Lexon Cyber Protocol vs SMB1001 (Level 3+) – Ensuring QLD Law Firms Stay Secure

Author: BITS Team
Published: 06/01/2026
Reading Time: 6 minutes

In Queensland, law firms are now expected to meet stringent cyber security benchmarks that safeguard client data and uphold professional obligations. As digital threats escalate, two frameworks, Lexon Cyber Protocol and SMB1001 (Level 3+), have emerged as the leading cyber security standards for Queensland’s legal sector.

While Lexon’s insurer-mandated protocol targets immediate cyber risks such as email fraud, SMB1001 delivers a scalable framework for comprehensive governance and security maturity. Understanding how these two align, and where they differ, is key for every Queensland law firm seeking both compliance and confidence.

Understanding the Cyber Security Standards for Qld Law Firms

The Lexon Cyber Protocol, issued by Lexon Insurance for insured Queensland legal practices, was designed to reduce cyber-related claims, particularly those involving payment redirection fraud and compromised email accounts. It mandates multi-factor authentication (MFA), strong password policies, and a ‘Verify by Phone’ procedure before processing trust account transfers exceeding $10,000.

By contrast, the SMB1001:2026 standard, endorsed by the Queensland Law Society (QLS), sets out a tiered approach to cyber security maturity. Level 3+ (Gold) certification ensures firms meet advanced benchmarks across access control, data protection, threat detection, and incident response. In essence, Lexon focuses on baseline risk prevention, while SMB1001 expands this into a governance-led model that encompasses continuous monitoring and resilience planning.

Together, these standards create a unified roadmap: Lexon defines the minimum, while SMB1001 establishes the model for excellence in legal cyber security.


Lexon Cyber Protocol vs SMB1001: Key Control Comparison

Both frameworks share overlapping principles but differ in depth and scope. Below are their most critical areas of comparison:

1. Access and Authentication

Lexon enforces strong passwords and mandatory MFA for remote access to critical systems. However, SMB1001 Level 3+ builds on this with strict identity management, requiring firms to implement enterprise password managers, single sign-on, and phishing-resistant MFA (such as FIDO2 tokens).

For example, a fully compliant SMB1001 environment mandates no shared credentials, granular access rights, and automated credential rotation schedules.

2. Baseline System Security

Lexon assumes firms maintain up-to-date antivirus, firewalls, and patching routines, but does not explicitly list them as requirements. SMB1001, however, codifies these controls, including managed firewalls, TLS encryption, endpoint protection, and automatic patching. It also requires regular vulnerability scanning for internet-facing systems.

Law firms certified at Level 3+ must be able to demonstrate not only protection but continuous verification of their defences.

3. Advanced Threat Detection

Lexon’s framework is primarily preventive, lacking technical requirements for continuous monitoring or incident detection. In contrast, SMB1001 Level 3 introduces Endpoint Detection and Response, and higher tiers require Managed Detection and Response (MDR), 24/7 monitoring, and penetration testing.

For firms managing sensitive financial transactions or client data, this layer of real-time threat intelligence represents the difference between prevention and resilience.

4. Payment Fraud Controls

Lexon’s ‘Verify by Phone’ step remains one of the most effective measures against trust account fraud. However, SMB1001 formalises anti-fraud practices into policy, requiring dual payment approvals, written invoice verification procedures, and email security protocols like SPF, DKIM, and DMARC to block impersonation attempts.

This structured approach enables firms to move beyond reactive verification and into a proactive framework for fraud prevention.

5. Data Backup and Recovery

Lexon encourages preparation but provides no explicit backup frequency. SMB1001 specifies a 3-2-1 backup strategy, requiring offline storage, weekly (ideally daily) backups, and annual recovery testing. By Level 3, firms must also have a written incident response plan and cyber insurance coverage.

This ensures firms can both withstand and recover from cyber incidents—a crucial distinction for operational continuity.

Lexon Cyber Protocol vs SMB1001 (Level 3+)

Columns: Lexon = Lexon Cyber Protocol (Dec 2024); SMB1001 = SMB1001 (Level 3+), QLS Endorsed.

Purpose & Origin
  Lexon: Mandated by Lexon Insurance for insured QLD law firms; focused on reducing claims from payment fraud and email compromise.
  SMB1001: Developed by the Queensland Law Society (QLS) as a tiered cybersecurity maturity framework for SMBs, including law firms.

Focus Area
  Lexon: Preventive controls (e.g., strong passwords + MFA + “Verify by Phone” for fund transfers).
  SMB1001: Comprehensive governance framework covering prevention, detection, response and resilience.

