Why Law Firms Are Prime Targets for Cyber Attacks

Law firms store privileged client data from dozens of matters across litigation, M&A and regulatory work. They process six- and seven-figure wire transfers through trust accounts with minimal security controls. Attackers treat them as high-value consolidated targets. One breach exposes trade secrets, financial records and personal data for every client the firm represents.

Why Law Firms

Every law firm is a data aggregator. That is not how firms describe themselves but it is how attackers see them. A mid-size firm handling commercial litigation, real estate closings and corporate transactions holds confidential information from hundreds of clients on a single network. Trade secrets sit in discovery databases. Financial records live in trust accounting systems. Personally identifiable information fills intake files. An attacker who breaches one law firm gains access to the sensitive data of every client that firm serves.

The legal industry has been slow to recognize this. A 2025 ABA Cybersecurity TechReport found that only 36 percent of law firms have an incident response plan. Fewer than half use file encryption. The gap between the sensitivity of the data and the security protecting it is wide and getting wider.

Five characteristics make law firms attractive targets:

Concentrated confidential data
A single firm holds privileged communications, litigation strategy documents, draft patent filings, M&A deal terms and client financial records. Breaching a law firm gives an attacker access to the confidential data of every client on the roster. Nation-state actors have targeted firms specifically to obtain pre-public merger information for insider trading.
Trust account wire transfers
Law firms move client money through trust accounts (IOLTA accounts in the US, trust accounts in Canada). Real estate closings routinely involve wire transfers of $500,000 to several million dollars. Settlement disbursements can reach eight figures. These transfers happen on tight timelines with minimal independent verification. Attackers know exactly when and how this money moves.
Low security maturity
Most firms under 100 attorneys do not have a dedicated security professional. IT is often outsourced to a managed service provider whose primary focus is uptime rather than threat detection. Security awareness training is inconsistent. Multi-factor authentication adoption remains below 50 percent at small and mid-size firms according to recent ABA survey data.
Professional obligation culture overrides caution
Lawyers operate under intense deadline pressure. Court filing deadlines are absolute. Deal closings have contractual time constraints. When a partner sends an urgent request to wire settlement funds and the closing is in two hours, the instinct is to act quickly. Attackers exploit this pressure by timing fraudulent requests to coincide with known deadlines.
Client trust creates social engineering leverage
The attorney-client relationship is built on trust and confidentiality. When a client receives an email from their lawyer requesting a wire transfer or document, they are predisposed to comply without questioning it. Attackers who compromise a lawyer's email account inherit that trust relationship with every client in the inbox.

The Breach Numbers

Law firms are not reporting breaches voluntarily. The data we have comes from regulatory filings, court records and industry surveys. What it shows is consistent and concerning.

Law Firm Cyber Security by the Numbers

Metric                                                   Value
Am Law 200 firms reporting a breach (2023-2025)          Over 40%
Law firms with an incident response plan (ABA 2025)      36%
Average cost of a law firm data breach                   $4.7 million
Law firms using full file encryption                     Under 50%
Average ransom demand targeting law firms (2025)         $2.5 million
Percentage of BEC targeting professional services        18% of all BEC incidents

The IBM Cost of a Data Breach Report consistently ranks professional services among the top ten costliest industries for breaches. The reputational damage compounds the financial loss. A law firm that cannot protect its own data will struggle to retain clients who trusted it with theirs.

Common Attack Vectors

Attackers do not need sophisticated exploits to breach a law firm. They need a phishing email and a staff member who clicks it. The two attack types that cause the most damage to law firms are business email compromise and ransomware.

BEC on trust accounts

Business email compromise targeting law firm trust accounts follows a predictable pattern. The attacker compromises an attorney's email account through credential phishing or password reuse. They monitor the inbox for weeks, learning which matters involve wire transfers, which clients are closing deals and who in the firm handles trust account disbursements.

When a real estate closing or settlement disbursement approaches, the attacker sends instructions from the compromised account to the firm's trust accounting team or directly to the client. The wire instructions look legitimate because they come from a legitimate account. The money goes to an account the attacker controls. By the time anyone notices, the funds have been moved offshore.

Trust account BEC is particularly devastating because of the fiduciary obligation. The firm held client money in trust. When that money is stolen through the firm's compromised email, the question of liability falls on the firm. Malpractice carriers are increasingly scrutinizing whether the firm had reasonable security controls in place before paying claims.

Ransomware on case files

Ransomware operators target law firms because the pressure to pay is extreme. A manufacturing company hit with ransomware can shift to manual processes. A law firm with encrypted case files facing a court-imposed discovery deadline in 72 hours has no manual alternative. The files are either accessible or they are not.

Modern ransomware groups add a second layer of pressure through double extortion. They exfiltrate confidential client files before encrypting them. The threat is not just operational disruption but public release of privileged documents. For a firm handling sensitive litigation or regulatory matters, the exposure of client data can be more damaging than the encryption itself.

Groups like ALPHV/BlackCat and LockBit have specifically listed law firms on their leak sites. The message to other firms is clear: pay or your clients' privileged information becomes public.

Ethical Obligations: ABA Model Rule 1.1

Cybersecurity is not optional for lawyers. It is an ethical obligation.

ABA Model Rule 1.1 requires that lawyers provide competent representation. Comment 8 to Rule 1.1, amended in 2012, states that competence includes keeping abreast of "the benefits and risks associated with relevant technology." This is not aspirational language. It is a competence requirement.

ABA Model Rule 1.6 requires that lawyers make "reasonable efforts" to prevent unauthorized disclosure of client information. What constitutes "reasonable efforts" is evolving, but the direction is clear. State bar associations have issued formal ethics opinions confirming that lawyers have a duty to:

  • Understand the security risks of the technology they use
  • Implement reasonable safeguards to protect client data
  • Stay informed about current cyber threats relevant to their practice
  • Notify affected clients promptly when a breach occurs

California State Bar Formal Opinion 2015-193, New York State Bar Association Ethics Opinion 1019 and Florida Bar Advisory Opinion 12-3 all address the intersection of technology competence and ethical practice. The consensus is unambiguous. A lawyer who fails to implement reasonable cybersecurity measures is not meeting the standard of competence the profession requires.

For managing partners, the implication is direct. A firm that suffers a preventable breach faces not only financial and reputational damage but potential bar discipline for failing to meet Rule 1.1 and Rule 1.6 obligations.

What a Law Firm Security Program Needs

Building a security program for a law firm is not the same as building one for a technology company. The priorities are different. The workflows are different. The regulatory obligations are different. A law firm security program must account for the specific ways firms create, store and transmit confidential information.

Trust account wire verification protocol
Every wire transfer from a trust account must go through a verification process that exists outside of email. Dual authorization is mandatory. The person who receives wire instructions should not be the same person who initiates the transfer. Out-of-band verification by phone to a number on file is required for every transaction above a defined threshold.
Email security beyond spam filtering
Credential phishing is the primary entry point for law firm breaches. Standard spam filters are not sufficient. Firms need advanced email security that detects impersonation attempts, flags external emails that spoof internal addresses and quarantines messages with suspicious attachment types. Every user account must have multi-factor authentication enabled.
Endpoint detection and response
Traditional antivirus does not detect modern ransomware until after encryption begins. Endpoint detection and response tools monitor for behavioral indicators of compromise and can isolate an infected workstation before the ransomware spreads to file servers containing case data.
Encrypted backup with tested recovery
Backups are worthless if they cannot be restored under pressure. Firms need encrypted offsite backups that are tested quarterly. The recovery process should be documented step by step. The backup system must be isolated from the production network so that ransomware cannot encrypt both the live data and the backups simultaneously.
Incident response plan with legal-specific scenarios
A generic incident response plan does not account for trust account fraud, court filing deadlines during a ransomware event or the ethical notification obligations under bar rules. The plan must address these scenarios specifically. It should name the individuals responsible for each step and include contact information for the firm's cyber insurance carrier, outside forensic investigators and bar counsel.
Security awareness training for attorneys and staff
Attorneys are high-value phishing targets because their email accounts provide access to client trust and privileged communications. Training must go beyond annual compliance exercises. It should include simulated phishing campaigns, real examples of law firm BEC attempts and specific guidance on verifying wire transfer requests.

Trust Account Wire Fraud: How It Happens

Consider this scenario. It is drawn from patterns we have investigated across multiple engagements. The details are composited to protect client confidentiality but every element has occurred in real cases.

A real estate attorney is handling a commercial property closing. The purchase price is $1.8 million. The buyer's funds are deposited in the firm's trust account. Closing is scheduled for Friday at 2:00 PM. The attorney's email account was compromised three weeks ago through a phishing email that mimicked the firm's document management system login page. The attacker has been reading emails silently and has not sent a single message.

On Thursday afternoon the attacker sends an email from the attorney's actual account to the firm's trust accounting clerk. The email states that the seller's counsel has provided updated wire instructions for the closing proceeds. The new wire details are attached. The email asks the clerk to update the records before the Friday closing.

The clerk processes the update. On Friday the trust account disbursement goes to the attacker's account instead of the seller's counsel. The attacker moves the funds through two intermediary accounts within four hours. By Monday morning, when the seller's counsel calls asking where the funds are, the money is overseas.

The firm now faces a $1.8 million loss from its trust account. The malpractice carrier is reviewing whether the firm had adequate email security. The state bar is evaluating whether the firm met its obligations under trust accounting rules. The client relationship is destroyed. The firm's reputation in the local real estate bar is severely damaged.

Every element of this scenario was preventable. Multi-factor authentication on the attorney's email account would have blocked the initial compromise. An out-of-band verification call before processing the wire change would have revealed the fraud. Dual authorization on trust account transfers would have created a second checkpoint. A 24-hour hold on updated wire instructions would have provided time for the real closing to expose the discrepancy.
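The wire verification protocol described above, run against this closing scenario, as an added example (not Sherlock Forensics' code or tooling): a policy check that refuses a trust account disbursement unless dual authorization, segregation of the instruction receiver from the initiator, the 24-hour hold on changed beneficiary details and the out-of-band callback have all been satisfied. The callback threshold, staff names, account labels and dates are assumed or constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

CALLBACK_THRESHOLD = 10_000.00          # assumed; the page leaves the threshold to the firm
INSTRUCTION_HOLD = timedelta(hours=24)  # changed beneficiary details must age this long


@dataclass
class WireInstructions:
    beneficiary_account: str
    received_at: datetime   # when these instructions reached the firm
    received_by: str        # who received them (by email or otherwise)


@dataclass
class Disbursement:
    amount: float
    instructions: WireInstructions
    initiated_by: str
    approved_by: Optional[str] = None          # independent second authorizer
    callback_to_number_on_file: bool = False   # phone verification to the number on file done?
    account_on_file: Optional[str] = None      # beneficiary recorded in the matter file


def evaluate(d: Disbursement, now: datetime) -> List[str]:
    """Return every control the request fails; an empty list means it may proceed."""
    failures = []
    # Dual authorization: a different person must approve the transfer.
    if not d.approved_by or d.approved_by == d.initiated_by:
        failures.append("dual authorization missing")
    # Segregation: whoever received the instructions must not initiate the wire.
    if d.instructions.received_by == d.initiated_by:
        failures.append("initiator also received the wire instructions")
    changed = d.account_on_file not in (None, d.instructions.beneficiary_account)
    # New beneficiary details sit for 24 hours before they can be used.
    if changed and now - d.instructions.received_at < INSTRUCTION_HOLD:
        failures.append("beneficiary changed inside the 24-hour hold")
    # Out-of-band callback for any large wire or any change of beneficiary.
    if (changed or d.amount > CALLBACK_THRESHOLD) and not d.callback_to_number_on_file:
        failures.append("no callback to the phone number on file")
    return failures


def closing_scenario() -> List[str]:
    """The $1.8M closing: 'updated' instructions Thursday 3:30 PM, wire Friday 2:00 PM."""
    thursday, friday = datetime(2025, 3, 6, 15, 30), datetime(2025, 3, 7, 14, 0)
    request = Disbursement(
        amount=1_800_000.00,
        instructions=WireInstructions("NEW-ACCT-0000", thursday, received_by="clerk"),
        initiated_by="clerk", approved_by="clerk",
        account_on_file="SELLER-COUNSEL-ON-FILE",
    )
    return evaluate(request, now=friday)
```

Each failed control is reported independently, so the clerk and the second authorizer see exactly which step was skipped rather than a single yes/no.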

Where to Start

If your firm does not have a security program, the scope of what needs to be done can feel overwhelming. Do not try to do everything at once. Start with the controls that address the highest-risk scenarios.

  1. Enable MFA on every account. Every email account, every cloud application, every remote access tool. This single control blocks the majority of credential-based attacks. It should be enforced firm-wide with no exceptions for senior partners.
  2. Implement a wire verification protocol. Define the process for verifying trust account wire transfers that exists completely outside of email. Document it. Train every person who touches trust account disbursements. Enforce it without exception regardless of deadline pressure.
  3. Run a tabletop exercise. Sit your attorneys and administrative staff in a room and walk through a trust account BEC scenario. Find out where your process breaks before an attacker does. Sherlock Forensics runs tabletop exercises designed for law firm threat scenarios.
  4. Get a penetration test. Find out what an attacker can see from outside your network before they find it themselves. A penetration test identifies exposed services, weak credentials and misconfigured systems that create entry points.
  5. Establish an incident response retainer. When a breach occurs, the first 48 hours determine the outcome. Having a forensic investigation team already under contract means response begins immediately rather than after days of procurement. An incident response retainer ensures your firm has expert support before you need it.

FAQ

Why are law firms targeted by cyber attackers more than other professional services?

Law firms concentrate high-value confidential data from multiple clients in a single network. They hold trade secrets, merger details, litigation strategy and personally identifiable information. They also process large wire transfers through trust accounts with minimal verification controls. Attackers get access to dozens of clients by breaching one firm. Nation-state actors have specifically targeted law firms to obtain pre-public M&A information for insider trading purposes.

What are the most common cyber attacks against law firms?

Business email compromise targeting trust account wire transfers is the most financially damaging attack. Ransomware is the most operationally disruptive because it encrypts case files and litigation deadlines create extreme pressure to pay. Phishing remains the primary initial access vector for both attack types. Double extortion ransomware adds the threat of publishing privileged client data if the ransom is not paid.

Does ABA Model Rule 1.1 require law firms to have cybersecurity?

Yes. ABA Model Rule 1.1 requires competent representation. Comment 8 explicitly states that lawyers must stay current with the benefits and risks of technology relevant to their practice. Multiple state bar associations have issued ethics opinions confirming that competence includes a duty to implement reasonable cybersecurity measures to protect client data. Firms that suffer preventable breaches face potential bar discipline in addition to financial and reputational damage.
