Thursday, May 29th, 2025

Cybersecurity Challenges for Law Firms in the SaaS Era: What’s Changed and What Still Matters


In an increasingly digital legal landscape, law firms are no longer just custodians of legal knowledge; they are also stewards of vast repositories of sensitive data. From intellectual property and M&A documentation to privileged client communications and personal identity information, law firms are prime targets for cybercriminals.

Since the Panama Papers breach in 2016, the cybersecurity landscape has shifted dramatically, especially with the widespread adoption of cloud-based Software-as-a-Service (SaaS) platforms. Today, legal professionals depend on cloud-based document management, eDiscovery tools, billing systems, and client portals, each one a potential point of entry for attackers if not properly secured.

So what cybersecurity challenges are legal firms facing today, and what practical steps can they take to protect themselves?


The SaaS Double-Edged Sword

SaaS tools have enabled law firms to operate more flexibly, collaborate remotely, and scale without the burdens of traditional infrastructure. But this convenience comes with risk. Most SaaS providers operate under a shared responsibility model: they secure the platform, but the data security and access controls are often the client’s responsibility.

Many firms still assume that using a reputable SaaS vendor automatically means their data is safe. Unfortunately, that’s not the case. Misconfigurations, weak access controls, and lack of encryption are frequent culprits in SaaS-related breaches.


Common SaaS-related vulnerabilities include:

  • Misconfigured access controls, leading to data exposure
  • Weak password practices and lack of multifactor authentication (MFA)
  • Insecure third-party integrations, which create indirect attack paths
  • Unpatched web applications running plugins, themes, or outdated APIs


A notable example of a law firm data breach originating from a SaaS vulnerability occurred in 2024, involving Kirkland & Ellis, one of the largest law firms by revenue. The breach was part of a widespread cyberattack exploiting vulnerabilities in the MOVEit Transfer file management software developed by Progress Software. This incident compromised data from hundreds of organizations and millions of individuals. In the case of Kirkland & Ellis, the breach led to a class action lawsuit alleging that the firm failed to adequately protect personal information. The lawsuit claims that Kirkland did not notify affected parties promptly, with some customers only being informed months after the breach occurred. This case underscores the critical importance of securing SaaS platforms and ensuring timely breach notifications to affected individuals.


Another significant incident in 2024 involved Thompson Coburn LLP, a U.S. law firm, and its client Presbyterian Healthcare Services. A data breach in May 2024 allowed an unknown hacker to access sensitive personal and healthcare information on Thompson Coburn’s network. The breach exposed private information such as names, prescription details, and clinical data. A class action lawsuit filed in Missouri federal court alleges that inadequate cybersecurity measures led to the breach. This incident highlights the increasing cybersecurity risks faced by law firms, especially when handling sensitive client data through SaaS platforms.


SaaS Risks Set the Stage for BEC

As law firms embrace SaaS platforms to manage case files, collaborate with clients, and streamline operations, they’re unknowingly widening the attack surface for increasingly sophisticated cyber threats. While misconfigured settings and unpatched software can directly expose sensitive data, the real danger often begins with access.

That’s where Business Email Compromise (BEC) comes in.

BEC exploits the same weak points in cloud and SaaS ecosystems, specifically the over-reliance on email for both communication and identity. A single compromised login or poorly protected cloud email account can give attackers the keys to the firm’s castle. From there, impersonation, fraud, and data theft are just a few clicks away.

Unlike ransomware, which loudly encrypts systems, BEC is quiet, stealthy, and devastating. Attackers may lurk unnoticed in inboxes, monitor communications, and strike during critical moments like fund transfers or contract signings—often using real client names and timelines pulled directly from compromised cloud apps.


Law firms are attractive BEC targets for several reasons:

  • Transactional focus: Legal work often involves wire transfers, settlements, and escrow payments, which make financial deception a lucrative goal.

  • High-trust relationships: Communications between firms and clients carry an implicit level of trust, making phishing or spoofed emails more convincing.

  • Weak email authentication: Many firms still lack robust email authentication standards like DMARC, DKIM, and SPF, making spoofing easy for attackers.
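The email authentication point above can be turned into a quick self-check of a firm's own SPF and DMARC records. The following is an added example, not Smarttech247's code or tooling: the records it evaluates are constructed samples, and the `assess_*` helper names are my own.

```python
"""Assess a domain's SPF and DMARC TXT records for spoofing resistance.

Added example, not Smarttech247 code. Records passed in are constructed
samples; in practice fetch the TXT record of the firm's domain and of
_dmarc.<domain> from DNS and pass them here ("" means no record).
"""


def parse_tags(record: str) -> dict:
    """Turn a 'k=v; k=v' style record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means no issue found."""
    if not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record, receivers cannot tell spoofed from real mail"]
    terms = record.split()[1:]
    # The trailing 'all' mechanism decides what happens to senders matching nothing.
    alls = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return ["SPF: no 'all' mechanism, unlisted hosts get a neutral result"]
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    if qualifier in "+?":
        return ["SPF: '%s' lets any host send as the domain" % alls[-1]]
    if qualifier == "~":
        return ["SPF: '~all' softfail only flags spoofed mail; DMARC p=reject must back it"]
    return []


def assess_dmarc(record: str) -> list:
    """Findings for a DMARC record; an empty list means enforcement is in place."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 record, spoofed mail is neither rejected nor reported"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s only monitors, it does not block spoofing" % (policy or "missing"))
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct=%s applies the policy to only a sample of mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are never received")
    return findings


def assess_domain(spf: str, dmarc: str) -> list:
    return assess_spf(spf) + assess_dmarc(dmarc)
```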


From BEC to the Bigger Problem: Data Blindness

While BEC may start with a single compromised inbox, its impact often extends far beyond email. Once inside a law firm’s environment, attackers can quietly search for valuable information: contracts, financial records, client data, litigation strategies – all without raising red flags.


But here’s the core issue: most law firms don’t actually know where their most sensitive data lives.


In the rush to adopt cloud platforms and streamline operations, data often gets scattered across document management systems, shared drives, collaboration tools, and email threads. Without a formal data classification strategy, firms are effectively flying blind—unable to distinguish between public, private, and privileged information.

This lack of visibility not only increases the damage potential of a breach, but also makes regulatory compliance, incident response, and risk management significantly harder.


The takeaway? You can’t protect what you can’t identify. Before law firms can truly defend themselves, they need to understand what data they have, where it resides, and who has access to it.


With so much sensitive data flowing across SaaS platforms, email threads, and file shares, data classification has become a critical, yet often overlooked, pillar of legal cybersecurity.


Legal Cybersecurity in 2025: Practical Steps to Consider

1. Reframe Cybersecurity as a Business Risk, Not Just an IT Issue

Cybersecurity is not just an operational concern—it’s a brand, compliance, and continuity issue. Legal leadership must treat it accordingly, integrating cyber risk into firm-wide decision-making.

2. Secure Your SaaS Environment

Adopt security best practices for SaaS, including:

  • MFA, SSO, and strong password policies

  • Role-based access controls

  • Vendor security reviews before onboarding legal SaaS apps

3. Penetration Testing and Cloud Security Assessments

Modern penetration testing should go beyond the perimeter:

  • Review cloud configurations and API access

  • Test SaaS-specific permissions and user flows

  • Simulate phishing and BEC scenarios to assess real-world risk

4. Logging, Monitoring, and SIEM for SaaS

Ensure all critical SaaS applications forward logs to a centralized SIEM. Monitor for:

  • Unusual login behavior

  • Privilege escalations

  • Bulk data downloads or exfiltration attempts

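One way to express the three monitoring goals above as SIEM-style detection rules, written here as an added example rather than code from Smarttech247 or any SIEM vendor. The event schema, the per-user sign-in country baseline and the `detect` function are assumptions, and the sample events are constructed.

```python
"""SIEM-style detection rules over SaaS audit-log events.

Added example, not Smarttech247 code. The event schema and the events
below are constructed; map your provider's audit-log fields (time, actor,
action, sign-in country, target) onto them before running this for real.
"""
from collections import deque
from datetime import datetime, timedelta

BASELINE = {"alice": {"IE", "GB"}, "bob": {"IE"}}  # countries each user normally signs in from (assumed)
PRIVILEGED_ROLES = {"admin", "owner"}
BULK_THRESHOLD = 5                  # more downloads than this inside BULK_WINDOW is an alert
BULK_WINDOW = timedelta(minutes=10)

SAMPLE_EVENTS = [  # constructed, already sorted by time; "user" is the account affected
    {"ts": "2025-05-29T08:00:00", "user": "alice", "action": "login", "country": "IE"},
    {"ts": "2025-05-29T08:05:00", "user": "bob", "action": "login", "country": "NG"},
    {"ts": "2025-05-29T08:06:00", "user": "bob", "action": "role_change", "new_role": "admin"},
] + [
    {"ts": "2025-05-29T08:%02d:00" % (7 + i), "user": "bob", "action": "download",
     "file": "matter-%d.pdf" % i}
    for i in range(6)
]


def detect(events, baseline=BASELINE):
    """Apply the three rules to time-ordered events and return the alerts raised."""
    alerts, recent, bulk_fired = [], {}, set()
    for ev in events:
        ts, user, action = datetime.fromisoformat(ev["ts"]), ev["user"], ev["action"]
        if action == "login" and ev["country"] not in baseline.get(user, set()):
            alerts.append({"rule": "unusual_login", "user": user,
                           "detail": "sign-in from %s, outside the user's baseline" % ev["country"]})
        elif action == "role_change" and ev["new_role"] in PRIVILEGED_ROLES:
            alerts.append({"rule": "privilege_escalation", "user": user,
                           "detail": "role changed to %s" % ev["new_role"]})
        elif action == "download":
            window = recent.setdefault(user, deque())   # download times still inside BULK_WINDOW
            window.append(ts)
            while ts - window[0] > BULK_WINDOW:
                window.popleft()
            if len(window) > BULK_THRESHOLD and user not in bulk_fired:
                bulk_fired.add(user)                     # one alert per burst, not per file
                alerts.append({"rule": "bulk_download", "user": user,
                               "detail": "%d files in %d min" % (len(window), BULK_WINDOW.seconds // 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["user"], alert["detail"])
```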

5. Patching and Updating—Still Critical

Stay current with patches not just for operating systems but also for browser extensions, plugins, and even low-code SaaS apps, which can harbor critical vulnerabilities.


6. Build and Test an Incident Response Plan

Develop and rehearse a cyber incident response plan that includes:

  • Specific playbooks for BEC, data breaches, ransomware, and SaaS compromise

  • Internal and external communication strategies

  • Compliance with breach notification laws (GDPR, HIPAA, etc.)


Final Thoughts

Cyber threats targeting legal firms have evolved rapidly—with BEC, SaaS misconfigurations, and unclassified sensitive data now among the biggest risks. At the same time, regulatory and client expectations around security have only grown.

Firms that treat cybersecurity as a shared responsibility—one that spans technology, legal compliance, operations, and human behavior—are best positioned to protect their clients and reputation in this new era.


Want to know where your firm stands? Book a Cloud Security & BEC Readiness Assessment today.


    Copyright Smarttech247 - 2021