Cybersecurity for Law Firms
Australian law firms hold privileged communications, client funds, and confidential personal data that make them a specific target for cybercriminals. A general IT provider is not equipped to manage that risk. JurisIT delivers cybersecurity built specifically for small law firms, aligned to ASD Essential Eight and ACSC guidance, and designed around the real threat landscape your practice faces.
Request a Cyber Security ReviewThe Risk
Cybercriminals do not attack law firms by accident. They do it because law firms hold exactly what attackers need: privileged communications, client account funds, completed identity documents, and records of high-value transactions. That data is worth considerably more on the dark web, or in a ransom demand, than a comparable data set from a retail or hospitality business.
Small and mid-sized firms are not protected by obscurity. They are targeted because they typically have fewer controls, no dedicated security staff, and the same high-value data as larger practices. The HWL Ebsworth ransomware attack in 2023 was carried out by the ALPHV/Blackcat group and affected one of Australia's largest law firms. Smaller firms carry proportionally greater risk because the controls gap is wider.
The ASD Annual Cyber Threat Report 2024-25 confirms the picture is worsening. ASD's ACSC responded to over 1,200 cyber security incidents in FY2024-25, an 11% increase on the prior year, and received over 84,700 cybercrime reports through ReportCyber. Entities were notified of potentially malicious cyber activity more than 1,700 times, up 83% from the previous year. The average cost of cybercrime to a small business reached $56,600, up 14%. For professional services firms, the dominant entry point remains phishing: it was recorded as the initial access technique in 38% of all incidents responded to by ASD's ACSC.
The same report names BianLian ransomware as actively targeting Australian professional services firms and property development, using an exfiltration model where stolen data is threatened for release on the dark web even after a firm restores from backups. The report also records a significant increase in social engineering and impersonation as initial access techniques in the second half of 2024, a pattern with direct implications for private client practices where attackers impersonate clients, executors, and beneficiaries.
Phishing was recorded as the initial access technique in 38% of all incidents responded to by ASD's ACSC in FY2024-25 and is the leading attack vector against Australian professional services firms. For businesses, email compromise resulting in no financial loss was the most commonly reported cybercrime (19%), and BEC fraud resulting in financial loss came second (15%), according to the ASD Annual Cyber Threat Report 2024-25. Attackers compromise or spoof a fee earner's mailbox, monitor active matters, and intercept or redirect payment instructions at the moment of settlement or distribution.
Ransomware accounted for 11% of all incidents responded to by ASD's ACSC in FY2024-25, with 138 ransomware incidents recorded. ASD's ACSC notes that ransomware remains the most disruptive cybercrime threat to Australian organisations. The BianLian group has specifically targeted Australian professional services firms and property development, using a data exfiltration model: even if the firm restores from backups, the threat to publish stolen client data on the dark web remains. A ransomware event two or three days before a property settlement or probate distribution, with no tested backups, is not a recoverable position.
Attackers impersonate clients in property settlements, grant of probate, estate distribution, and trust administration. The ASD Annual Cyber Threat Report 2024-25 confirms that cybercriminals are now using generative AI to create high-quality fake documents, voices, websites, and know-your-customer records, making impersonation attacks significantly more convincing and harder to detect. Identity fraud was the top reported cybercrime type in FY2024-25, up 8%. Private client practices are a primary target because matters involve high-value assets and clients who are often elderly, recently bereaved, or communicating at a distance.
Compromised accounts and credentials were involved in 42% of the most serious incidents responded to by ASD's ACSC in FY2024-25. Information stealer malware is now widely distributed as a cybercrime-as-a-service offering, harvesting usernames, passwords, and browser credentials from infected devices and selling them on dark web marketplaces. For law firms, a fee earner whose personal device is infected can inadvertently expose firm credentials. Departing staff who retain access also present a standing risk: the ASD report recommends identifying and removing inactive accounts as a priority control.
Practice Area Focus · Private Client and Estates
Private client work creates a specific and often underestimated cybersecurity risk profile. Estates hold significant assets including property, managed funds, superannuation, business interests, and digital accounts. Clients are often elderly, recently bereaved, or acting under considerable stress. Transactions are complex and may span months or years. Each of these factors creates points of vulnerability that attackers exploit with increasing sophistication.