Access & Authentication
  Lexon: Strong password policy and mandatory MFA for remote access.
  SMB1001: Enforces strict identity security, enterprise password managers, phishing-resistant MFA (e.g., FIDO2 tokens).

System Security Controls
  Lexon: Implied expectation to use antivirus, firewalls, and patching (unspecified).
  SMB1001: Explicit requirement for managed firewalls, anti-malware, automatic patching, and TLS encryption.

Threat Detection
  Lexon: Preventive focus only; no mandate for monitoring or EDR.
  SMB1001: EDR required (Level 3); MDR and 24/7 SOC recommended (Level 4+).

Payment Fraud Prevention
  Lexon: Mandatory “Verify by Phone” for transactions > $10k or bank detail changes; client advisory notices required.
  SMB1001: Policy-based controls: dual approvals, invoice verification processes, and email domain protections (SPF, DKIM, DMARC).

Data Backup & Recovery
  Lexon: Encouraged (but not explicitly defined); no frequency stated.
  SMB1001: Mandates 3-2-1 backup strategy, weekly backups, 6-month retention minimum, annual recovery testing.

Incident Response
  Lexon: Implicit; report breaches to Lexon.
  SMB1001: Written incident response plan required (Level 3+); regular drills and cyber insurance recommended.

Certification Level
  Lexon: Not certifiable; compliance is part of insurance eligibility.
  SMB1001: Level 3 “Gold” Certification recognised by QLS as proof of cyber resilience.

Core Objective
  Lexon: Reduce trust account fraud and basic cyber claims through mandatory controls.
  SMB1001: Build long-term cyber governance and resilience across people, processes, and technology.

Why Compliance Alignment Matters for Queensland Law Firms

Lexon’s Cyber Protocol and SMB1001 are not competing frameworks; they’re complementary pathways to better security. Lexon’s controls target the most frequent and financially damaging threats seen in real claims data, particularly fraudulent trust transfers and compromised email threads.

Meanwhile, SMB1001 offers a comprehensive governance model that meets the expectations of ‘reasonable steps’ from insurers, regulators, and the QLS. Law firms that align with both can demonstrate a higher standard of due diligence, reducing exposure to professional indemnity claims while meeting client expectations for digital trust.

With the QLS now promoting SMB1001 as the recommended benchmark for legal cyber security, compliance is fast becoming a professional obligation rather than an option.

Achieving Lexon and SMB1001 Compliance Through Managed Security Services

For many firms, implementing SMB1001 Level 3+ alongside Lexon controls can seem resource-intensive. However, managed security service providers (MSSPs) specialising in the legal sector make compliance achievable through integrated support.

A mature MSSP approach includes:

  • Centralised identity and access management
  • Automated patching and vulnerability remediation
  • 24/7 security operations and real-time monitoring
  • Advanced anti-phishing and fraud prevention
  • Documented incident response and recovery testing

This managed model ensures that both Lexon’s preventative requirements and SMB1001’s maturity benchmarks are fully addressed, without requiring in-house security expertise.

Building a Gold-Standard Cyber Defence for Queensland Law Firms

The ultimate goal for Queensland law firms should be alignment with SMB1001 Level 3 “Gold” certification, which inherently meets and surpasses Lexon’s baseline controls. Firms achieving this standard can:

  • Prove compliance to insurers and regulators
  • Reduce cyber insurance premiums and claim risk
  • Improve client trust and professional reputation
  • Strengthen resilience against evolving threats

As outlined in the Comparing Lexon Cyber Controls + SMB1001 report, this integrated approach not only protects against immediate cyber risks but also demonstrates leadership in cyber resilience within the legal community.


Conclusion

For Queensland law firms, meeting Lexon’s Cyber Protocol is a baseline necessity, but achieving SMB1001 Level 3+ elevates security maturity to an enterprise-grade level. Firms that adopt both standards can confidently demonstrate they are ‘cyber safe by design,’ thereby satisfying the expectations of insurers, clients, and regulators.

By adopting a proactive cyber security framework supported by managed services, legal practices can protect sensitive data, ensure business continuity, and demonstrate tangible leadership in compliance across the sector.

Partner with a Cyber Security Provider Well-Known in the Field

Protecting your law firm’s data and reputation requires more than minimum compliance. Partner with a cyber security provider that understands the alignment between Lexon and SMB1001 from both technical and legal risk perspectives.

BITS has a proven track record of assisting Queensland firms in implementing identity management, continuous monitoring, and data protection solutions that exceed insurer standards. Our MSP provides peace of mind, ensuring that your systems, clients, and obligations are fully secured.

Contact BITS to discuss how to achieve Lexon and SMB1001 compliance for your firm today.
