What to do after a cyber-attack

Knowing what to do after a cyber-attack will help you protect your firm’s systems from further damage or loss, and your clients’ data from being compromised.

26 Jun 2025

3 minute read

This guide explains how to:

limit damage to systems and data
comply with regulations

If personal data is lost, you’ll need to know what to do under the UK General Data Protection Regulation (GDPR).

You may need to tell the Solicitors Regulation Authority, and your clients if their data is affected.

You should know what to expect from your professional indemnity insurance and cyber insurance.

Be aware of what client information you can give to your insurers. You should also know what you can tell your clients and other parties about your insurers.

If your system has been hacked

If you’ve been hacked, you should follow your response plan.

This should outline how to alert the right members of staff, take actions to stop the attack, and reduce the damage.

This may involve:

disconnecting from the internet
disabling remote access
installing any pending security updates or patches
changing passwords
maintenance work on your firewall

Document the attack and the steps you took to fix it. You’ll need these records if you need to report the attack, for example under GDPR.

Find out what happened

Investigate the hack to understand the extent of it. Do not delete any files as this could make the situation worse.

If you have a website hacker protection service, the monitoring service should give you an early warning that you’ve been attacked.

Taking down your website

If your website is badly attacked, you may decide to take it down in the short term.

If you do not already have a back-up plan in place, ask your hosting provider to back up your website data.

You can use external website hack cleaning services to scan, diagnose and fix your website.

Reporting the attack

Your reporting duty will depend on the kind of cyber-attack you’ve experienced and what the damage was.

If money is lost

If you lose client money or information through an attack, you must immediately contact the Solicitors Regulatory Authority (SRA).

This applies even if you recover the money later.

The SRA will expect you to:

tell the client
repay any money you lost
take steps to reduce risks of a further attack

You should also contact:

your bank to find out whether it will be able to replace the funds
your professional indemnity insurer

If sensitive personal data is lost

You must report a personal data breach to the Information Commissioner’s Office (ICO).

This is a requirement of the UK GPDR.

To raise awareness of risks and allow others to learn from the event, you may also wish to report attack to the SRA and Action Fraud.

Telling clients

You may need to tell your clients if the attack is likely to negatively affect their personal data or privacy.

You do not need to do this if you can prove the data was protected with encryption or a similar security measure.

Read the ICO's guidance on when and how to notify clients.

You should have a PR strategy in place to handle any incoming questions from clients. Tell your client-facing employees what your position is and give them any information that may be useful.

Learning from the attack

At an appropriate point, review the attack with your employees.

Discuss:

how it happened
what the impact was
what went well in responding to the attack
what improvements could be made

Informing your insurers

You should be aware of client confidentiality when talking to your insurers.

Professional indemnity insurance

Under the terms of your professional indemnity insurance (PII) policy, you must tell your insurer about any circumstances that may lead to a claim.

You’ll also have to give some details of your insurers to clients and/or claimants. For more information, read:

These regulations only apply to the compulsory element of the insurance.

You should not give information about your insurers beyond what is necessary. Ideally, get your insurer to agree what you may tell clients and other parties.

Do not admit liability or offer a settlement to any third party without consent from your insurers.