Valtik Studios
Legal · ABA 477R · Client Confidentiality

Cybersecurity for Law Firms

Client portal security, document management system testing, email security, ABA 477R compliance, and support for responding to client security questionnaires. Engagements are scoped and conducted with attorney-client privilege in mind.

Law firms hold everything valuable about their clients

Pending litigation strategy. M&A deal structures. IP filings. Financial records. Trade secrets. Personal information about executives, beneficiaries, and parties in family law and estate matters. A law firm breach is a breach across every client simultaneously, and the reputational damage is existential.

ABA Formal Opinion 477R requires "reasonable efforts" to protect client confidential information. State bar associations have adopted similar requirements. Client questionnaires — especially from public companies, financial institutions, and private equity firms — now request specific security attestations including MFA, encryption, and independent penetration testing.

Notable law firm incidents: the Mossack Fonseca breach (the 2016 Panama Papers leak), breaches at multiple international firms, Chicago-area BigLaw ransomware events, and sophisticated spear-phishing campaigns targeting M&A practices. Law firms are attacked for the client information they hold, not for their own operations.

What we cover for law firms

Client portal security

Document exchange portals, secure messaging platforms, client extranets, and billing portals. Common findings: IDOR vulnerabilities exposing cross-client documents, weak MFA enforcement, session management flaws, and insufficient audit logging.

Document management system testing

iManage, NetDocuments, Worldox, SharePoint, custom DMS platforms. We test access controls, matter-based permissions, ethical wall enforcement, and audit trail integrity. Especially critical for firms that act in conflicting matters and must maintain strict information barriers between the teams involved.
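As an added illustration (this is not Valtik's code and not the access model of any real DMS), the two findings above, an IDOR in a client portal and missing ethical wall enforcement in a DMS, side by side with a hardened lookup. The matters, users, documents and wall list are constructed for the example, and every function and name is this example's own assumption. The hardened version performs object-level authorization on every request, returns the same error for "does not exist", "not on the team" and "walled", so a caller cannot enumerate which documents exist, and records the real reason in the audit log.

```python
"""Added example (not Valtik's code): matter-scoped document authorization.

`get_document_vulnerable` is the IDOR pattern: any authenticated user who
guesses an id receives another client's document. `get_document` requires
the caller to be on the matter team and not screened from it by an ethical
wall. All data below is constructed (hypothetical clients, matters, users).
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised for missing, walled, and unauthorized documents alike."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    matter_id: str
    title: str


@dataclass
class Matter:
    matter_id: str
    client: str
    team: set = field(default_factory=set)  # usernames allowed on the matter


# Constructed sample data. alice is on both matter teams but is walled off
# from M-1002 because of a conflict, which is the case the check must catch.
MATTERS = {
    "M-1001": Matter("M-1001", "Acme Corp", {"alice", "bob"}),
    "M-1002": Matter("M-1002", "Beta LLC", {"carol", "alice"}),
}
DOCUMENTS = {
    1: Document(1, "M-1001", "Acme deal structure memo"),
    2: Document(2, "M-1002", "Beta litigation strategy"),
}
ETHICAL_WALLS = {"M-1002": {"alice"}}  # matter -> users screened from it

AUDIT_LOG: list = []


def _audit(user: str, doc_id: int, outcome: str, reason: str) -> None:
    """Every decision is logged with the real reason, even when the caller
    only sees a generic error."""
    AUDIT_LOG.append(
        {"user": user, "doc_id": doc_id, "outcome": outcome, "reason": reason}
    )


def get_document_vulnerable(doc_id: int) -> Document:
    """IDOR: the id alone selects the record; no ownership check at all."""
    return DOCUMENTS[doc_id]


def get_document(user: str, doc_id: int) -> Document:
    """Hardened lookup: object-level authorization on each request."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        _audit(user, doc_id, "denied", "no such document")
        raise AccessDenied("document not found")
    matter = MATTERS[doc.matter_id]
    # Wall check comes first: a walled user is refused even if on the team.
    if user in ETHICAL_WALLS.get(matter.matter_id, set()):
        _audit(user, doc_id, "denied", "ethical wall")
        raise AccessDenied("document not found")
    if user not in matter.team:
        _audit(user, doc_id, "denied", "not on matter team")
        raise AccessDenied("document not found")
    _audit(user, doc_id, "allowed", "matter team")
    return doc


def idor_probe(user: str, ids: range) -> list:
    """What a tester does against the hardened endpoint: iterate ids as one
    user and return the ones that were served."""
    served = []
    for i in ids:
        try:
            get_document(user, i)
            served.append(i)
        except AccessDenied:
            pass
    return served


if __name__ == "__main__":
    print("vulnerable:", get_document_vulnerable(2).title)  # any user gets Beta's file
    print("alice sees:", idor_probe("alice", range(1, 4)))   # [1]; walled from 2
    print("carol sees:", idor_probe("carol", range(1, 4)))   # [2]
    for entry in AUDIT_LOG:
        print(entry)
```

The same probe run against the vulnerable function would list every id in the range, which is the cross-client exposure the finding describes; the audit entries with reason "ethical wall" are what an audit trail integrity test looks for.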

Email security

Law firms are primary targets for business email compromise. We audit SPF, DKIM, and DMARC configuration, evaluate phishing defenses, and test for the specific impersonation patterns aimed at matter-related communications: fake opposing counsel, fake client wire instructions, and partner impersonation used to push fraudulent wire requests.
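As an added example of the SPF and DMARC part of that audit (this is not Valtik's tooling), a small grader for the two TXT records. In practice the record strings come from `dig TXT example.com` and `dig TXT _dmarc.example.com`; the ones in the block are constructed, and the function names and finding text are this example's own. It flags the settings that let spoofed partner or opposing-counsel mail through: a permissive or missing `all` in SPF, `p=none` or a partial `pct` in DMARC, an unprotected subdomain policy, and the absence of aggregate reporting.

```python
"""Added example (not Valtik's code): grading SPF and DMARC TXT records.

Input records are plain strings as returned by a DNS TXT lookup. Sample
records below are constructed for the example.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(:|/|=|$)", re.I)


def assess_spf(record: str) -> list:
    """Return a list of findings for an SPF record; empty means no weak setting."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    mechanisms = terms[1:]
    all_terms = [t for t in mechanisms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neutral, spoofing passes")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # default qualifier is pass
        if qualifier == "+":
            findings.append("'+all': every host on the internet passes SPF")
        elif qualifier == "?":
            findings.append("'?all': neutral result, equivalent to no policy")
        elif qualifier == "~":
            findings.append("'~all': softfail only; pair with DMARC p=reject or p=quarantine")
    lookups = sum(1 for t in mechanisms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the RFC 7208 limit of 10: permerror")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in mechanisms):
        findings.append("'ptr' mechanism is deprecated and unreliable")
    return findings


def assess_dmarc(record: str) -> list:
    """Return a list of findings for a DMARC record; empty means no weak setting."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, spoofing attempts go unseen")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains unprotected despite the parent policy")
    return findings


if __name__ == "__main__":
    # Constructed records for a hypothetical firm domain.
    samples = {
        "weak spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "open spf": "v=spf1 +all",
        "good spf": "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all",
        "weak dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "good dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    }
    for label, rec in samples.items():
        grader = assess_spf if "spf" in label else assess_dmarc
        print(f"{label}: {grader(rec) or 'OK'}")
```

A firm can pass this check and still be exposed through a lookalike domain or a display-name spoof, which is why the impersonation-pattern testing above is done in addition to the record audit rather than instead of it.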

Network and endpoint security

Workstation hardening, EDR deployment, privileged access management for IT staff, VPN security, and the legacy-but-still-common issue of local admin rights on lawyer laptops.

Mobile and BYOD

Most lawyers access confidential information from mobile devices. MDM deployment, containerized access, and policy around personal device usage. The question is not whether personal devices access confidential information; it is how they are controlled when they do.

Incident response

Every law firm needs a documented incident response plan, tested annually. The time to develop it is not during the incident. We facilitate tabletop exercises and produce documented IR runbooks for law firm scenarios specifically (ransomware, BEC, data theft by a departing attorney).

Client questionnaire responses

Sophisticated corporate clients send detailed security questionnaires before engaging counsel. Questions cover MFA, encryption, background checks, penetration testing, data retention, breach notification, and cloud provider security. Our engagements produce the documentation you need to answer these questionnaires accurately and defensibly.

Cyber insurance for law firms

Cyber insurance premiums for law firms have escalated 50-200% over the last three years. Carriers require specific controls (MFA everywhere, EDR, offline backups, incident response plan) as a condition of coverage. A Valtik assessment identifies the controls needed to qualify for favorable renewal terms.

Services for legal clients

  • SOC 2 Readiness — for LegalTech SaaS serving law firms
  • ABA 477R compliance assessments
  • Client portal and document management penetration testing
  • Incident response retainer and tabletop facilitation
  • Client security questionnaire response support
  • Cyber insurance application and renewal support

Ready to start?

Free website security check — no obligation, no sales pitch. Delivered as a plain-English findings report in 48 hours.

Request Free Check