The Law Firm Cybersecurity Audit: What to Check Before Your Clients Ask You To
Your clients are already asking. If they haven't asked you yet, they're about to.
General counsel at Fortune 500 companies now routinely issue third-party vendor security questionnaires before signing engagement letters. Insurance carriers underwriting cyber policies want evidence of your controls before they'll quote you a premium. And increasingly, state bars are treating cybersecurity failures not as unfortunate incidents but as ethics violations — the New York State Bar Association's ethics opinions have been evolving steadily in this direction, and ABA Formal Opinion 477R established years ago that lawyers must make "reasonable efforts" to prevent unauthorized access to client information. The question in 2026 is no longer whether your firm needs a cybersecurity audit. It's whether you want to discover your vulnerabilities on your own terms or on opposing counsel's.
Law firms are extraordinarily attractive targets. You hold privileged communications, financial records, M&A intelligence, and litigation strategy — often for dozens of clients simultaneously. The 2020 ransomware attack on Grubman Shire Meiselas & Sacks, which exposed celebrity client data and resulted in reported demands exceeding $40 million, was not an anomaly. It was a preview. Smaller firms have since learned that the attackers don't care about your headcount.
Here is what a serious internal audit should cover.
Endpoint Security: Your Laptops Are the Front Door
Start with the obvious and unglamorous. Every device that touches client data — laptops, mobile phones, home workstations used by remote associates — should have endpoint detection and response (EDR) software installed, not just legacy antivirus. There is a meaningful difference. EDR tools like CrowdStrike Falcon or Microsoft Defender for Endpoint provide behavioral monitoring that catches threats antivirus misses.
Audit questions to ask right now: Which devices are enrolled in your mobile device management (MDM) system? Do you have a full inventory? Are firmware and OS updates enforced, or merely recommended? Is full-disk encryption enabled on every machine — not just firm-issued devices, but the personal laptop your senior partner uses to review documents from the airport?
Multi-factor authentication deserves its own line item because it remains the single highest-return security control available. If your firm is not enforcing MFA on every external-facing system — email, document management, client portals, billing software — you are operating below the current standard of care. Period.
Vendor Risk: You Are Only as Secure as Your Weakest Integration
The 2020 SolarWinds compromise was a masterclass in supply chain attacks. Your firm's exposure to third-party vendors is almost certainly broader than you've mapped. Legal technology stacks in 2026 routinely include e-discovery platforms, document management systems, client intake tools, billing software, e-signature services, and cloud storage providers. Each integration is a potential attack surface.
A basic vendor risk audit should answer three questions for every material vendor: Where does our client data go when it enters this system? What are this vendor's own security certifications — SOC 2 Type II, ISO 27001? And what does our contract say about breach notification timelines and liability?
Pay particular attention to legal research and AI-assisted drafting tools that have been integrated hastily over the past two years. The rush to adopt generative AI in legal practice has outpaced the contractual due diligence. Some of these tools have data retention and training policies that are incompatible with attorney-client privilege. Read the terms of service. Then read them again.
Client Portal Vulnerabilities: The Weakest Link Has a Login Screen
Client-facing portals are where security theater meets real risk. Many firms stood up portal solutions during the pandemic without adequate security review, and those implementations have aged poorly. Common problems include shared login credentials across client teams, no session timeout enforcement, document links that don't expire, and portals hosted on subdomains that haven't been updated since the original deployment.
Commission a penetration test of your portal. This doesn't require a six-figure engagement — a focused external pen test on your client-facing infrastructure can be scoped to a reasonable cost. What you're looking for: authentication bypass vulnerabilities, insecure direct object references (which allow authenticated users to access other clients' documents by manipulating URLs), and misconfigured permissions.
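To make the IDOR finding concrete for whoever reviews your portal code, here is an added example (not the article's code and not any portal vendor's): a document lookup that trusts the id in the URL, beside a hardened lookup that enforces a session idle timeout and checks that the document belongs to the requesting client, plus document links that expire and are bound to their id and client by an HMAC. The document store, session records, signing key and 15-minute idle limit are constructed sample values.

```python
"""Client-portal document access: the IDOR pattern beside its hardened form,
plus expiring, tamper-evident document links and session idle timeouts.

Added example (not from the article or any vendor). The document store, sessions,
signing key and idle limit below are constructed sample values; names are assumptions.
"""
import hashlib
import hmac
import time

# Constructed sample: which client each document belongs to.
DOCUMENTS = {
    101: {"client": "acme", "title": "Acme merger term sheet"},
    102: {"client": "acme", "title": "Acme board minutes"},
    201: {"client": "globex", "title": "Globex litigation hold memo"},
}

SESSION_IDLE_LIMIT = 15 * 60  # seconds; assumed firm policy
SIGNING_KEY = b"constructed-demo-key-not-for-production"


class PortalError(Exception):
    pass


def fetch_document_vulnerable(doc_id):
    """The flawed pattern: any authenticated user who edits the id in the URL gets
    any client's document. This is an insecure direct object reference (IDOR)."""
    return DOCUMENTS[doc_id]


def fetch_document(session, doc_id, now=None):
    """Hardened: enforce the idle timeout, then confirm the document belongs to the
    session's client. Unknown and foreign ids return the same error so the response
    does not reveal which ids exist."""
    now = time.time() if now is None else now
    if now - session["last_seen"] > SESSION_IDLE_LIMIT:
        raise PortalError("session expired")
    session["last_seen"] = now
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["client"] != session["client"]:
        raise PortalError("not found")
    return doc


def make_document_link(doc_id, client, ttl, now=None):
    """Build an expiring link: id, client and expiry are bound by an HMAC so the
    recipient cannot change any of them without invalidating the signature."""
    now = time.time() if now is None else now
    expires = int(now + ttl)
    payload = f"{doc_id}:{client}:{expires}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"/docs/{doc_id}?client={client}&exp={expires}&sig={sig}"


def verify_document_link(link, now=None):
    """Return the document for a valid, unexpired link, or raise PortalError."""
    now = time.time() if now is None else now
    path, _, query = link.partition("?")
    doc_id = int(path.rsplit("/", 1)[1])
    params = dict(kv.split("=", 1) for kv in query.split("&"))
    payload = f"{doc_id}:{params['client']}:{params['exp']}"
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params["sig"]):
        raise PortalError("bad signature")
    if now > int(params["exp"]):
        raise PortalError("link expired")
    # A valid link still goes through the ownership check, never straight to the store.
    return fetch_document({"client": params["client"], "last_seen": now}, doc_id, now)


def access_error(fn, *args, **kwargs):
    """Return the PortalError message for a denied access, or None if it succeeded."""
    try:
        fn(*args, **kwargs)
    except PortalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    acme = {"client": "acme", "last_seen": time.time()}
    print("vulnerable lookup leaks:", fetch_document_vulnerable(201)["title"])
    print("hardened lookup returns:", access_error(fetch_document, acme, 201))
    link = make_document_link(101, "acme", ttl=600)
    print("tampered link returns:", access_error(verify_document_link, link.replace("/docs/101", "/docs/201")))
```

When you read a pen test report against your portal, the first function is what "IDOR on document download" means; the second is the shape of the fix the vendor should be able to show you, and the signed-link pair is what "document links that expire" looks like in practice.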
If your portal vendor cannot provide you with their most recent penetration test results or SOC 2 report, that is itself a finding worth escalating.
What a Basic Security Audit Actually Includes
A credible internal security audit for a law firm — not a compliance checkbox, but a real assessment — should include the following components:
Asset inventory and access review. Who has administrative access to your core systems? When were those access rights last reviewed? Former employees and departed partners with lingering credentials are a recurring source of incidents.
Incident response plan review. You should have a documented IR plan. It should name specific people, not job titles. It should include outside breach counsel and a forensics vendor identified in advance — not selected during a crisis at 2 a.m.
Phishing simulation. Send your own staff a simulated phishing email. The results will be humbling. Use them constructively.
Backup and recovery validation. Having backups is not the same as having tested backups. Ransomware gangs know the difference. Verify that your backups are air-gapped or immutable and that your recovery time objective is actually achievable.
Insurance alignment. Review your cyber liability policy against your actual security posture. Misrepresentations in your application — even inadvertent ones — can void coverage at the moment you need it most.
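The asset inventory and access review item above is the one most firms can automate first. The script below is an added example, not the article's or any product's code: it cross-checks a constructed export of privileged accounts against a constructed HR roster and flags admin access that outlived a departure, accounts no person is responsible for, privileged accounts without MFA, and access that has not been re-certified inside the review window. The system names, the 90-day window and the audit date are assumptions.

```python
"""Privileged-access review: cross-check admin accounts against the HR roster.

Added example (not from the article). The account export and roster below are
constructed sample data; the 90-day re-certification window is an assumed policy.
"""
from datetime import date, timedelta

REVIEW_WINDOW = timedelta(days=90)  # assumed firm policy
AUDIT_DATE = date(2026, 3, 1)       # constructed "today" for the sample run

# Constructed sample: HR roster with departure dates (None = still with the firm).
ROSTER = {
    "partner.a": None,
    "associate.b": None,
    "it.admin": None,
    "partner.departed": date(2025, 11, 30),
    "contractor.x": date(2025, 6, 15),
}

# Constructed sample: accounts holding admin roles across core systems.
ADMIN_ACCOUNTS = [
    {"system": "dms", "user": "it.admin", "mfa": True, "last_reviewed": date(2026, 1, 10)},
    {"system": "dms", "user": "partner.departed", "mfa": True, "last_reviewed": date(2025, 3, 1)},
    {"system": "email", "user": "contractor.x", "mfa": False, "last_reviewed": date(2025, 3, 1)},
    {"system": "billing", "user": "svc-backup", "mfa": False, "last_reviewed": date(2026, 2, 1)},
    {"system": "portal", "user": "partner.a", "mfa": True, "last_reviewed": date(2025, 9, 1)},
]


def review_admin_access(accounts, roster, today, window=REVIEW_WINDOW):
    """Return (account, severity, issue) tuples; an empty list means nothing to act on."""
    findings = []
    for acct in accounts:
        who = f"{acct['user']}@{acct['system']}"
        if acct["user"] not in roster:
            # Service and shared accounts must still map to an accountable owner.
            findings.append((who, "high", "admin account with no matching person in HR roster"))
        else:
            departed = roster[acct["user"]]
            if departed is not None and departed <= today:
                findings.append((who, "critical", f"admin access retained after departure on {departed}"))
        if not acct["mfa"]:
            findings.append((who, "high", "MFA not enforced on privileged account"))
        if today - acct["last_reviewed"] > window:
            findings.append((who, "medium", "access not re-certified within review window"))
    return findings


def summarize(findings):
    """Count findings by severity, for the one-line summary an audit memo needs."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_admin_access(ADMIN_ACCOUNTS, ROSTER, AUDIT_DATE)
    for who, severity, issue in results:
        print(f"[{severity.upper():8}] {who}: {issue}")
    print(summarize(results))
```

The departed-partner and departed-contractor rows are the "lingering credentials" the paragraph warns about; in a real run the roster comes from HR and the account list from each system's admin export, and the critical findings go to whoever can revoke access the same day.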
The Credibility Argument
There is a business development case for taking this seriously, not just an ethics and liability case. Clients are beginning to treat security attestations the way they treat Martindale ratings — as table stakes for engagement. Firms that can hand a prospective client a current SOC 2 report or a clean third-party security assessment are closing conversations that less prepared competitors are losing.
Do the audit before your clients schedule one for you. The findings will be uncomfortable. That's exactly the point.