In an estate administration matter, the firm communicates with beneficiaries, financial institutions, the ATO, state Supreme Court registries, and in some cases overseas parties. Each of those communication channels is a potential attack surface. Attackers have redirected estate distributions by impersonating beneficiaries, extracted account information by impersonating the deceased's financial institutions, and intercepted correspondence about grant of probate to redirect asset proceeds.
Enduring power of attorney matters carry a related risk. If an attacker compromises the attorney's email, they can issue instructions to the firm as if from the attorney. The firm, acting in good faith, may process those instructions. The client, the donor, may not become aware until the estate is being administered, by which point the losses may be unrecoverable.
STEP-member firms and those recognised by Doyle's Guide for private client work face an additional reputational dimension. A cybersecurity failure that results in client fund loss or data exposure in a deceased estate is not just a regulatory matter. It is a breach of the trust on which private client practice is built.
Scenario · Private Client Identity Verification
A private client firm with ten fee earners, wills, probate, and estate planning, with a STEP-member principal, contacts JurisIT after a near-miss: an email purportedly from a beneficiary of an estate under administration requested a change to the bank account for their distribution. The email was well-constructed and included accurate matter details. A junior fee earner almost acted on it before checking with the principal.
What JurisIT finds: The firm's Microsoft 365 tenant has no role-based access controls. All fee earners can access all client matters. A fee earner who left the firm three months earlier still has an active account, not yet deprovisioned. There is no written procedure for verifying beneficiary identity when account details change. Email authentication records (SPF, DKIM, DMARC) are either missing or set to monitoring-only mode, which means spoofed emails using the firm's domain pass directly into recipients' inboxes.
What we build: Role-based access controls are configured in Microsoft 365 so that fee earners can only access the matters assigned to them. The leaver account is deprovisioned immediately and a leaver protocol is documented: access is revoked on the day notice is given, with a matter handover procedure. DMARC is moved to enforcement policy so that spoofed emails using the firm's domain are rejected at the mail server before reaching clients or third parties.
Identity verification procedure: JurisIT works with the firm's principal to produce a written procedure for all payment instruction changes in estate matters. Any change to beneficiary account details requires verification by telephone on a number the firm holds independently, written confirmation from the beneficiary, and principal sign-off before any distribution proceeds. This procedure is incorporated into the client care letter for all estate administration engagements from the outset.
Breach response planning: A documented incident response plan is produced, naming the responsible principal, the firm's PI insurer contact, and the steps required under the Notifiable Data Breaches scheme: assessment of whether a breach is eligible, notification to the OAIC, and notification to affected individuals. Pre-drafted client communication templates are included so the firm is not writing those communications under pressure during an active incident.
Australian law firms that handle property transactions face a version of the same email interception risk seen in UK conveyancing. An attacker who compromises a fee earner's email account, or successfully spoofs the firm's domain, can send fraudulent settlement instructions to the buyer or their financial institution at the point of settlement. The funds move quickly and are rarely recovered in full.
The controls for property matters mirror those for private client work: DMARC enforcement to prevent domain spoofing, MFA on all accounts, a written client-facing statement that settlement account details will never change by email, and a telephone verification procedure for any instruction involving financial transfers.
Private client firms increasingly administer estates that include digital assets: cryptocurrency held on exchanges or in self-custody wallets, online brokerage accounts, domain names, digital businesses, and subscription platforms. These assets have unique access dependencies. The credentials required to access them may be the only way to recover them, and if a fee earner's device is compromised, locally stored credentials for a client's digital estate may be exposed or lost.
JurisIT's approach to digital assets in private client work draws on Frank Downes' background as a LexisNexis author on digital asset estate planning and as a former member of the STEP Digital Assets Steering Committee. Where a data recovery engagement is required, recovering access to a deceased client's digital accounts or from failed storage media, JurisIT operates from an ISO 14644-1 Class 5 clean room environment.
Our Approach
JurisIT delivers cybersecurity as part of the Practice Resilience® programme, not as a standalone product install. Every control put in place is documented, governed, and maintainable. The scope of a Cybersecurity Uplift engagement is determined after a baseline assessment of the firm's current position. The controls below represent what can be included; every firm's starting point is different.
