Cyber attacks on UK law firms are no longer hypothetical. The SRA's 2024 Risk Outlook identified cyber crime as a top threat to the profession, with firms of all sizes targeted. Client data, conveyancing completion monies, and confidential litigation files are valuable targets.
If you are a solicitor, law firm partner, or COFA, you have likely been asked to approve a cyber insurance premium. The question that follows is straightforward: is the premium an allowable expense for tax purposes? The answer is yes, but only if the policy meets certain conditions. This article explains the tax treatment, the SRA's expectations on cyber cover, and how to handle the cost in your firm's accounts.
Is Cyber Insurance an Allowable Expense for a Solicitor Law Firm?
Yes, cyber insurance premiums are generally an allowable expense for a UK solicitor law firm, provided the policy covers the firm's trade risks. The cost is deductible against the firm's profits for corporation tax (if the firm is a limited company) or for income tax (if the firm is a partnership or LLP).
HMRC's guidance on allowable expenses under the "wholly and exclusively" rule (ITTOIA 2005 s.34 for income tax / CTA 2009 s.54 for corporation tax) applies here. The premium must be incurred wholly and exclusively for the purposes of the trade. A cyber insurance policy that covers the firm's own breach response costs, forensic investigation, notification costs, and business interruption meets this test. The premium is deductible even where the policy promises to pay regulatory fines (where insurable); it is any fine actually paid, not the premium, that is non-deductible.
Where the policy includes cover for third-party losses (for example, client money stolen due to a cyber attack), that element is also an allowable expense because it directly protects the firm's professional indemnity exposure. The SRA Accounts Rules require firms to protect client money; cyber cover is part of that protection.
What About Personal Cyber Cover for Partners?
A separate question arises when a partner takes out personal cyber insurance for their own devices or home office. If the partner uses that equipment exclusively for the firm's work, the premium may be deductible. But if the policy covers personal use as well, HMRC will likely argue the cost is not wholly and exclusively for the trade. In practice, the firm should pay for the policy directly and ensure it is a business policy, not a personal one.
SRA Expectations on Cyber Cover
The SRA does not mandate cyber insurance by name, but its regulatory requirements effectively push firms toward having it. The SRA Accounts Rules require firms to keep client money safe, and the SRA Code of Conduct for Firms requires firms to have "effective governance structures, arrangements, systems and controls" in place (paragraph 2.1) and to "identify, monitor and manage all material risks" to the business (paragraph 2.5). Cyber risk falls squarely within both.
In practice, the SRA's guidance and enforcement decisions point firms toward having:
- A documented cyber security policy
- Staff training on phishing and social engineering, including how to verify a change of bank details before any money is sent
- Appropriate technical controls (multi-factor authentication on email and case management systems, prompt patching, and encrypted backups kept offline and tested for restore)
- A response plan for a data breach or cyber incident, including who notifies the ICO, the SRA, the bank and affected clients
- Cyber insurance to cover the financial consequences the controls above cannot eliminate
If a firm suffers a cyber attack and does not have cyber cover, the SRA may view that as a failure of risk management. The COFA should ensure the firm's risk register includes cyber risk and that the insurance position is documented.
How to Treat Cyber Insurance in the Firm's Accounts
Cyber insurance premiums are typically paid annually in advance. For accounting purposes, spread the cost over the policy period rather than expensing it on the payment date. If the premium is £6,000 for a 12-month policy starting 1 July 2025 and the firm's accounting year ends on 31 December 2025, recognise £3,000 (six months) as an expense in the year ended 31 December 2025 and carry the remaining £3,000 as a prepayment on the balance sheet, to be released in the year ended 31 December 2026. Where the policy period does not split into whole months, apportion on a daily basis.
For tax purposes, HMRC allows the deduction in the period the expense is recognised in the accounts, provided the accruals basis is used. Most law firms use the accruals basis (FRS 102 or FRS 105). If a sole practitioner or general partnership uses the cash basis, the deduction is taken when the premium is paid; the cash basis is not available to limited companies or LLPs.
VAT Treatment of Cyber Insurance
Cyber insurance premiums are exempt from VAT under the insurance exemption (VATA 1994, Schedule 9, Group 2), so the insurer will not charge VAT on the premium and there is no input VAT for the firm to recover. This is the same treatment as professional indemnity insurance. The premium will instead carry Insurance Premium Tax (12% at the standard rate), which is not recoverable; it forms part of the premium cost and is deductible with it.
