IT support insights
Strategy · 28 March 2026 · 8 min read

What the SRA and your PII insurer actually want from your IT

Renewals are getting sharper. 'We have MFA' isn't an answer; 'here's the evidence' is. A short tour of what insurers and regulators are now expecting.

Law firm PII renewals used to be a tick-box. They're not any more. Insurers have been burnt by Business Email Compromise and ransomware claims in the legal sector, and the questionnaires now ask for evidence rather than assertion. The SRA's tone on competent use of technology has sharpened in parallel.

The shift is most visible at conveyancing firms, but it applies across the market. Commercial firms, family firms, chambers and in-house teams all face questions that would have looked exotic five years ago.

The list that keeps coming up

MFA enforced for all users, not just partners. The questionnaire wants to know coverage in percentage terms, and 'most users' isn't a winning answer. The number to aim for is 100% of accounts, including service accounts where possible and with documented exceptions where not. Registered is not the same as enforced: a user who has set up an authenticator but isn't subject to a policy that requires it still counts as a gap, and the evidence needs to show both.

Backups of Microsoft 365 that have been restored in the last twelve months. Not configured. Restored. Insurers increasingly ask for the date of the last test restore and the recovery time achieved. A backup you've never restored is treated as no backup at all.

A documented incident response plan that names roles. Not an aspiration document. A plan with a named incident lead, a contact list for the incident response partner, the SRA, the ICO, the cyber insurer and a PR firm if appropriate. The plan should fit on one or two pages and live somewhere everyone can find it under stress.

Security awareness training with evidence of completion. A platform-delivered training with reporting, not a single-line entry in a handbook. The insurer wants to see that staff have completed it within the last twelve months, with refreshers scheduled.

Cyber Essentials, ideally Plus. The cost is small relative to a PII premium reduction or to keeping cover at all in the harder corners of the conveyancing market.

What the SRA actually says

The SRA Standards and Regulations don't prescribe specific technical controls. They expect 'competent' use of technology, protection of client confidentiality, and management of risks. The various Warning Notices give specifics: cybercrime, fraudulent emails, ransomware, and recently AI.

In investigations, the SRA increasingly cites the gap between what a competent firm would have done and what the firm in question actually did. Lack of MFA, untested backups, no incident response plan and no security awareness training all read as gaps a reasonable firm would have closed.

What insurers actually ask

PII proposal forms now run to fifteen or twenty pages of cyber-specific questions for conveyancing firms, and ten to fifteen for general practice. Typical sections cover identity and access, endpoint security, backup, supplier risk, training, and incident response.

The questions are reasonable. The problem is that many firms answer them without the underlying evidence, and discover at claim time that the gap matters. An insurer can void cover for material misrepresentation, and 'we said we had MFA but we didn't actually enforce it on legacy authentication' is exactly the kind of statement that becomes one: legacy protocols such as IMAP, POP3 and SMTP AUTH can't prompt for a second factor, so unless they're blocked a password alone still signs in to the mailbox.

Treating it as routine, not a fire drill

An IT partner that knows the legal sector will build the evidence pack quietly through the year, not the week before renewal. Quarterly check-ins, an annual gap assessment against the current PII questionnaire, evidence captured automatically through Microsoft 365 reporting, and a single source for all the documents.

By the time renewal arrives, completing the questionnaire is an hour's work, not a panic. The premium reflects an evidenced posture rather than a hopeful claim.

The AI question

Recent SRA guidance and insurer questionnaires increasingly ask about AI use. How is the firm using AI tools? What client data flows through them? What controls are in place around confidentiality?

A firm using Microsoft 365 Copilot inside its tenant, with sensitivity labels and proper SharePoint hygiene, has a defensible answer. A firm with fee-earners pasting client documents into public ChatGPT does not. The conversation will move quickly over the next two years; getting ahead of it is cheap and avoids the awkward middle.

What an evidence pack looks like

A single folder, kept current, containing: MFA coverage report from Entra ID, conditional access policy summary, backup test logs with dates and RTOs, the incident response plan with last review date, training completion report, Cyber Essentials certificate, and a summary of any incidents and the response.
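An added example, not code from the article or from any provider it mentions, that produces the two Entra ID items listed above (the MFA coverage report and the Conditional Access summary) and checks for the legacy-authentication gap described under 'What insurers actually ask'. It reads the tenant through the Microsoft Graph PowerShell SDK and changes nothing. The output folder, the CSV file names and the choice of Global Reader as the signed-in role are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns
# Added example, not code from the article or the provider it describes.
# Builds two evidence-pack items from Entra ID, read-only, via the Microsoft
# Graph PowerShell SDK: an MFA coverage figure with a per-user CSV, and a
# Conditional Access summary that says whether MFA is actually enforced and
# whether legacy authentication is blocked. Assumes the SDK is installed and
# the signed-in account holds a reporting role such as Global Reader.
param([string]$OutDir = '.\evidence-pack')   # assumed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All' -NoWelcome

# 1. Coverage. This is registration, which is necessary but not sufficient:
#    a registered authenticator nobody is forced to use is not a control.
$users         = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$members       = @($users | Where-Object { $_.UserType -eq 'member' })
$notRegistered = @($members | Where-Object { -not $_.IsMfaRegistered })
$coverage      = [math]::Round(100 * ($members.Count - $notRegistered.Count) /
                               [math]::Max($members.Count, 1), 1)

$members |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable, DefaultMfaMethod |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'mfa-registration.csv')

# 2. Enforcement. Only policies in state 'enabled' count; report-only mode
#    proves nothing to an insurer.
$policies = @(Get-MgIdentityConditionalAccessPolicy -All)
$enabled  = @($policies | Where-Object { $_.State -eq 'enabled' })

# Microsoft's standard legacy-auth block: all users, client app types
# Exchange ActiveSync and "other clients", grant control "block".
$legacyBlock = @($enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.ClientAppTypes     -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes     -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
})

# MFA for everyone: all users, all cloud apps, grant control "mfa".
$mfaForAll = @($enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers               -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    $_.GrantControls.BuiltInControls               -contains 'mfa'
})

# Security Defaults are the no-Conditional-Access alternative: they require
# MFA registration and block legacy authentication tenant-wide.
$securityDefaults = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled

# Every exclusion on these policies is an "exception" the questionnaire
# expects to be documented, so list them rather than hide them.
$exclusions = @(($legacyBlock + $mfaForAll) | ForEach-Object {
    [pscustomobject]@{
        Policy         = $_.DisplayName
        ExcludedUsers  = ($_.Conditions.Users.ExcludeUsers  -join ';')
        ExcludedGroups = ($_.Conditions.Users.ExcludeGroups -join ';')
    }
})
if ($exclusions.Count -gt 0) {
    $exclusions | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'ca-exclusions.csv')
}

$summary = [pscustomobject]@{
    GeneratedUtc            = (Get-Date).ToUniversalTime().ToString('o')
    MemberAccounts          = $members.Count
    MfaRegisteredPercent    = $coverage
    AdminsNotRegistered     = @($notRegistered | Where-Object { $_.IsAdmin }).Count
    SecurityDefaultsEnabled = $securityDefaults
    LegacyAuthBlockPolicies = ($legacyBlock.DisplayName -join ';')
    MfaForAllUsersPolicies  = ($mfaForAll.DisplayName -join ';')
    ReportOnlyPolicies      = @($policies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' }).Count
}
$summary | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'ca-summary.csv')
$summary | Format-List

# The scenario from the text: "we have MFA" with legacy auth still open.
if (-not $securityDefaults -and $legacyBlock.Count -eq 0) {
    Write-Warning 'No enabled policy blocks legacy authentication: a password alone still signs in over IMAP/POP3/SMTP AUTH.'
}
if (-not $securityDefaults -and $mfaForAll.Count -eq 0) {
    Write-Warning 'No enabled Conditional Access policy requires MFA for all users; registration alone is not enforcement.'
}
```

Run it at each quarterly check-in and drop the CSVs into the evidence folder. Registration and enforcement are reported separately on purpose: Entra's registration report answers only the first, and the questionnaire is asking about the second. The exclusions file is the list of exceptions the questionnaire expects to see documented, so each entry should have a written reason next to it.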

The pack is read by the broker and the insurer. It's also reviewed by the SRA if anything goes wrong. Both audiences are looking for the same thing: evidence that the firm takes this seriously and behaves competently.

What good looks like

A firm where the evidence pack is up to date, the renewal is unremarkable, the IT partner can answer the cyber questions without the partners having to dig, and the SRA conversation - if it ever happens - is short.

That's the goal. The cost of getting there is modest. The cost of not getting there shows up at renewal, at claim, or in an SRA letter, and any one of those is worse than the cost of getting it right.

Brokers and the role they play

A good PII broker is a useful ally in this conversation. They've seen many firms' evidence packs, they know which insurers are easier on which questions, and they can guide what to emphasise and what to remediate before submission.

Treat the broker as part of the team rather than a quote-shopper. The firms that get the best renewal outcomes are usually the ones who started the conversation with the broker six months out and arrived at submission with everything in place.