A structured review of your current Microsoft 365 configuration, device posture, email authentication, access controls, and backup arrangements against the ASD Essential Eight. Produces a prioritised gap list aligned to your practice areas and the specific threats your firm faces, not a generic report.
MFA enforced across all Microsoft 365 accounts, including email, SharePoint, and practice management system access. Conditional Access policies configured so that unmanaged or non-compliant devices cannot access firm systems, even with valid credentials. Essential Eight Maturity Level 1 requirement met.
SPF, DKIM, and DMARC configured and moved to enforcement policy (p=reject). Anti-impersonation rules for high-risk senders. Microsoft Defender for Office 365 policies configured for the legal sector threat landscape. Prevents spoofed emails using your domain from reaching clients or financial institutions.
Microsoft Intune enrolment for all firm devices. Endpoint protection policies. Encryption enforced at device level. Leaver protocol documented and implemented: access revoked on the day of departure, with a matter handover checklist to protect active client engagements.
Immutable backup configuration for case management data, email, and client files. Tested monthly, not just configured. Documented recovery time objective for client communication purposes during a recovery. If your firm cannot operate because files are encrypted, the backup is the difference between a difficult week and a regulatory catastrophe.
A written, named incident response plan covering detection, containment, notification, and recovery. Aligned to the Notifiable Data Breaches scheme: what constitutes an eligible breach, how to assess it, notification to the OAIC, and notification to affected individuals. Pre-drafted client communication templates included. The plan should exist before an incident, not be assembled during one.
Phishing simulation and training built around the scenarios your staff will actually encounter: impersonation of clients or beneficiaries, social engineering targeting legal administrative staff, and fraudulent payment instructions in estate or property matters. Scenarios drawn from ACSC case records and OAIC breach data, not generic corporate training modules.
Every control implemented is documented in a format your principal or compliance officer can present to the Law Society, the OAIC, or your PI insurer. The difference between a firm that has controls and a firm that can demonstrate controls is often the difference between a regulatory inquiry and a regulatory intervention.
Shadow AI — fee earners using ChatGPT, Copilot, or other AI tools with client data without a firm policy — is now a cybersecurity and compliance issue. Client data processed by an external AI platform under unreviewed terms of service may constitute a notifiable data breach under the Privacy Act. JurisIT maps AI tool use across your firm and produces an AI Acceptable Use Policy specific to your jurisdiction and practice areas.
Regulatory Alignment
Australian law firms are subject to cybersecurity and data protection obligations from several sources. No single framework covers everything. The table below sets out the key requirements and what they mean in practice for a firm of 5 to 15 fee earners.
| Regulator or Framework | What it requires | What it means in practice |
|---|---|---|
| Privacy Act 1988 (Cth) and the NDB Scheme | Firms must have reasonable data security measures in place. Eligible data breaches must be reported to the OAIC and affected individuals. From 1 July 2026, any firm that provides a designated service under the AML/CTF legislation is also subject to the Privacy Act by virtue of that status, regardless of turnover. | The OAIC recorded 532 breach notifications in the first half of 2025, with the legal industry consistently in the top five most targeted sectors. For firms providing designated AML/CTF services, the Privacy Act now applies even if they would otherwise fall below the $3 million small business threshold. A documented breach response plan is a compliance requirement for those firms, not an optional extra. |
| ASD Essential Eight | Eight mitigation strategies targeting the most common attack vectors. Three maturity levels. Published by the Australian Signals Directorate and endorsed by ACSC. | Essential Eight Maturity Level 1 is the practical baseline for a firm of 5 to 15 fee earners. It covers the controls most likely to prevent a successful attack: MFA, patching, application control, and daily backups. |
| ASD Annual Cyber Threat Report 2024-25 | ASD's ACSC responded to over 1,200 cyber security incidents in FY2024-25, an 11% increase. Professional services and property development are named as priority target sectors for ransomware. BianLian specifically targets these sectors using a data exfiltration model. Phishing is the initial access technique in 38% of all incidents. | The ASD report is the authoritative reference for what proportionate controls look like in an Australian context. Regulators, insurers, and courts will refer to it when assessing whether a firm took reasonable steps. The ASD's four recommended 'big moves' for businesses are: implement effective logging, replace legacy IT, manage third-party risk, and prepare for post-quantum cryptography. |