If the policy includes additional services (for example, cyber security audits or breach response services) that are separately itemised and VAT-rated, those elements may attract VAT at 20%. Check the policy wording carefully. If the insurer charges VAT on a bundled service, you can recover it if your firm is VAT-registered and the service relates to your taxable supplies.
Data Breach Insurance vs Cyber Insurance: What's the Difference?
Some firms buy "data breach insurance" as a standalone policy, while others buy broader "cyber insurance". The tax treatment is the same for both, provided the policy covers the firm's trade risks. The key difference is scope:
- Data breach insurance typically covers costs arising from a breach of personal data: notification to the ICO and affected individuals, credit monitoring for affected clients, legal defence costs, and regulatory fines where insurable. Note that ICO monetary penalties are generally regarded as uninsurable in the UK on public policy grounds, and any fine the firm does pay is not tax deductible.
- Cyber insurance is broader and may also cover business interruption, system restoration, incident response and forensic costs, ransom payments, and third-party liability for loss of client money. Cover for ransom payments is not a reason to pay one: the NCSC and the ICO jointly discourage payment, and paying a sanctioned entity can itself be an offence, so the insurer's incident response team and the firm's own legal advice should drive that decision.
For a solicitor law firm, a comprehensive cyber insurance policy is usually more appropriate than a narrow data breach policy. The SRA's guidance on cyber security recommends firms consider the full range of risks, including financial loss from fraudulent payment instructions, where an attacker who has compromised an email account sends altered bank details to the firm or its client (often called "mandate fraud" or, in conveyancing, "Friday afternoon fraud"; impersonating a partner to authorise a payment is the related "CEO fraud").
Can a Solicitor Claim Cyber Insurance as a Personal Deduction?
If you are a partner in a law firm, you should not claim cyber insurance that covers the firm as a personal expense. The expense must be borne by the firm and deducted against the firm's profits; partners then pay tax on their share of the firm's profits after the deduction. A sole practitioner is the firm, so the premium simply goes through the practice's trading accounts rather than being claimed separately.
If you are a locum solicitor or consultant solicitor working through a limited company, the company can claim the premium as an allowable expense. The same "wholly and exclusively" test applies. If the policy covers both business and personal use, the company should apportion the cost or buy a separate business-only policy.
Practical Steps for the COFA
If you are a COFA (Compliance Officer for Finance and Administration), you should ensure the firm's cyber insurance policy is reviewed annually. Key points to check:
- Does the policy cover the firm's specific risks (client money, conveyancing transactions, litigation files)?
- Is the limit of indemnity sufficient? The SRA does not specify a minimum, but £250,000 to £500,000 is common for small firms. Larger firms may need £1m or more.
- Does the policy include cover for regulatory investigation and defence costs? Some policies exclude these, and cover for ICO fines is of limited value because such penalties are generally regarded as uninsurable.
- Is the policy in the firm's name, not an individual partner's name?
- Is the premium paid from the firm's business account, not from client account?
The COFA should also document the firm's cyber risk assessment and the rationale for the chosen level of cover. This documentation will be useful if the SRA ever asks about the firm's risk management systems.
Common Mistakes with Cyber Insurance Deductions
We see several recurring errors when law firms claim cyber insurance as an expense:
- Claiming the premium as a personal deduction. The firm must pay and claim the deduction.
- Not spreading the cost over the policy period. This can distort profit figures and may cause issues if the firm changes accounting periods.
- Treating the premium as a client account expense. Cyber insurance is a firm overhead, not a client money cost. Never pay it from client account.
- Forgetting to include cyber cover in the firm's risk register. The SRA expects to see evidence of risk management, not just the insurance policy.
- Assuming all cyber policies are VAT-exempt. Check the invoice for any VAT-rated services bundled in.
Conclusion
Cyber insurance is an allowable expense for a solicitor law firm, provided the policy covers the firm's trade risks. The cost is deductible against profits for corporation tax or income tax, the premium is exempt from VAT (but carries Insurance Premium Tax), and it must be paid from the firm's business account, never from client account.
The SRA expects firms to have appropriate cyber risk management in place, and cyber insurance is a key part of that. The COFA should ensure the policy is reviewed annually, documented in the risk register, and paid correctly.
If you are unsure whether your firm's cyber insurance policy meets the tax and regulatory requirements, speak to a legal-sector-specialist accountant. We can review your policy wording, check the VAT treatment, and ensure the deduction is claimed correctly in your firm's accounts.
For more guidance on law firm compliance and tax, see our COFA fundamentals guide and our COFA compliance support services. If you are considering a practice sale or merger, our practice valuation services can help you assess the impact of cyber risk on your firm's value.