5 Questions Every Law Firm Should Answer to Prove Cyber Readiness

June 30, 2025
Is Your Law Firm Really Cyber Ready? The Five Questions Every Legal Practice Must Answer

Cybersecurity is no longer optional for law firms. From the confidentiality duty in ABA Model Rule 1.6 to rising cyber insurance requirements, firms must now be able to prove their cybersecurity efforts, not just deploy tools.

Here is the harsh truth: many law firms believe they are secure because they use Managed Detection and Response (MDR). MDR is a detection control. It does not produce the evidence that insurers, clients and regulators ask for, such as a current risk assessment, training records, a tested incident response plan and vendor agreements, and when that proof is requested, many firms cannot deliver it.

Measured against the NIST Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) Controls, and according to the American Bar Association's Legal Technology Survey Reports, law firms consistently fall short in several critical areas. The most common gaps include:

  • Missing or outdated cybersecurity risk assessments
  • Incomplete or undocumented employee training programs
  • No active monitoring for external threats, such as dark web exposure
  • Unproven or nonexistent incident response plans
  • Vendors with access to client data but no formal security agreements

These gaps do not just increase the likelihood of a breach; they also jeopardize compliance with insurance, client, and regulatory expectations.

Real-World Impact from Three Law Firm Cyber Incidents

  • Moses Afonso Ryan (2016–17): A 10-attorney Providence firm reported losing over $700,000 in billings after a ransomware attack shut down its systems for nearly three months. The firm had no incident response plan and no employee training program in place, which prolonged the outage.
  • Campbell Conroy & O’Neil (Feb 2021): This Boston-based firm, which serves Fortune 500 clients such as Apple, ExxonMobil, Pfizer, and Boeing, suffered a ransomware incident that exposed sensitive client and personal data, including Social Security numbers, passport details and financial information. The firm offered 24 months of credit monitoring and fraud protection. It did not disclose any ransom amount, but the fallout included an extensive forensic investigation, regulatory review, and reputational damage.
  • Cadwalader, Wickersham & Taft (Nov 2022 incident, disclosed Apr 2023): After discovering unauthorized remote access to its network, the firm confirmed that the personal data of over 93,000 individuals, including Social Security numbers, had been affected. Those affected were warned of identity theft risk, and the firm had to offer identity protection services.

Takeaway: Ask yourself these five questions:

  • Do we have a current, documented cybersecurity risk assessment?
  • Are all employees trained—and can we prove it?
  • Are we monitoring threats beyond our firewall (like compromised credentials)?
  • Is our incident response plan specific to legal data breaches?
  • Can we prove vendor compliance?

If you cannot confidently answer “yes” to all five, and produce the documentation to back each answer, your firm is likely exposed to regulatory, financial, and reputational risk.

Your best option is to work with an experienced cybersecurity consultant and service provider. We suggest you take this Cybersecurity Assessment for Law Firms, then talk with a Guardian cybersecurity expert who can help you understand your current posture and what you need to protect your clients, your data, and your reputation.