| Mandatory Ransomware Reporting | On 30 May 2025, the Australian Government introduced mandatory ransomware reporting for businesses with annual turnover of $3 million or more and entities responsible for critical infrastructure. The regime requires prompt reporting of ransomware incidents to ASD's ACSC. | Law firms at or above the $3 million turnover threshold must now report ransomware incidents. The regime is designed to improve the government's visibility of ransomware threats. Firms with a documented incident response plan are significantly better placed to comply without operational disruption when a report is required at short notice. |
| Law Society Professional Conduct Rules | Solicitors must maintain client confidentiality and protect client information. State Law Society rules vary in specificity but all require reasonable steps to protect client data. | A cybersecurity failure that exposes client data is not just a technology problem. It is a potential conduct breach. Firms that can demonstrate they had proportionate controls in place are in a materially better position when a complaint or investigation follows a breach. |
| AML/CTF Act (Cth) and Tranche 2 | Tranche 2 reforms commenced in July 2026 and bring law firms providing designated services within the AML/CTF regime for the first time. Digital identity verification and transaction monitoring obligations apply. Firms that are reporting entities under the AML/CTF Act are also subject to the Privacy Act by virtue of providing a designated service, regardless of turnover. | AML/CTF compliance has a direct intersection with cybersecurity: digital identity verification systems must be protected against compromise, and transaction monitoring data is sensitive. Firms implementing Tranche 2 compliance need the cybersecurity foundation in place first. For smaller firms that would otherwise fall below the Privacy Act's small business threshold, becoming an AML/CTF reporting entity brings them within the Privacy Act and the NDB scheme simultaneously. |
| PI Insurance Requirements | Most professional indemnity and cyber liability insurers now ask specific questions about MFA, backup testing, email authentication, and incident response planning as part of the renewal process. | Firms that cannot demonstrate these controls face higher premiums or restricted coverage. A breach claim that follows a documented period of non-compliance can give the insurer grounds to contest coverage. JurisIT's documentation package is designed for both the regulatory and insurer evidence files. |
Frequently Asked Questions
We already have an IT provider. Why would we need JurisIT?
A general IT provider installs MFA. A legal sector specialist knows why DMARC enforcement matters specifically for firms handling property settlements and estate distributions, configures it correctly in a Microsoft 365 environment, produces compliance documentation your principal can present to the Law Society or OAIC, and understands the specific attack patterns targeting Australian private client and property practices. Most IT providers are not familiar with the ASD Essential Eight, ACSC guidance for professional services, or the Notifiable Data Breaches scheme obligations that apply to law firms. The firm remains responsible for its cybersecurity posture even when it has outsourced IT.
We are a small firm. Are we really a target?
Small firms are not obscure. They are attractive because attackers know that smaller practices typically have fewer controls, no dedicated security resource, and the same high-value data as larger firms. The ASD Annual Cyber Threat Report 2024-25 identifies professional services and property development as priority target sectors for ransomware. ASD's ACSC received over 84,700 cybercrime reports in FY2024-25 and notes that cybercrime against small-to-medium businesses is both frequent and costly: the average cost per cybercrime report for a small business reached $56,600 in FY2024-25, up 14% on the prior year. Every firm with an active client account and email is a potential target.
What is the ASD Essential Eight and does our firm need to comply with it?
The ASD Essential Eight is a set of eight mitigation strategies published by the Australian Signals Directorate to protect organisations against the most common cyber attack vectors. It is not a legal requirement for most private law firms, but it is the framework that Australian regulators, insurers, and courts treat as the reference point for proportionate cybersecurity. A firm that implements Essential Eight Maturity Level 1 has addressed the controls most likely to prevent a successful attack and can demonstrate that to any of those parties.
When does our firm need to report a data breach?
