Vol. III · No. 128 Independent LegalTech Analysis Wednesday, June 17, 2026

The Legal Stack

The Cybersecurity Checklist Every Law Firm Needs in 2026

Law firms are the softest targets in professional services. You hold privileged communications, M&A deal terms, litigation strategy, and client financial data — and you're disproportionately staffed by people who believe clicking "unsubscribe" on a phishing email is fine. The American Bar Association's 2024 Legal Technology Survey reported that 29% of respondent firms had experienced a security breach at some point. That number almost certainly undercounts reality, because many firms still don't know when they've been compromised.

The threat landscape in 2026 is not abstract. It is specific, targeted, and increasingly automated. Here's what you actually need to do about it.


The Threats Specifically Targeting Legal Practices

Ransomware gangs have stopped spraying attacks broadly. They now conduct reconnaissance before deployment. When Campbell Conroy & O'Neil — a firm representing Ford, Pfizer, and Exxon — was hit by ransomware in 2021, attackers had almost certainly been inside the network for weeks. That playbook has matured considerably since. Modern threat actors use AI-assisted spear phishing to impersonate managing partners, opposing counsel, and even judges. They study your firm's public filings, LinkedIn profiles, and website attorney bios before they send a single email.

Business Email Compromise (BEC) remains the highest-dollar threat to legal practices. The FBI's Internet Crime Complaint Center reported $2.9 billion in BEC losses across industries in 2023. Law firms are prime targets because wire transfers are routine, time pressure is constant, and a paralegal redirecting escrow funds isn't inherently suspicious. The attack vector is almost always a spoofed or compromised email account, and the window between instruction and irrevocable wire transfer is often under four hours.

Insider threats are underreported and underappreciated. Lateral moves between firms create data exfiltration risk. A departing associate downloading client files to personal cloud storage is not a hypothetical — it's a documented pattern that generated litigation in cases like Aon Risk Services v. Alliant Insurance Services and numerous subsequent matters. Your DLP (data loss prevention) controls matter as much as your perimeter defenses.

Finally, third-party vendor risk is now a front-door problem. The 2023 MOVEit vulnerability compromised hundreds of organizations, including legal sector entities that used the file transfer platform. If your e-discovery vendor, court reporting service, or document management SaaS provider gets hit, your client data goes with it.


The Minimum Controls You Need Running Right Now

These are not aspirational. These are table stakes.

Multi-Factor Authentication on everything. Every email account, every practice management platform, every remote access point. SMS-based MFA is better than nothing but should be replaced with authenticator apps or hardware tokens where possible. The SolarWinds breach demonstrated that sophisticated actors can work around SMS MFA through SIM-swapping. Use FIDO2 hardware keys for your most privileged users.

Endpoint Detection and Response (EDR), not just antivirus. Traditional signature-based antivirus is functionally obsolete against modern threats. EDR tools like CrowdStrike Falcon or Microsoft Defender for Endpoint provide behavioral monitoring that can catch attackers moving laterally even after initial compromise.

Email filtering with anti-spoofing protocols. SPF, DKIM, and DMARC should be configured and enforced on your domain. If they aren't, someone can send email that appears to come from your firm. This is not a 2026 edge case — it is a fundamental hygiene requirement that many mid-size firms still haven't completed.
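To make the SPF and DMARC requirement concrete, here is an added Python example (not from the article) that scores a domain's published SPF and DMARC TXT records for the weak settings that still allow spoofing: a DMARC policy of p=none or p=quarantine, an SPF record ending in ~all or +all, a missing aggregate-report address, and more than the ten DNS lookups SPF permits. The sample records are constructed; in practice you would pass in the TXT records fetched for your domain and for _dmarc.yourdomain.

```python
"""Score published SPF and DMARC records for enforcement strength. Sample records
are constructed; a real check fetches TXT for <domain> and _dmarc.<domain>."""
import re
from typing import List, Optional

# Constructed sample records (.invalid and example.com are reserved names).
WEAK_SPF = "v=spf1 include:_spf.mailer-one.invalid include:relay.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer-one.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
WEAK_ALL = {
    "all": "SPF ends in '+all': every host on the internet is authorized",
    "?all": "SPF ends in '?all': neutral result, no enforcement",
    "~all": "SPF ends in '~all': softfail only; relies on DMARC to reject spoofed mail",
}
WEAK_POLICY = {
    "none": "DMARC p=none: monitoring only, spoofed mail is still delivered",
    "quarantine": "DMARC p=quarantine: spoofed mail goes to spam instead of being rejected",
}

def assess_spf(record: Optional[str]) -> List[str]:
    """Return findings for an SPF record; an empty list means it enforces."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send for you"]
    terms = record.split()
    final = terms[-1].lower().lstrip("+")  # '+' is the default qualifier
    findings = [WEAK_ALL[final]] if final in WEAK_ALL else []
    # Counts only this record's own lookups; nested include: records add more.
    lookups = sum(1 for t in terms
                  if re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluates to permerror")
    return findings

def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return findings for a DMARC record; empty means p=reject with reporting."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: mail failing SPF/DKIM alignment is still delivered"]
    tags = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in record.split(";")) if k.strip()}
    policy = tags.get("p", "none").lower()
    findings = [WEAK_POLICY[policy]] if policy in WEAK_POLICY else []
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, no visibility")
    return findings
```

Run `assess_spf` and `assess_dmarc` on the weak and strong samples side by side: the weak pair produces findings, the strong pair produces none.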

Privileged Access Management. Not every attorney needs admin rights. Segment access by role, enforce least-privilege principles, and audit privileged account usage quarterly.

Encrypted backups, tested regularly. Offline, encrypted backups stored separately from your primary network are the only reliable defense against ransomware, because they make recovery possible without paying. Test your restoration process at least twice a year. Backups you've never restored are a guess, not a guarantee.

Incident Response Plan, documented and rehearsed. I'll return to this below.


What Clients Are Now Demanding

Sophisticated clients — particularly financial institutions, healthcare systems, and publicly traded companies — are no longer satisfied with a checkbox on a vendor questionnaire. Expect to receive detailed cybersecurity assessments as part of outside counsel approval processes. JPMorgan Chase's outside counsel guidelines, amended in recent years, require explicit cybersecurity representations and the right to audit. Blackstone, Microsoft, and numerous other major clients have issued similar demands.

The New York Department of Financial Services' Part 500 cybersecurity regulation — which has been expanded in scope since its 2017 passage and now covers a broader set of covered entities and their service providers — gives you a working template for what sophisticated clients expect. Annual penetration testing, documented policies, a designated CISO or equivalent, and breach notification within 72 hours are baseline requirements under that framework. If you represent financial sector clients in New York, you may already be subject to these rules indirectly.

The ABA Model Rules, specifically Rules 1.1 (competence) and 1.6 (confidentiality), have been interpreted by state bars to impose affirmative cybersecurity obligations on counsel. The comment to Rule 1.6 explicitly references the duty to make reasonable efforts to prevent unauthorized disclosure. "Reasonable" in 2026 means substantially more than it did in 2016.


How to Respond When the Breach Happens

Assume it will. The firms that weather breaches well are the ones that prepared before the event.

Your first call is not to IT. It is to outside counsel — retained specifically to manage breach response — to establish privilege over the investigation. The work product generated by your forensic investigators should flow through counsel. This is not obstruction; it's the framework that In re Target Corp. Customer Data Security Breach Litigation helped establish and that regulators have generally accepted.

Simultaneously, engage a qualified forensic firm to isolate affected systems and preserve evidence. Do not let your internal IT team attempt remediation before forensic imaging. Evidence destruction, even inadvertent, creates regulatory and litigation exposure.

Notification obligations under state breach notification laws — all 50 states now have them — vary by data type, residency of affected individuals, and timeline. Forty-eight states require notification within 30 to 90 days of discovery. Some, including Florida and Colorado, impose stricter timelines. Identify which states' residents are affected and work through notification sequencing with counsel.


The Bottom Line

Cybersecurity is no longer an IT budget line. It is a professional responsibility issue, a client retention issue, and increasingly, a liability issue. The firms that treat it as a compliance exercise will eventually face the firms that treated it as a practice management imperative — in court, in a bar complaint, or in a client termination letter. The checklist above isn't comprehensive. But every item on it is something you should be able to confirm is operational before you finish reading this sentence.

If you can't, start there.