk as part of business continuity planning

Practices are now expected to show evidence of:

  • Data protection policies covering digital systems

  • Awareness training for all staff on cyber threats

  • Clear access controls for case management systems

  • Supplier and third-party risk assessment (including outsourced IT providers)

  • A documented response plan for cyber incidents and data breaches

These are not just tick-box requirements — they’re strategic necessities in a digital legal environment.

The Risks Law Firms Must Now Address

⚠️ Email compromise – Still the most common route into legal systems, particularly for conveyancers and probate firms.
⚠️ Ransomware – Several UK practices have suffered extended downtime, data loss, and reputational harm.
⚠️ Third-party IT exposure – Many smaller firms outsource their infrastructure but fail to monitor supplier security.
⚠️ Legacy systems – Outdated case management platforms or insecure VPNs leave firms wide open.

Law firms are rich targets — handling funds, confidential documents, and critical transactions — yet many operate without a dedicated IT or security lead.

What Good Looks Like for Lexcel Compliance

To meet both the spirit and the letter of the Lexcel standard, we recommend:

  1. Annual vulnerability scanning – Identify misconfigurations and exposed assets across your public infrastructure.

  2. Supplier due diligence – Check your IT provider’s cyber hygiene. Can they demonstrate secure practices?

  3. User training and phishing tests – Educate your staff on common attack vectors and assess awareness regularly.

  4. Documented response plans – Know what you’ll do (and who will do it) if you suffer a breach or ransomware attack.

  5. Data access reviews – Ensure staff have only the access they need, and that ex-employees are deprovisioned promptly.
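Recommendation 5 is the one most firms can start automating straight away, because the evidence a Lexcel assessor wants (who has access, whether leavers are gone, whether access matches role) comes from comparing two lists you already hold: the HR roster and the account export from the case management system. The script below is an added illustration of such a review; it is not Cyber Tzar's tooling or part of the Lexcel standard. The job-title-to-role baseline, the 90-day dormancy threshold and all roster and account records are constructed sample data.

```python
"""Leaver and least-privilege access review (added example, constructed data).

Cross-references an HR roster against an account export and flags:
  * accounts still enabled after the person's leaving date
  * enabled accounts with no matching HR record
  * roles granted beyond what the job title should need
  * enabled accounts with no login for more than DORMANT_DAYS
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Hypothetical baseline: roles each job title legitimately needs.
ROLE_BASELINE = {
    "fee_earner": {"read_matters", "edit_matters"},
    "paralegal": {"read_matters"},
    "finance": {"read_matters", "client_account_payments"},
    "it_admin": {"read_matters", "edit_matters", "system_admin"},
}
DORMANT_DAYS = 90  # assumed threshold for "no longer in use"


@dataclass
class Person:
    username: str
    job_title: str
    leaving_date: Optional[date]  # None while still employed


@dataclass
class Account:
    username: str
    enabled: bool
    roles: Set[str]
    last_login: Optional[date]  # None if the account has never logged in


def review_access(people: List[Person], accounts: List[Account],
                  today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every account needing attention."""
    roster = {p.username: p for p in people}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        person = roster.get(acct.username)
        if person is None:
            # An account nobody in HR owns is a classic leftover from a leaver or a contractor.
            if acct.enabled:
                findings.append((acct.username, "enabled account with no HR record"))
            continue
        if person.leaving_date and person.leaving_date <= today and acct.enabled:
            findings.append((acct.username, f"leaver still enabled (left {person.leaving_date})"))
            continue  # other checks are moot until the account is disabled
        if not acct.enabled:
            continue  # disabled accounts are correctly deprovisioned
        extra = acct.roles - ROLE_BASELINE.get(person.job_title, set())
        if extra:
            findings.append((acct.username, f"roles beyond job title: {sorted(extra)}"))
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            findings.append((acct.username, f"dormant account (no login in {DORMANT_DAYS} days)"))
    return findings


def sample_review() -> List[Tuple[str, str]]:
    """Run the review over constructed sample data as of a fixed date."""
    today = date(2025, 6, 1)
    people = [
        Person("alice", "fee_earner", None),
        Person("bob", "paralegal", date(2025, 5, 15)),     # left, not yet deprovisioned
        Person("carol", "finance", None),
        Person("dave", "it_admin", None),
        Person("frank", "paralegal", date(2025, 1, 1)),    # left and correctly disabled
    ]
    accounts = [
        Account("alice", True, {"read_matters", "edit_matters"}, date(2025, 5, 30)),
        Account("bob", True, {"read_matters"}, date(2025, 5, 14)),
        Account("carol", True, {"read_matters", "client_account_payments", "system_admin"},
                date(2025, 5, 28)),
        Account("dave", True, {"read_matters", "edit_matters", "system_admin"}, date(2025, 1, 10)),
        Account("erin", True, {"read_matters"}, None),     # no HR record at all
        Account("frank", False, {"read_matters"}, date(2024, 12, 20)),
    ]
    return review_access(people, accounts, today)


if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user:8} {finding}")
```

Run monthly, the output list is the access review record itself: each line is either actioned (account disabled, role removed) or signed off with a reason, which is exactly the evidence trail an assessor asks for. Keeping the role baseline in version control alongside the script means changes to "who may have what" are themselves reviewable.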

How Cyber Tzar Supports UK Law Firms

At Cyber Tzar, we provide practical, SaaS-based tools that support law firms in demonstrating Lexcel compliance — and in building real resilience:

✅ Real-time vulnerability scanning across client-facing systems
✅ Supplier and IT partner risk benchmarking
✅ Compliance dashboards to track Lexcel-aligned controls
✅ Reports that can be shared with auditors, stakeholders, and clients

Whether you’re applying for Lexcel for the first time or preparing for reaccreditation, we give you the evidence, oversight, and confidence you need to meet the new cybersecurity bar.
⚖️ Want to understand where your firm stands against the Lexcel standard?
Get a tailored cyber risk scan at cybertzar.com