Under the Notifiable Data Breaches scheme, your firm must notify the OAIC and affected individuals when an eligible data breach occurs. An eligible breach is one that involves personal information, where there is a risk of serious harm to the individuals whose data was affected, and your firm has not been able to prevent that risk through remedial action. You must report as soon as practicable after becoming aware. From 1 July 2026, firms that are AML/CTF reporting entities are subject to the Privacy Act by virtue of providing a designated service, which means the NDB scheme applies to them regardless of turnover. For firms above the $3 million threshold, the scheme has always applied. JurisIT's incident response plan includes the assessment steps for determining whether a breach is eligible, template notifications, and the sequence for notifying the OAIC and affected clients.
Does cybersecurity affect our professional indemnity insurance?
Directly and materially. Most PII and cyber liability insurers now ask specific questions about MFA, backup testing, email authentication, and incident response planning as part of the annual renewal. Firms that cannot demonstrate these controls face higher premiums and, in some cases, restrictions on coverage for cyber-related claims. A successful breach claim that follows a documented period of non-compliance can give an insurer grounds to contest coverage entirely. JurisIT's documentation package is designed to support both your regulatory compliance file and your insurer evidence file.
How does JurisIT approach AI tools and cybersecurity?
Shadow AI — fee earners using ChatGPT, Copilot, Grammarly, or other AI tools with client data without firm approval — is now a cybersecurity and compliance issue as well as a conduct risk. Client data processed by an external AI platform under unreviewed terms of service may constitute an eligible data breach under the Notifiable Data Breaches scheme if the platform experiences a security incident. JurisIT's AI Governance overlay identifies shadow AI use across your firm, assesses the data-handling risk, and produces an AI Acceptable Use Policy specific to Australian law firms, including guidance for private client and property matters.
What is the new mandatory ransomware reporting regime?
On 30 May 2025, the Australian Government introduced mandatory ransomware reporting for businesses with annual turnover of $3 million or more and entities responsible for critical infrastructure. Covered organisations must report ransomware incidents to ASD's ACSC. The ASD Annual Cyber Threat Report 2024-25 notes that ASD's ACSC responded to 138 ransomware incidents in FY2024-25 and assesses that the vast majority of cybercrime continues to go unreported. The mandatory regime is designed to address that gap. Law firms at or above the turnover threshold should ensure their incident response plan includes the steps for assessing and reporting a ransomware incident, and should not wait for an incident to occur before identifying who is responsible for making the report.
Our firm is small. Does the Privacy Act apply to us?
It depends on whether your firm provides a designated service under the AML/CTF legislation. The small business exemption in the Privacy Act generally still applies to firms below the $3 million annual turnover threshold. However, from 1 July 2026, any firm that is a reporting entity under the AML/CTF Act by virtue of providing a designated service is also subject to the Privacy Act, regardless of turnover. For law firms providing conveyancing, property settlement, or trust and company services that fall within the Tranche 2 designated service categories, this means the Privacy Act and the Notifiable Data Breaches scheme apply even if the firm would otherwise be exempt. If you are unsure whether your firm's services trigger AML/CTF reporting entity status, that is precisely the kind of question a JARI assessment and a JurisIT compliance engagement will resolve.
How does JurisIT's AML/CTF work connect to cybersecurity?
Tranche 2 of the AML/CTF Act, which commenced in July 2026, brings Australian law firms providing designated services within the AML/CTF regime for the first time. Digital identity verification and transaction monitoring are central to that compliance programme. Those systems hold sensitive client identity and financial data. Implementing Tranche 2 compliance without the cybersecurity foundation in place first creates a compounding risk: the compliance system itself becomes a target.
There is also a Privacy Act dimension that many smaller firms have not yet registered. Any firm that becomes an AML/CTF reporting entity by virtue of providing a designated service is also subject to the Privacy Act and the Notifiable Data Breaches scheme, regardless of turnover. The small business exemption does not apply once a firm is within the AML/CTF regime. For smaller practices that were previously below the $3 million threshold, becoming a reporting entity under Tranche 2 is therefore the trigger that brings their full suite of data protection and breach notification obligations into force. JurisIT delivers AML/CTF compliance and cybersecurity as integrated elements of the Practice Resilience® programme, not as separate engagements.
JurisIT's cybersecurity reviews are conducted by people who understand Australian privacy law obligations, ASD Essential Eight requirements, and the specific fraud patterns targeting private client and property practices. The output is documentation your principal can use, not a technical report for an IT team you do not have.
Further Reading