Cybersecurity for Law Firms: From Ethical Duty to Existential Risk

Lawyers trade on trust. That trust is undermined when a cyber incident exposes privileged communications, deal documents, or clients’ personal information. The reputational damage lingers long after forensics teams leave and systems are restored, with search results and court filings memorializing the breach for prospective clients to see.

By CyLogic Team | January 3, 2025


The profession’s own surveys tell a sobering story: in the American Bar Association’s most recent cybersecurity analysis, 29% of firms reported experiencing a security breach, and another 19% said they did not know whether they had been breached. Larger firms were most likely to be in the dark, with “don’t know” rates reaching 60% in organizations of 500 lawyers or more (source: American Bar Association).

Clients are asking tougher questions. In the ABA’s survey, requests to complete security questionnaires or provide security documentation are now routine for mid-size and large firms.

Sophisticated clients are not waiting for regulators to set the floor. Half of firms with more than 100 lawyers reported receiving requests for security requirement documents, and nearly as many mid-sized firms are being asked to complete detailed security questionnaires. Meanwhile, far fewer clients request full security audits, suggesting that questionnaires and attestations remain the common screening tool.

The threat profile has shifted as well. Ransomware groups and supply-chain attackers now treat law firms as pivotal access points to valuable, nonpublic information. In late 2023, LockBit claimed responsibility for breaching Allen & Overy, placing the London-based firm on its leak site before law enforcement’s 2024 disruption of the ransomware syndicate. Australia’s HWL Ebsworth saw sensitive data taken and published by the ALPHV/BlackCat group, ultimately affecting scores of government entities. And in the United States, Kirkland & Ellis was named in multidistrict litigation tied to the MOVEit file-transfer exploit, a supply-chain breach that swept up hundreds of organizations. These cases are different in their details but identical in their lesson: the sector remains a high-value target.

The new normal: supply-chain exposure and extortion. Attackers increasingly come through vendors and shared tools, then monetize by leaking snippets of sensitive data to force payment.

Phishing still sits at the top of most firms’ threat lists, aided by business-email compromise schemes that mimic clients, counterparties, and even court notices. Recent industry polling of legal IT leaders again ranked phishing as the leading threat vector for firms, even as many continue to underinvest in immutable backups and incident playbooks. The picture is consistent with broader enterprise research: the average cost of a breach climbed to $4.88 million in 2024, and third-party compromises accounted for roughly a third of known incidents.

Confidentiality at Stake: What Typically Leaks

When firms are hit, the data rarely fits in one bucket. Personal identifiers can be paired with legal matter details, tax records, or health information. Deal rooms may contain internal projections, credit-worthiness files, or diligence reports. Merger and acquisition materials can be particularly damaging, enabling illicit trading or sabotaging transactions. Discovery repositories often hold sensitive productions and attorney-client communications; once exfiltrated, they become leverage for extortion. Intellectual property—patents, trade secrets, licensing negotiations—can also be swept up, eroding a client’s competitive standing if copied or posted. The blend of personal data and market-moving information is precisely why law firms remain attractive targets.

Treat every matter workspace like a vault. Segment access, log aggressively, and assume anything uploaded could be exfiltrated.

Where Firms Are Most Vulnerable

The profession’s weak spots are no longer mysteries. Email impersonation and credential theft open the door to wire fraud, file theft, and lateral movement. Legacy systems persist in many practices, especially those that have grown through merger and carry overlapping document systems and aging endpoints. Third-party risk is now a first-order concern: as MOVEit showed, a single vulnerable file-transfer tool can become an attack path into hundreds of organizations, including outside counsel. And access control remains uneven, with privileged accounts and remote entry points often under-monitored. Each of these dynamics raises both breach risk and incident complexity.

Compliance Is Tightening

The ethical baseline has been clear for years. ABA Formal Opinions 477R and 483 require lawyers to use reasonable safeguards when transmitting client information and to notify clients appropriately after a data breach, while Opinion 482 emphasizes preparedness and continuity when disasters—including cyber incidents—strike. Firms that treat these as check-the-box exercises risk missing what clients and insurers now expect: documented security programs, tested incident response plans, and real evidence of controls in daily use.

Regulators have also raised the floor. The SEC’s cybersecurity disclosure rule—effective December 18, 2023—requires public companies to report material incidents within four business days and to describe risk management and governance annually. While many firms are not registrants, their public-company clients are, which in practice pulls outside counsel into tighter timelines, more rigorous vendor assessments, and paper trails that hold up under scrutiny. New state privacy laws, including Texas’s Data Privacy and Security Act effective July 1, 2024, expand consumer rights and impose duties on businesses handling personal data, again shaping what clients expect of their legal vendors. And NIST’s Cybersecurity Framework 2.0, released in 2024, provides a modern reference for governance and supply-chain risk that clients increasingly cite.

Practical implication: even if your firm isn’t directly regulated, your clients are. Their regulators will drive what they demand from you.

What To Do Now

For leadership, the essential steps are less about buying tools than about running the practice like a critical infrastructure operator. Start by mapping where client data actually lives, who can touch it, and which vendors process it. Align your policies and controls to a recognized framework (NIST CSF 2.0 is the current standard) and test the plan with tabletop exercises that include outside responders and insurers. Make phishing and business-email-compromise drills routine, update playbooks for rapid client notification, and insist on immutable, tested backups. Treat vendor governance as a standing program, not an annual questionnaire. Each of these actions reduces the odds that your firm becomes the next headline—and, if it does, limits the damage.

Headline Hacks: Recent Cases That Changed the Conversation

Allen & Overy’s LockBit incident in November 2023 signaled that even elite global practices are within reach of modern extortion crews. Australia’s HWL Ebsworth breach demonstrated how a single law-firm intrusion can ripple across government agencies. And the MOVEit litigation naming Kirkland & Ellis underscored that a software supplier’s vulnerability can land outside counsel in court. Together, they have made cybersecurity a board-level topic inside law firms, not merely an IT line item.

The message from law enforcement is blunt: ransomware groups are priority targets. LockBit’s 2024 takedown offers relief, not amnesty; copycats remain active.

Reputation Matters, and Prepared Firms Fare Better

Firms that invest in governance, training, and rehearsed response protect more than data; they protect the client relationships that sustain their businesses. That is the point of the ABA’s guidance and the thrust of recent regulations: transparency, readiness, and credible controls. Clients increasingly expect nothing less.

---

CyLogic understands the operational and regulatory pressures behind those expectations. FedRAMP-aligned controls, continuous monitoring, and disciplined vendor management are not marketing taglines; they are the practical foundations for keeping client data safe in an era of cascading supply-chain risk. If your firm is reassessing its posture, our team can walk through a concrete program—policy, controls, and incident readiness—that matches how law practices actually work.
