At some point, after 2020, there must have been a meeting between management at the Legal Aid Agency (LAA) and the government when the LAA computer systems were discussed. Someone in that meeting may have raised the possibility of cyber-attack and the necessary steps which would need to be taken in order for proper cyber security, or cyber resilience, to be put in place. A number representing the costs for those appropriate steps could have been mentioned. And following that meeting, someone has concluded that spending money to protect critical infrastructure at the LAA was simply not worth it. In April 2025, the LAA discovered a cyber-attack following a breach four months earlier on 31 December 2024. In January 2026, the LAA has still not fully recovered.

Numbers crunched and in context

The Office for Budget Responsibility (OBR) estimates that a cyber-attack on national critical infrastructure could temporarily increase borrowing by over £30 billion – equivalent to 1.1% of Gross Domestic Product (GDP). Independent research for the Department for Science, Innovation and Technology suggests the average cost of a significant cyber-attack in the UK is now over £190,000.* This amounts to around £14.7 billion a year across the economy – equivalent to 0.5% of the UK’s GDP.

To place this in context, this is seven times the entire annual budget for criminal legal aid, based upon the independent research; and over 14 times the criminal legal aid budget based upon the OBR research. According to the OBR, the cost of a significant cyber-attack to the UK government is 127.5 times more expensive than the entire budget for government-backed legal assistance to individuals in the civil courts. Whether or not you believe that an innocent woman should be provided with free representation to defend a criminal allegation, or a father should have the assistance of a solicitor to secure contact with their children, it is clear that the impact of a significant cyber-attack is economically serious.

So, what is the ‘one thing’ being done to stop this?

On 12 November 2025, the UK government introduced the Cyber Security and Resilience Bill to ‘strengthen national security and protect growth by boosting cyber protections for the services that people and businesses rely on every day’. 

One thing that Liz Kendall, Secretary of State for Science, Innovation and Technology, did was say: ‘I’m sending them a clear message: the UK is no easy target.’ National Cyber Security Centre CEO Dr Richard Horne, meanwhile, urged: ‘We must act at pace to improve our digital defences and resilience.’

But what does this all actually mean? And what is the one thing, the really practical thing, that might actually make a difference?

Is the legal sector a ‘critical service’?

Announced in the King’s Speech, the Cyber Security and Resilience Bill has been designed to strengthen cyber defences across Britain’s ‘critical sectors’, including public services such as healthcare, drinking water, transport and energy. The Bill will make amendments to the Network and Information Systems Regulations 2018 (NIS) to bring the UK’s domestic legislation in line with the European Union’s NIS2 Directive, which was brought into force in October 2024. The question is, though, which sectors will be considered ‘critical’, and is there any part of the legal sector that may be affected?

The NHS and utility companies have been specifically mentioned as ‘critical public services’ which must comply with the Act when in force. Suppliers to these services will also fall within the remit. IT service providers to the NHS, for example, will be deemed as critical by association. This will include help desk support and IT management which will be required to meet stricter cyber security requirements.

Regulators will also gain new powers to designate critical suppliers to essential UK services – such as diagnostic labs serving the NHS or chemical suppliers to water companies – if they meet specific criteria. Designated suppliers must comply with minimum security standards, closing supply chain gaps that cybercriminals could exploit to cause wider disruption. 

Barristers or chambers supplying legal advice to critical public services could potentially fall within this ‘critical by association’ designation.

Creating a cyber governance culture

The Cyber Security and Resilience Bill is one of a number of legislative steps that might have a practical impact. (I am a little sceptical that the Secretary of State’s message will actually deter cyber criminals.) On 8 April 2025, the Cyber Governance Code of Practice was published. This has been created to support boards and directors in governing cyber security risks. The Code sets out the most critical governance actions for which directors are responsible. The Code is focused on medium and large businesses, over 70% of which have reported experiencing some form of cyber-attack in the last 12 months.

The Code is not necessarily designed with chambers in mind, and certainly not for individual practitioners, but considering the areas of advice is certainly worthwhile: A. Risk management; B. Strategy; C. People; D. Incident planning, response and recovery; and E. Assurance and oversight. The Bar Council and Law Society Questionnaire encompasses elements of the advice, for example Action A4, to assess the risk from supply chain and business partners. Similarly, promoting a cyber security culture that encourages positive behaviour (Action C1) might be good for any clerks’ room; and Action D1, gain assurance that the organisation has a plan to respond and recover from a cyber incident, if heeded, may have assisted the LAA following their cyber-attack last year.

But big-picture thinking, soundbites and calls for action can feel very nebulous when going about your day-to-day. Even legislative action is only as practically useful as the people implementing it. While Horne is absolutely correct that we must all improve our cyber resilience ‘at pace’, distilling this into a single practical step may be tricky. And to some extent it is. Cyber resilience does require a cultural change: a mind-set which appreciates the importance of cyber security, and a willingness to put the necessary steps in place: design the policies and procedures; undertake the training; follow the advice and guidance; achieve the Cyber Essentials certification.

So, what is the ‘one thing’ barristers can do?

Change your password. It is so important. ‘Password1!’ is not a safe password. In fact, it is the equivalent of not having a password at all. You are effectively allowing anyone who knows your name to access your personal details. Not tech-savvy cyber criminals employing the most up-to-date artificial intelligence to apply the latest techniques in social engineering. Anyone who knows your name. And changing it to ‘P@55w0rd1!’ is only marginally better. Many username/password combinations can be found on the dark web. Following the TalkTalk hack in 2015 (and even before), huge lists can be purchased for very modest sums. So if you are using the same password as you did at Bar school or university, your personal data is exposed.

Change your password to three simple words. Even better, generate a random password which is secured by biometric data: either a fingerprint or face ID. Also, activate multi-factor authentication. And change all of your passwords. I know it is tedious, time-consuming and may feel unnecessary. But access to one account can provide information that can lead to another. Do not allow an unsecured Hotmail account from 2014 to crash the entire IT network of your best solicitor. So, if you do one thing: change your password.


References

‘LAA system was “extremely high risk” in 2021, MPs told’, Law Society Gazette, 27 October 2025

‘The fiscal risks posed by cyberattacks’, Office for Budget Responsibility, 2021

Independent research by Alma Economics, KPMG and Frontier Economics on the economic impact of cyber-attacks on the UK, for the Department for Science, Innovation and Technology, 12 November 2025

Cyber Governance Code of Practice, Department for Science, Innovation and Technology and National Cyber Security Centre, April 2025

Bar Council and Law Society Cyber Security Questionnaire

Cyber Essentials