
Cybersecurity and the Law Firm

Michael Castro, vCISO, Jul 10, 2020


Canadian law firms are under attack by cybercriminals. While there is a cost to protect, the importance of cybersecurity for the firm's clients and for the reputation of the firm is invaluable.

After all, lawyers are required to take the needed steps to protect the legal matters of their clients. These same clients are asking their law firms what their cybersecurity position is and how they will ensure that they protect their information.

The risks are the same as for many organizations. Bugs, malware, phishing and gaps in protection are all leading to accelerating risks to firms. Law firms are not immune to these threats unless they are protected.


Clients entrust law firms with information about trade secrets, financial reports or healthcare information. If a lawyer breaches that trust, the client may end the firm’s engagement or sue the firm for legal malpractice if a breach damages the client.

Federal law does not regulate a law firm’s cybersecurity practices, but federal law may regulate a firm’s clients, such as hospitals, airlines, or banks. Clients may demand that the law firm have adequate policies to prevent, mitigate and respond to a cyberattack.

Studies have shown that more than a third of law firms are not comfortable with their cybersecurity readiness.

What are the steps to take?


Law firms of all sizes need to look at cybersecurity as a threat to their organization. Some larger firms may have dedicated IT or even security staff, but that does not eliminate the risk; it only helps mitigate it. Smaller firms without that dedicated help need to consider engaging outside help and bringing in a third party such as a virtual CISO or another security specialist.

Amongst the other steps:

  1. Review email practices. Sensitive information should not be sent without encryption.
  2. Consider stronger passwords for logging into systems.
  3. Establish the use of multi-factor authentication or another passwordless model to make authentication harder for attackers.
  4. Build a policy set for cybersecurity that lays out how the firm governs and handles cybersecurity.
  5. Consider building an incident response plan so you have a playbook to follow in the event of a breach.
  6. Be prepared to answer questions or complete a questionnaire from clients who want your firm to verify the steps it is taking to protect their information.
  7. Have training for all staff.
  8. Have a privacy policy in place to support and supplement the security policy.


Law firms are under attack. If you need assistance, contact us at RiskAware. We can help you build a plan and set you on a path to cyber resilience.